By Zack Martin, Editor, Avisian Publications
There has been a lot of discussion about using the Personal Identity Verification credential outside the federal government. First responders are the largest group discussing issuance of an interoperable credential, but state and local jurisdictions also want to issue the ID to their own employees.
The problem was that the PIV/FIPS 201 specification was written for federal employees and contractors and did not translate seamlessly to other issuers. One of the primary differences was the required identity vetting process, but there were technical challenges too. This changed in May when the Personal Identity Verification Interoperability For Non-Federal Issuers specification was released.
The new specification enables states and others to issue interoperable PIV credentials and clears up any concern that states could start issuing credentials to one standard and then have it changed. “States and others felt that without clear guidance they were at risk because if the specification changed they would have to redo things,” says John Bys, executive vice president at CoreStreet. “This wipes that fear away.”
CoreStreet is working with a number of states and first responders on PIV I projects, Bys says. Colorado, Hawaii and Illinois are starting to issue credentials along with Washington DC.
Colorado invokes a two-tiered credential system
Colorado will use the PIV I spec but will also have another tier of credentials for first responders, says Micheline Casey, director of identity management at Colorado’s Office of Information Technology. The state wanted to be interoperable with the federal government and U.S. Department of Defense because it has the second largest concentration of federal government employees and military installations in the country.
But Colorado’s governance poses an interesting challenge. The state cannot force local jurisdictions to use a specific technology, says Casey, stressing that local governments must choose to adopt it. When the state first decided it wanted a FIPS 201 credential, the Office of Information Technology spent nine months working with groups across the state, reviewing policy and standards, before reaching agreement.
“Those local agencies are the ultimate determining factor in how it will be used,” Casey says. “A lot of this is monetary-based. When they are able to replace existing physical access control systems with FIPS 201 products they may. We are a very rural state and have a lot of volunteer forces that don’t have a lot of money to do this sort of thing.”
Because some of these smaller agencies lack the funds, the state is recommending that first responder agencies issue one of two credential types, Casey says. One follows the PIV I spec and uses a smart card chip with both contact and contactless interfaces. The other uses a two-dimensional bar code, Casey says.
Both credentials will carry the bar code, but the smart card will go to first responders who cross jurisdictions while the other ID goes to those who do not, Casey says. The non-PIV cards are validated by scanning the bar code, which acts as a pointer to a record stored in a database. Unlike a PIV I card, which carries certificates and keys that a reader can check cryptographically at the point of use, the bar code itself proves nothing; its assurance depends on the verifier being able to reach that database and on the integrity of the record it returns.
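The two Colorado tiers differ in what a verifier at the scene can actually check. The Go program below is an added illustration, not code from Colorado, CoreStreet or the PIV I specification: it models the bar-code card as a bare pointer that can only be resolved against a reachable directory, and the smart card as a payload carrying an issuer signature that a relying party verifies offline with the issuer's public key. The credential fields, the `|`-separated canonical form, the ECDSA P-256 signature and the sample record are simplifications chosen for the example (a real PIV I card carries X.509 certificates and a CMS-signed CHUID), and revocation checking is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Credential is the minimum a relying party at an incident scene needs: who the
// holder is, which agency vouches for them, and when the credential lapses.
type Credential struct {
	ID       string // hypothetical card identifier, not a real FASC-N or UUID layout
	Name     string
	Agency   string
	NotAfter time.Time
}

// canonical fixes field order and separators so issuer and verifier hash the same
// bytes. A real PIV I card uses X.509 certificates and a CMS-signed CHUID instead.
func (c Credential) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", c.ID, c.Name, c.Agency, c.NotAfter.Unix()))
}

// PointerDirectory stands in for the state's record store behind the bar-code
// tier; Offline models a verifier with no connectivity to it.
type PointerDirectory struct {
	Records map[string]Credential
	Offline bool
}

// ValidateBarcode resolves the scanned ID. The card proves nothing by itself: the
// verifier trusts whatever the directory returns and cannot validate at all offline.
func (d *PointerDirectory) ValidateBarcode(scannedID string, now time.Time) (Credential, error) {
	if d.Offline {
		return Credential{}, errors.New("directory unreachable: pointer credential cannot be validated")
	}
	c, ok := d.Records[scannedID]
	if !ok {
		return Credential{}, errors.New("unknown credential")
	}
	if now.After(c.NotAfter) {
		return Credential{}, errors.New("credential expired")
	}
	return c, nil
}

// SignedCredential is the smart-card tier: the payload plus the issuer's ECDSA
// signature over its canonical form, so the card carries its own proof.
type SignedCredential struct {
	Credential
	Sig []byte
}

// NewIssuer generates the issuing authority's P-256 key pair. In a real PIV I
// deployment this key lives in an HSM behind the certificate authority.
func NewIssuer() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs the credential at enrollment time.
func Issue(issuer *ecdsa.PrivateKey, c Credential) (SignedCredential, error) {
	h := sha256.Sum256(c.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, h[:])
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Sig: sig}, nil
}

// VerifyOffline checks the issuer signature and expiry using only the trusted issuer
// public key. Revocation (CRL/OCSP) would need a separately obtained response; omitted.
func VerifyOffline(issuerPub *ecdsa.PublicKey, sc SignedCredential, now time.Time) error {
	h := sha256.Sum256(sc.canonical())
	if !ecdsa.VerifyASN1(issuerPub, h[:], sc.Sig) {
		return errors.New("signature invalid: not issued by the trusted issuer, or altered")
	}
	if now.After(sc.NotAfter) {
		return errors.New("credential expired")
	}
	return nil
}

func main() {
	now := time.Now()
	// Constructed sample record; the person and agency are fictional.
	c := Credential{ID: "CO-NCR-000123", Name: "Jane Doe", Agency: "Example County Fire", NotAfter: now.Add(72 * time.Hour)}
	dir := &PointerDirectory{Records: map[string]Credential{c.ID: c}, Offline: true}
	_, err := dir.ValidateBarcode(c.ID, now)
	fmt.Println("bar code, directory offline:", err)
	issuer, _ := NewIssuer()
	sc, _ := Issue(issuer, c)
	fmt.Println("signed, verified offline   :", VerifyOffline(&issuer.PublicKey, sc, now))
	sc.Name = "Mallory" // alter the payload after issuance; the signature no longer matches
	fmt.Println("signed, tampered           :", VerifyOffline(&issuer.PublicKey, sc, now))
}
```

The contrast is the practical one for a rural volunteer agency weighing cost against assurance: the pointer card is cheap but is only as trustworthy and as available as the database behind it, while the signed card can be checked at a scene with no connectivity, at the price of a PKI and a revocation-distribution mechanism that this example does not model.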
The North Central Region around Denver will be the first of Colorado’s nine regional homeland security areas to issue credentials, Casey says. While the credential will be a statewide ID, it will also serve as an employee ID badge for access where agencies have a physical access control system in place.
Areas are also looking at uses beyond typical first responder applications, Casey says. One city hosts a major music festival in July, and first responders from other jurisdictions help staff the event. The host city reimburses those jurisdictions for staff time, and hours worked will be logged using the first responder credential.
DC to badge city workers as well as first responders
Washington D.C. wants to issue first responder credentials too, but the district may take it a step further and issue IDs to city workers as well, says Chris Wiley, Washington D.C.’s chief technology officer. They are calling the proposed credential the DC One Card.
The district is taking a similar approach to Colorado, issuing different tiers of credentials to different employees, Wiley says. The primary differences are that all DC One Cards will be smart cards and that they will go to city employees as well as first responders.
The district is planning to issue the cards to 5,000 first responders and then possibly add 10,000 to 20,000 city employees over the next couple of years, Wiley says.
One tier will follow the PIV I specification with third-party verification of identity, Wiley says. “PIV I will be important for us,” he says. “We don’t have to reinvent the wheel, look to those types of standards and it saves us a lot of energy.” The other will be a card that’s issued by the city agency and goes to city employees who need smart cards to bridge the physical and logical worlds.
Wiley has been working with the first responder program in Washington to set up the back-end system, but he is already thinking ahead to how city employees will use it.
The first application Washington will enable with the smart cards is single sign-on, Wiley says. The card will serve as a second authentication factor for access to the applications an employee uses. File encryption and digitally signed email are the next applications the district will consider after single sign-on.
Anticipating the use of smart cards, Wiley has already been purchasing laptops with built-in smart card readers. On the physical access control side, he has been working with the district’s property managers to install readers that accept both legacy proximity cards and contactless smart cards as older readers are phased out.
From its inception, the DC One Card was also expected to serve as the employee’s transit card for Washington’s Metro public transportation system. “One of the clearest benefits to this is having a Metro card built in,” Wiley says.
Unfortunately, this has held up the project, because Metro’s fare system uses a proprietary contactless technology from fare collection system operator Cubic, and it has been difficult to get the Cubic chip into a card alongside the other smart card technology.
The plan is to end up with one city employee badge instead of the dozen or more currently issued. In time the card could also be offered to citizens, who could use it for identification with city services such as the library and the Metro.
The DC One Card is still in the capital phase, Wiley says. “We’re trying to make operating costs lower. If you look at all the different carding operations in place and how this will consolidate those,” he says, “it will save us some money.”
‘Spring Ahead’ demonstrates many technologies
FEMA’s ‘Spring Ahead’ demonstration showcased many different technologies and use cases. The purpose of the demonstration was to showcase FIPS 201 interoperability, with credentials issued from multiple private sector, federal, state and local jurisdictions utilizing the same technology as recommended in the draft National Incident Management System Credentialing Guideline.
The demonstration included the electronic validation of federal agency-issued FIPS 201 compliant and state/local government issued FIPS 201 interoperable credentials for risk mitigation and human resource situational awareness across more than 30 organizations in 20 locations throughout the United States.
The Illinois Terrorism Task Force was a key participant in the trial. A representative sample of Illinois-based emergency response officials from the emergency management, fire rescue, law enforcement, and critical infrastructure sectors reported to a simulated emergency operations center and presented smart credentials for electronic authentication and entry to the scene. The task force’s credentials used public key infrastructure from Entrust Inc.
Business consulting firm CGN & Associates provided program management for the State of Illinois FIPS 201 Interoperable Secure Credentialing Project. CoreStreet’s PIVMAN solution was used to control access to the sites by authenticating and validating the identities and privileges of Spring Ahead participants.
Spring Ahead consisted of:
- Eight scenarios that demonstrated the relocation of government personnel via air, water, and land assets
- The issuance of “just-in-time” credentials for emergency response officials who deploy to the scene of an incident without their credentials
- Smart phone application proof-of-concept: routine and emergency access to seaports using the Transportation Worker Identification Credential
- Federal and mutual aid out-of-area ingress for disaster response
- FIPS 201 migration technology
- Citizen evacuation, post-disaster re-entry, and sheltering-in-place.