The next step in realizing HSPD-12
26 August, 2010
category: Contactless, Corporate, Digital ID, Government
Investment needed to improve logical, physical infrastructure
By Salvatore D’Agostino, IDmachines
The identity, credentialing and access management effort on the part of the CIO Council is a next step toward realizing the goals of HSPD-12. It takes FIPS 201 technology and policy and applies procedures to the identity, credential and access categories, hence the "management." Not coincidentally, proceeding in parallel are President Obama's National Strategy for Trusted Identities in Cyberspace and the Department of Commerce's efforts on cybersecurity, innovation and Internet policy.
The federal Identity, Credential and Access Management (ICAM) part B work by the CIO Council is coming, maybe as soon as this fall, along with a revamp of the Federal PKI. The council has reached out to industry, and a good dialog is taking place.
IDmachines participates with industry colleagues to provide guidance and recommendations to those working to upgrade the infrastructure and applications to support the 10 million identity credentials that will encompass the federal enterprise.
The CIO Council is looking at the experience that agencies have had in the more than five years since FIPS 201 was issued. Unfortunately, that experience is extremely limited outside of the Defense Department and intelligence domains, and it is nascent for physical access control.
Most of the time has been spent trying to get critical mass in credential issuance in an individual enterprise. There’s been no real experience with the federated requirement of inter-agency portability and mapping of assurance levels.
The challenge has at least two steps. The first is to get to individual enterprise applications. This is easier for logical access than for physical access, and it needs to address devices. The legacy infrastructure is not easily integrated, particularly since, in this case, the cost of "fixing" it is orders of magnitude more than building it right.
Modern enterprise architecture and infrastructure must support the multi-use of PIV and PIV-I credentials at some point. To date most of the investment has been in the credential and primarily from the federal government. This is changing with defense industrial base and critical infrastructure companies joining state and local governments that have had a toe in the water for years via first responder initiatives.
For everyone to realize the efficiencies that come from operating at scale, the effort could use a push. The cost of the enterprise upgrades is not really that much in the era of economic stimulus.
What better stimulus than to put the down payment on a 21st century digital infrastructure? Stimulus for industry to achieve interoperability could go hand in hand with federal efforts. Billions in funding have already been targeted at health information technology, and government has committed to 2011-12 IT budgets that support ICAM.
Multiple rationales exist for this. First, hardware is inexpensive and easily available.
Second, almost all of the enterprise software vendors will at least tell you they support FIPS 201, or sell the roadmap to it. In reality, X.509 certificates are baked into many apps already, so it's not a technology issue for the logical access side of the house. In this regard ICAM should realize real benefits in government service related to response, efficiency, cost and accountability.
The challenge here is the human resources and 21st century cyber services needed to support this, and this is true for both government and contractors/industry. A significant effort needs to be put into education: there are not enough people with the experience and skill sets to fully deploy and support ICAM and PIV-I.
Physical access control systems (PACS) present bigger challenges. That said, the number of readers and controllers across the federal enterprise, and the associated budget, is manageable compared to the annual agency spend on IT. Since the PACS are IT systems (their servers will need to be certified under FISMA), their upgrade should be covered by this budget.
For example, an agency with 100,000 employees and contractors might have 10,000 card readers and 5,000 controllers. So let's say 1 million card readers and 500,000 controllers/panels for the entire federal enterprise. At $3,000 for each of these nodes (readers and controllers), this amounts to a $4.5 or $5 billion PACS investment.
This is a manageable sum relative to the total federal IT spend, even if it turns out to be two to five times that. Again, the challenge will be a budget to maintain these new systems, assuming 20% or a billion dollars a year, in order for these systems to have a refresh rate that matches IT.
The good news is that much of the wiring should be reusable and that network drops to the controllers are likely already there; it's just a matter of the controllers being able to function as network devices.
If this is done so that both logical and physical use the same authentication methods and identity infrastructure then other aspects, such as administration and audit, privilege and attribute management, role-based controls and certifications, all can be addressed as a shared resource.
This doesn't change the management of access or security, or the need for it to be done "locally," distributed to those responsible for the resources and driven by global policy. But it does change the locus of the decision about what to acquire.
The savings and improvements in productivity justify the investment. Strategically raising the level of cybersecurity across government, critical infrastructure and key resources has to be done. Not doing so means failing to keep pace with global competition; look at the investments being made in places such as India.
Not moving ahead means we remain prone to cyber threats such as Stuxnet, to financial and medical fraud totaling billions, and to the potential crippling of our digital and increasingly mobile network-based economy.
It is time to take the next step.
Read more from D’Agostino at his IDMachines blog.