Getting More Value from TWIC, FIPS-201 PIV Credentials Today

Codebench CEO Castaldo on Unlocking PIV Potential

Call us nuts, but we're fascinated by the thought of potentially millions of people carrying interoperable and/or compatible smart credentials that offer two or more factors of authentication, the ability to encrypt emails, digitally sign documents and more. The FIPS-201 Personal Identity Verification (PIV) standard shapes how such cards are deployed in the federal space and influences them in transport and emergency settings.

So how might enterprises leverage the availability of these credentials, either among customers/consumers they serve or employees or contractors who must carry them? We've been putting that question to a variety of smart folks, including Geri Castaldo, CEO of Codebench. The company's software extends the utility of Transportation Worker Identity Credentials (TWIC) and other PIV cards. In the transcription that follows, edited for length and clarity, Castaldo shares her insights on FIPS-201 influence, TWIC and more.
 
********
Sharon J. Watson, Security Squared: I am interested in the people who are not being compelled to adopt FIPS 201 but that might want to take advantage of all that work being done by the federal government. The Smart Card Alliance even has a white paper out saying that enterprises should think about being FIPS 201 compliant at some level. That's my first question: how practical is it today for an enterprise to incorporate FIPS 201 verification processes and procedures into their existing credentialing and identity management processes?

Geri Castaldo, Codebench: It's a big paradigm shift for those kinds of organizations because it's not a federal mandate. They're going to have to have a lot of money to be able to go into this. It's something that's costly if you don't need to do it.

If you look at commercial facilities today that are mandated, like some petrochemical companies or energy companies that need to comply with TWIC, they don't have a choice even though they're not a government entity.

We came across a potential customer on the Chesapeake Bay, a chicken plant that may have to comply with the Maritime Transportation Security Act. You don't really think about TWIC and chicken in the same sentence, but because they are on a waterway and they have cargo coming in and out--it's chicken instead of oil--they have to comply.

Now you take that to the next step and ask what are the types of facilities that don't have to comply but for which [FIPS 201 compliance] would make sense. In my mind, it would be financial institutions -- banking or investment firms. They potentially would want to do something like this to take advantage of the increased security features inside these cards. They are already doing smart cards for logging on securely to their logical network. This is the natural next step.

[Post-interview addendum from Geri Castaldo: FIPS 201 also addresses processes such as identity proofing and card issuance. It specifies a clear separation of roles and responsibilities for those administering the identity and card management systems. These are all best practices that can be adopted by commercial enterprises. The R&D has been done, and as the systems are deployed in the government space, companies will be able to observe how well the technology performs before adopting it.]

SJW: What would the evolution path be? Maybe it would be helpful to compare and contrast a little bit how the non-FIPS-201 compliant smart card implementation looks versus one that meets the FIPS compatibility standards.

GC: Look at the TWIC program. The TSA, which is in charge of that program, has contracted with Lockheed Martin to produce all of the TWIC cards. TSA started with the FIPS 201 PIV data model and added their own data model to accommodate some of the unique requirements of the maritime environment. TSA then selected a prime contractor to acquire all of the fingerprints, to vet the people that have to get those cards, and roll out the production of those cards. Here's an agency that's taken it upon themselves to figure out how are we going to roll this out and hired one contractor to go do it. Now there are 1.5 million TWIC cards out in the market. With the government agencies, many have contracted with the GSA Shared Services, which does this exact same thing. Shared Services produces and maintains these cards for those agencies as a [profit center].

But now if you have a commercial facility that has no mandate that they have to get those cards, they need to go produce these cards. There is now a format called PIV-I, and that's for organizations that aren't mandated that want to take this on themselves. So they are either going to have to outsource or decide to make these cards themselves. They will need an identity management or card management system that can encode these cards, they're going to want to have to vet these individuals just the way the government or port or petrochemical company does before they can give a card to a person. Then they will have to start spitting these cards out of their system and then be able to train people on what to do with them. It is not an insignificant financial task.

SJW: So if you are working with a company that realizes [it needs] to be in compliance in at least one of [its] facilities because it's in a sensitive area, how do you help them get to that compliance level and is there a way for them to build on that work and make their other corporate credentials stronger?

GC: If you look at PIV or TWIC, for instance, that [TWIC] card is mandated, and people who need to comply should have already had their card a year ago. All that you really need to have today is the card. That's the only mandate. There is no mandate that you need to do anything with that card other than have it. So when you walk into a facility, it's a flash pass. There it is, my photo looks like me, and I walk in. That's not really very secure but today that's what the mandate is.

There are facilities that want to take advantage of the expanded security features of that card so they have purchased our PIVCheck software that allows them to check the contents of that card. There's a PIN that unlocks the information in the different containers inside the card. We can also do a fingerprint check so we can verify the person is the person to whom the card was issued. Then we check a revocation list. For a TWIC card, it would be the TSA hotlist. We make sure the card is not on that list. Then we can copy the card contents and import it into one of 16 different access control systems so we can create a brand-new cardholder record with that TWIC card into that access control system.

That's part one. We check the cards, then we register the cards in the system. That is not compliant. Though it's great that the card is in there and we know somebody has a TWIC card or a PIV card, that doesn't make it compliant. What makes it compliant is always knowing the status of that card. If somebody became a felon six months ago and their card is revoked, and you are not checking the card all the time, you're still going to be letting this person in and out of the building.

You always have to keep checking so we have a second piece of software called the PIVCheck Certificate Manager, and it sits in the background along with the access control system. On some user-defined value--maybe every night at midnight--it will go back out to the TSA hotlist and revalidate all the cards that we know about.

At some point in the future if it finds someone who is now on the TSA hotlist, it can go back into the access control system and suspend any card associated with that person so they can't get back in. That's what compliance is. It's not just registering--it's registering and always knowing the status and then taking an action based upon that status.

That whole process that I have just described is called a caching status proxy and our software is the only FIPS 201 GSA-certified software that's in the caching status proxy category on the GSA FIPS 201 approved products list.

SJW: Are people using card status or actions you might take based on status not just to trigger actions in the physical access control but also in IT-based identity management systems?

GC: There are some that do that as well. However, that's a separate piece of software.

SJW: This is kind of a "blue sky" question but I was curious: Could you conceive of someone building a business on selling secure personal credentials that meet all of the government standards and that those might be credentials businesses could take advantage of?

GC: The GSA has a shared services division. When different government agencies want to have their PIV cards made, they can either go buy a card management system and set it up in their own facility and start cranking out cards and vetting people and doing all that or they can hire the GSA to go do that for them for a fee. ... That's a model that could be followed whether it's the GSA or ABC company that knows how to do what the GSA is doing today for a PIV card. So the model is already there.

SJW: I'm reading that credit card issuers use much more secure credentials in Europe than they do in the U.S. ... I just wondered if at some point those companies might be a natural fit for helping individuals have a more secure credential so [merchants and employers] might say, well if they got that kind of card from Visa, I know they are authenticated and passed a certain level of security.

GC: But that also assumes the rules for the vetting process are the same across the board. Visa says I'm okay, maybe MasterCard says that I'm not.

SJW: So in other words, you'd need a lot of standardization.

GC: Exactly. That's the beauty of FIPS-201 because that told us what the standard was and all these cards like PIV and TWIC and FRAC were all done to the same PIV-2 compliant format. For Codebench, our software can be used with any of those cards because they are all on the same format. There's a little bit of difference to them but our software is smart enough to know one from another because the differences are very, very small. If you don't have a standard, then things are going to be all over the place.

SJW: It seems to me the [FIPS-201 credential rollout] process has gone somewhat slow, given that there are standards. Having looked at the documents, it seems as though things are pretty well spelled out.

GC: There's really two pieces as to why it's slow. On the TWIC side, it's slow because they don't have to do anything other than have the card. That's the mandate. But if you're an organization like many of the ports that we have, the petrochemical companies that are our customers, they say, 'Hey, we had to pay $132.50 for each of these cards, we had darn well better be doing something with them.' So they proactively put a system in place that lets them use the features of the card.

There are grant monies out there for TWIC cards, for people that need to comply with that. As people are getting money, they are doing things with them but again there is no mandate other than having the card.

On the PIV side, there is a mandate that they have to do something with the card but it's an unfunded mandate. So unless the government is going to give money to every agency and say, we told you to go do this, they can't really force them to do it. Government agencies have to report every quarter on their implementation and how many cards they've issued. In a lot of agencies, there are a lot of cards out there. In some agencies, there are hardly any, they've barely even started. Last year I saw a lot of TWIC activity. This year, we're seeing a lot more PIV activity, at least in my field, which tells me that people are finally getting some money.
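Editor's added illustration, not part of the interview and not Codebench's PIVCheck code: a small Python model of the two-phase "caching status proxy" pattern Castaldo describes, where a card is checked against a revocation hotlist before a cardholder record is created in the access control system, and a scheduled job then revalidates every registered card against a fresh hotlist and suspends any that now fail. It goes slightly beyond the interview by also treating a lapsed card certificate as a reason to suspend, which is an assumption about what "always knowing the status" covers. Card identifiers, hotlist contents, dates and the access control system API are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class CardRecord:
    """One cardholder record as imported into the access control system (PACS)."""
    card_id: str            # constructed stand-in for the card's unique identifier
    holder: str
    expires: date           # expiry of the card's authentication certificate (assumed field)
    status: str = "active"  # "active" or "suspended"
    reason: Optional[str] = None


class AccessControlSystem:
    """Minimal stand-in for a PACS that the proxy registers into and suspends in."""

    def __init__(self) -> None:
        self.records: dict = {}
        self.audit: list = []

    def register(self, rec: CardRecord) -> None:
        self.records[rec.card_id] = rec
        self.audit.append(f"registered {rec.card_id} ({rec.holder})")

    def suspend(self, card_id: str, reason: str) -> None:
        rec = self.records[card_id]
        rec.status, rec.reason = "suspended", reason
        self.audit.append(f"suspended {card_id}: {reason}")


def register_card(pacs: AccessControlSystem, rec: CardRecord,
                  hotlist: set, today: date) -> bool:
    """Phase one. The PIN and fingerprint checks happen at the reader; here the
    proxy checks the card against the revocation list before creating the PACS
    record. Returns True if the record was created."""
    if rec.card_id in hotlist:
        pacs.audit.append(f"rejected {rec.card_id}: on hotlist at enrollment")
        return False
    if rec.expires < today:
        pacs.audit.append(f"rejected {rec.card_id}: certificate expired")
        return False
    pacs.register(rec)
    return True


def revalidate(pacs: AccessControlSystem, hotlist: set, today: date) -> list:
    """Phase two: the scheduled (e.g. nightly) job. Re-checks every registered
    card against a freshly fetched hotlist and certificate expiry, suspending
    any that no longer pass. Returns the ids suspended during this run."""
    suspended = []
    for rec in pacs.records.values():
        if rec.status != "active":
            continue  # already suspended; nothing further to do
        if rec.card_id in hotlist:
            pacs.suspend(rec.card_id, "appeared on hotlist")
            suspended.append(rec.card_id)
        elif rec.expires < today:
            pacs.suspend(rec.card_id, "certificate expired")
            suspended.append(rec.card_id)
    return suspended


def demo() -> dict:
    """Enrollment day plus two later nightly runs, all with constructed data."""
    day0 = date(2010, 6, 1)
    pacs = AccessControlSystem()
    cards = [
        CardRecord("CARD-0001", "A. Worker", day0 + timedelta(days=365)),
        CardRecord("CARD-0002", "B. Worker", day0 + timedelta(days=10)),
        CardRecord("CARD-0003", "C. Worker", day0 + timedelta(days=365)),
    ]
    hotlist_day0 = {"CARD-0003"}  # constructed: revoked before enrollment
    enrolled = [register_card(pacs, c, hotlist_day0, day0) for c in cards]

    # Night 1: the fresh hotlist now lists CARD-0001; CARD-0002 is still valid.
    night1 = revalidate(pacs, {"CARD-0001", "CARD-0003"}, day0 + timedelta(days=1))
    # Night 30: hotlist unchanged, but CARD-0002's certificate has lapsed.
    night30 = revalidate(pacs, {"CARD-0001", "CARD-0003"}, day0 + timedelta(days=30))
    return {
        "enrolled": enrolled,
        "night1": night1,
        "night30": night30,
        "statuses": {cid: r.status for cid, r in pacs.records.items()},
        "audit": pacs.audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point the interview makes is visible in the audit trail: CARD-0001 is accepted at enrollment and only caught by the later revalidation, which is exactly the case a register-once deployment would miss.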

# # #
