National Capital Region
First Responder Partnership Initiative
“A Scalable Standards-based
Identity Solution
for Incident Management”
Please see notes section of slides for further explanation if necessary.
Mr. Thomas J. Lockwood
Director, ONCRC, DHS
Joint Federal Committee Requirement
(Tasked August 4, 2004 to ONCRC)
Rationale: 2001-2005 NCR “Incident Snapshot”
Sep 11, 2001 Terrorist attack on Pentagon
Anthrax crisis
Sniper incident
W. Wilson Bridge “rush-hour” attempted suicide
Washington Monument “tractor man”
2005 Anthrax scare
May 11, 2005 “no fly zone” violation during JFC update
ALL LACKED FEDERAL/STATE/LOCAL
MULTI-JURISDICTIONAL “COMMON IDENTITY TRUST”
The Response…leveraged opportunity
Federal:
HSPD 12 signed 27 August 04
Implemented NLT 27 October 2005
Must identify “Emergency Response Officials” (COOP/COG/ESF)
State and Local:
NIST FIPS PUB 201 released on 25 February 2005
Leveraged for NCR common identity trust model
Own, control, and manage First Responder identity and attributes
Smart “identification” card:
Identity verified through standard architecture
attribute validated via PKI public key (COOP, COG, ESF, etc.)
Deliberate and urgent identity verification:
Daily “routine use” identity card becomes “crisis” identity card
No requirement to issue another identification card
HSPD – 12 Identification Verbiage
"Secure and reliable forms of identification" for purposes of this
directive means identification that:
is issued based on sound criteria for verifying an individual
employee's identity;
is strongly resistant to identity fraud, tampering, counterfeiting,
and terrorist exploitation;
can be rapidly authenticated electronically; and
is issued only by providers whose reliability has been established
by an official accreditation process.
The Standard will include graduated criteria, from least secure to
most secure, to ensure flexibility in selecting the appropriate level
of security for each application
Policy Drivers
Federal Information Processing Standard (FIPS) 201: Personal Identity Verification (PIV) of Federal employees and contractors (http://csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf)
Executive Order 13356: Strengthening the Sharing of Terrorism Information to Protect America (August 27, 2004) (http://www.fas.org/irp/offdocs/eo/eo-13356.htm)
OMB M-04-04: E-Authentication Guidance for Federal Agencies (http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf)
OMB M-05-05: Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services (http://www.whitehouse.gov/omb/memoranda/fy2005/m05-05.pdf)
OMB M-03-22: OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (http://www.whitehouse.gov/omb/memoranda/m03-22.html)
HSPD-5 Management of Domestic Incidents: Establishes a single, comprehensive national incident management system (February 28, 2003) (http://www.whitehouse.gov/news/releases/2003/02/20030228-9.html)
HSPD-6 Integration and Use of Screening Information: Consolidates the Government's approach to terrorism screening and information collection and usage in screening processes (September 16, 2003) (http://www.whitehouse.gov/news/releases/2003/09/20030916-5.html)
HSPD-7 Critical Infrastructure Protection: Federal departments and agencies are to identify, prioritize, and protect United States critical infrastructure and key resources (December 17, 2003) (http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html)
HSPD-8 National Preparedness: Defines "first responder" as those who are responsible for the protection and preservation of life, property, evidence, and the environment (December 17, 2003) (http://www.whitehouse.gov/news/releases/2003/12/20031217-6.html)
HSPD-11 Comprehensive Terrorist-Related Screening Procedures: Research and development on technologies, including biometric identifiers (see also Executive Order 13356) (http://www.whitehouse.gov/news/releases/2004/08/20040827-7.html)
HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors: Sets a standard for secure and reliable forms of identification (http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html)
Incident Identity Management
A PKI identity smart card provides the relying party with machine-readable information to determine access privileges for granting access into, out of, and within various areas in a trusted and secure manner as required.
(Diagram: smart-card access control for a disaster recovery area.)
Targeted Population
Federal Community
Fire and Rescue Community
Transportation / HAZMAT Community
Medical Community
Emergency Management Community
Infrastructure Community
State Community
Military / National Guard
Local Community
Retail Community
Force Protection Community
Volunteer Community
Resident / Tribal / NGO Community
Enrollment/Issuance Process
(Diagram; components recovered from the slide.)
Authoritative data sources: State LE database; Emergency Response / Recovery community; other volunteers; medical; other
Issuance engine: common interface; authoritative schema; individual data source
Public Key Infrastructure Shared Service Provider:
- Card management system
- Certificate authority
- Validation authority
- Web secure application
Issuance authority, issuance workstation, and bearer
PKI Interoperability
(Diagram; components recovered from the slide.)
Credential issuers: DoD / CAC; VA / NCR / FRAC; MD / FRAC; TSA / TWIC
Privileged ID cards
CRLs* from each issuer, feeding the Validation Authority
Compressed, signed validation lists (produced and synchronized every 24 hours at minimum), recording each credential as "Trusted: Valid …"
Authorization handhelds, which consume the validation lists
First Responder Attribute Authority
*CRLs – certificate revocation lists
Multi-Jurisdictional Recognition
Information feed: Federal, State, Local, Private
First Responder Validation Authority (produced and synchronized nightly)
PDA information format: data, text, image
Public Key Infrastructure (PKI)
Federal Bridge Levels of Assurance
Assurance level, applicability, and identity proofing requirement:
Test: to be established in the MOA with the Entity (will depend upon test circumstances).
Rudimentary: no identification requirement; applicant may apply and receive a certificate by providing his or her e-mail address.
Basic (agency-sponsored First Responders, plus FR attribute): identity may be established by in-person proofing before a Registration Authority or Trusted Agent; or by comparison with trusted information in a database of user-supplied information (obtained and/or checked electronically, through other trusted means such as the U.S. mail, or in person); or by attestation of a supervisor, or administrative or information security officer, or a person certified by a State or Federal Entity as being authorized to confirm identities.
Medium (Federal Government under HSPD-12; sponsoring agencies' FIPS 201 enrollment/issuance officials): identity shall be established by in-person proofing before the Registration Authority, Trusted Agent, or an entity certified by a State or Federal Entity as being authorized to confirm identities; information provided shall be verified to ensure legitimacy. A trust relationship between the Trusted Agent and the applicant which is based on an in-person antecedent may suffice as meeting the in-person identity proofing requirement. Credentials required are either one Federal Government-issued picture I.D., or two non-Federal Government IDs, one of which shall be a photo I.D. (e.g., driver's license).
High: identity established by in-person appearance before the Registration Authority or Trusted Agent; information provided shall be checked to ensure legitimacy. Credentials required are either one Federal Government-issued picture I.D., or two non-Federal Government IDs, one of which shall be a photo I.D. (e.g., driver's license).
One Identity Framework
(Diagram: identity use cases arranged around a common framework; elements recovered from the slide.)
Common Framework: identity proofing, issuance, and verification of the valid/intended bearer
Use cases around the framework:
- First Responder COOP/COG, State/Local
- Fed & Contractors
- State Real ID driver's license
- Electronic corporate espionage
- Education / student tracking
- ID theft / banking card
- Medical and volunteers
- E-patient records
- GPEA Fed & Contractors
- Utility
- Emergency Response & Preparedness
- DHS Info Share: HSIN, HSDN
Take Away: Public Key Infrastructure (PKI)
Identity Interoperability
NCR credential requirement
Leveraged response
Policy drivers
Incident identity management
Targeted population
Enrollment / issuance process
PKI technical requirements
Mobile identity management
PKI identity proofing requirements
Benefits / outcome
Benefits / Outcome
Machine-read vs. discretionary identity management
Federal, State, Local PKI certificate-based identity interoperability
Multi-jurisdictional conformance (Federal, State, Local, Tribal, NGO, other)
Enables trust and cooperation for collaboration in a distributed environment
Scalable for use in other regions & cost effective implementation
Functional and reliable in a “communication-out” environment
Provides for standards-based technology migration opportunities
Supports mutual aid human resources asset management
Supports National Incident Management System (NIMS) integration of
defined Emergency Support Functions (ESFs)
Winter Fox Interoperability Demonstration
23 February 2006
Coordinated by: Department of Homeland Security, Office of National Capital Region Coordination (Thomas J. Lockwood, Director)
Hosted by: Department of Defense, Pentagon Force Protection Agency (Robert Taylor, Director)
Multi-Jurisdictional Trust Model
Integrated/Collaborative Planning Framework
Provide a continual process improvement loop to incorporate best practices across jurisdictions and ensure continued architectural alignment and interoperability.
(Diagram; elements recovered from the slide.)
Federal: DHS, EPA, HHS, and DOJ strategic plans; HSPD…, H.R. 418, FIPS 201
State: Virginia, D.C., and Maryland strategic plans; NCRC Regional Strategic Plan
Private sector (profit): critical infrastructure associations, chambers
Private sector (not-for-profit): community round table organizations, regional organizations & international
Hosted county & local: county strategic plans
Strategic Objectives
1. Establishment of a multi-jurisdictional identity trust model in accordance with
existing standards and technology that enables interoperability for dynamic identity
and emergency attribute management
2. Categorize all emergency response or critical infrastructure support
personnel in accordance with the National Response Plan (NRP) or National
Infrastructure Protection Plan (NIPP)
3. Integrate identity and NRP/NIPP category information into existing
authoritative human resources databases/directories for use with current
technology tool sets that support the electronic proliferation of trusted and secure
information for access decisions
4. Standardize NRP/NIPP occupation sub-categories and qualifications in
accordance with national and international personnel qualification standards as
appropriate
5. Conduct exercises to integrate use with response requirements and
applications development for trusted and secure electronic incident management
with accountability
6. Proof of concept of key capabilities: personnel accountability / physical access,
incident muster list, EOC notification/cross agency personnel visibility, time
keeping/reimbursement; post-event notification, enhanced COOP/COG processes
Winter Fox Interoperability Demonstration
Winter Fox validated the capability to use the public-key infrastructure (PKI) to establish a multi-jurisdictional identity trust model by electronically binding PKI smart ID cards, issued from different back-end infrastructures, to authorized responders in a communication-in or communication-out environment.
Sites:
Pentagon
Federal Office Building II
Virginia Department of Transportation (VDOT) Smart Traffic Center
Frederick County, Maryland
Maryland Department of Transportation
Port of Baltimore
Targeted Population
Targeted Participation
Participation for this exercise was focused primarily on federal, state, regional, local, private sector, and public safety leadership, to build a better understanding of the PKI identity trust model that provides multi-jurisdictional interoperability and can be leveraged for incident management of responding human resource assets.
Federal / State / Perimeter Access Controls
(Diagram; the numbered flow 1 through 9 between check points is not recoverable from the extracted text.)
Scenario 1, Pentagon federal property: Federal Office Building II; authenticated FRAC or DoD CAC; escort required.
Scenario 2, Virginia state property: VDOT Smart Traffic Center; authenticated FRAC & ESF; escort required.
Simulated incident scene: mobile ID unit; incident scene staging area (outer perimeter); second perimeter staging area; third perimeter staging area; authenticated FRAC; escort required.
Winter Fox Data Sample
(Data sample image; not recoverable from the extracted text.)
Winter Fox (data sample, a closer look)
(Data sample image; not recoverable from the extracted text.)
Winter Fox Identity Transaction Metrics
Locations:
• 285 total scans recorded:
– 138 scans into VDOT Smart Traffic Center
– 87 scans into Pentagon Federal Property
– 35 scans into Baltimore Incident Area
– 25 scans in Frederick County, MD
Transactions:
• 206 success: card validation
• 79 failure: PIN verification
Technology:
• 5 driver's license bar code scans, no binding to a card
• 263 FRACs (with digital photo) plus PIN verification
• 16 CACs (without photo) plus PIN verification
• 1 TWIC (without photo) plus PIN verification
Winter Fox Validated Proof of Concepts
Validated key capabilities:
• A multi-jurisdictional identity trust model at a Pentagon federal facility, Virginia
State facility, Maryland State port, and Maryland County municipality
• Routine electronic physical access into federal and state facilities
• Incident area first, second and third perimeter control using electronic identity
validation for incident management
• Secure access through a local municipality-controlled check point
• In-transit visibility of COOP/COG human resource assets in a communication-in and/or communication-out environment
• Satellite communications (SATCOM) manifest tracking of sponsoring agency personnel to relocation sites
• Federal, state, and local EOC notification and cross-agency personnel visibility
• Time keeping/reimbursement; post-event notification
Next Steps
• Continue working with Partnership members for FIPS 201
implementation in all of Virginia, Maryland and NCR
• Work with the public/private sector practitioner communities for
coordinated FIPS 201 implementation
• Coordinate and integrate NIMS qualifications with electronic
identities and attribute systems of records
• Standardize FIPS 201 products /services / application development
• Include FRAC interoperability as a performance measure in all
future exercises (federal, state, regional) for incident area, physical
and logical access control procedures
Notional PDA ID Authentication &
Attribute Validation Screen Shot
Screen fields:
1. Identity Authentication Confirmation: Unconfirmed / Incorrect PIN / Confirmed / Revoked
2. Identity Assurance Level: Basic / Medium / High
3. NIPP Sector Coordinating Council (17 sectors of critical infrastructure, both public and private)
4. NIMS ESF Category:
#1 – Transportation
#2 – Communications
#3 – Public Works and Engineering
#4 – Firefighting
#5 – Emergency Management
#6 – Mass Care, Housing, and Human Services
#7 – Resource Support
#8 – Public Health and Medical Services
#9 – Urban Search and Rescue
#10 – Oil and Hazardous Materials Response
#11 – Agriculture and Natural Resources
#12 – Energy
#13 – Public Safety and Security
#14 – Long-Term Community Recovery and Mitigation
#15 – External Affairs
5. Attribute Nomenclature:
Qualification – (e.g., COOP, COG, State Trooper, doctor, utility, water)
Certification – (e.g., Skill, EMT, Firefighter, SWAT)
Authorization – (e.g., Lawful Entitlement, Weapons, security investigation)
Privilege – (e.g., Official Benefits, VIP)
6. Sponsoring Agency (store on card)
7. Jurisdiction Location (store on card)
8. State (store on card)
Sample display, Cardholder: John A. Doe, Maryland:
1. Unconfirmed
2. Medium
3. Transportation
4. ESF 1, 13
5. Public Safety, VIP
6. VDOT
7. Arlington
8. Virginia
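The compressed, signed validation lists on the PKI Interoperability slide and the Confirmed / Revoked / Unconfirmed states on the PDA screen above, worked as an added Go example that is not part of the original deck or of any DHS, NCR or FRAC system: a Validation Authority publishes a nightly list keyed by card-certificate fingerprint, and a communication-out handheld verifies the list signature before decompressing it, refuses a list older than the 24-hour synchronization interval, and makes a per-card decision. Ed25519 for the VA signature, the list schema, the stale-list policy, and the card "DER" byte strings are all assumptions; the cardholder data is constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Lists are produced and synchronized every 24 hours at minimum, so the
// handheld refuses anything older (assumed policy; the slide gives no grace).
const MaxListAge = 24 * time.Hour

// Entry is one cardholder record (schema assumed; the page does not give one).
type Entry struct {
	Issuer    string // e.g. "VA/NCR/FRAC", "DoD/CAC"
	Assurance string // Basic / Medium / High
	ESF       []int  // NIMS Emergency Support Function numbers
	Revoked   bool   // merged in from the issuer's CRL
}

type ValidationList struct {
	Produced time.Time
	Entries  map[string]Entry // keyed by hex SHA-256 of the card certificate DER
}

func Fingerprint(certDER []byte) string { s := sha256.Sum256(certDER); return hex.EncodeToString(s[:]) }

// Publish gzip-compresses the serialized list and prepends the Validation
// Authority's Ed25519 signature over the compressed bytes (64-byte prefix).
func Publish(list ValidationList, vaKey ed25519.PrivateKey) []byte {
	body, _ := json.Marshal(list) // cannot fail for these field types
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf) // writes into a bytes.Buffer cannot fail
	zw.Write(body)
	zw.Close()
	return append(ed25519.Sign(vaKey, buf.Bytes()), buf.Bytes()...)
}

// Load is the handheld side: verify the VA signature before decompressing or
// parsing anything, then reject stale or future-dated lists.
func Load(blob []byte, vaPub ed25519.PublicKey, now time.Time) (*ValidationList, error) {
	n := ed25519.SignatureSize
	if len(blob) < n || !ed25519.Verify(vaPub, blob[n:], blob[:n]) {
		return nil, errors.New("validation list signature invalid")
	}
	zr, err := gzip.NewReader(bytes.NewReader(blob[n:]))
	if err != nil {
		return nil, err
	}
	var list ValidationList
	if err := json.NewDecoder(zr).Decode(&list); err != nil {
		return nil, err
	}
	if age := now.Sub(list.Produced); age < 0 || age > MaxListAge {
		return nil, errors.New("validation list stale; resynchronize before use")
	}
	return &list, nil
}

// Check is the offline decision for one presented card, in the states the
// notional PDA screen shows: Confirmed, Revoked, Unconfirmed.
func Check(list *ValidationList, certDER []byte) (string, Entry) {
	e, ok := list.Entries[Fingerprint(certDER)]
	if !ok {
		return "Unconfirmed", Entry{}
	} else if e.Revoked {
		return "Revoked", e
	}
	return "Confirmed", e
}

// SampleList is constructed demo data: two enrolled cards (one revoked) and one
// unknown card. The "DER" values are stand-ins for real card certificates.
func SampleList(now time.Time) (ValidationList, map[string][]byte) {
	cards := map[string][]byte{
		"A": []byte("constructed-DER VA/NCR/FRAC serial 1001"),
		"B": []byte("constructed-DER DoD/CAC serial 2002"),
		"C": []byte("constructed-DER unknown issuer serial 3003"),
	}
	return ValidationList{Produced: now.Add(-6 * time.Hour), Entries: map[string]Entry{
		Fingerprint(cards["A"]): {Issuer: "VA/NCR/FRAC", Assurance: "Medium", ESF: []int{1, 13}},
		Fingerprint(cards["B"]): {Issuer: "DoD/CAC", Assurance: "High", Revoked: true},
	}}, cards
}

func main() {
	vaPub, vaKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2006, 2, 23, 8, 0, 0, 0, time.UTC)
	list, cards := SampleList(now)
	loaded, err := Load(Publish(list, vaKey), vaPub, now)
	if err != nil {
		panic(err)
	}
	for name, der := range cards {
		state, e := Check(loaded, der)
		fmt.Println(name, state, e.Issuer, e.Assurance, e.ESF)
	}
}
```

The signature covers the compressed bytes so a handheld never inflates or parses anything it has not authenticated; a real deployment would key entries by the card's PIV authentication certificate and fold each issuer's CRL into the Revoked flag when the nightly list is built.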
NCR Implementation Timeline
Phase I:
Regional “as-is” and “to be” analysis (includes 19 jurisdictions + the states of MD and VA): 3/15/06 - 5/15/06
Limited implementation for interface analysis: 3/15/06 - 5/15/06
Mobile device and interoperability analysis: 3/15/06 - 5/15/06
Provide recommendations and implementation plan: 06/01/06
Pentagon sponsored Winter Fox exercise: done
NCR sponsored pilot exercise planning: 5/15/06 - 6/15/06
Phase II:
NCR sponsored pilot exercise: 7/06
Commence regional implementation: 6/1/06 - 9/1/06
NCR sponsored exercises: 8/1/06 - 10/1/06
FEMA sponsored Forward Challenge 06: 06/19/06 - 06/22/06
Phase III:
Complete implementation of UASI 05 funding: 9/1/06 - 11/1/06
NCR sponsored exercises: 11/15/06 - 12/15/06
GSA Support
• Enable State/Local government economies of scale for
FIPS 201 procurement off GSA schedule
• Extend invitation for NCR S/L participation in FIPS 201
authorized equipment list evaluation
• Use NCR as incubator for equipment analysis
• Include FBCA level II in RFI/RFP infrastructure selection
to support non-UASI covered First Responders
End state: Preparedness Identity Management
Incident Management:
To get the right people with the right attributes to the right places at the right times, thus reducing response/recovery times and promoting restoration to pre-incident quality of life conditions
Intended benefit:
Emergency response officials will possess public-key infrastructure (PKI) identity cards
that align with federal standards and enable electronic validation of identity and emergency
attribute information for determining access privileges
Additional benefit:
Emergency response officials will possess PKI identity cards issued by respective
sponsoring agencies in a distributed environment that can be integrated into standards-
based physical and logical access systems
Questions?
FRACSupport@dhs.gov
Office of National Capital Region Coordination
202-254-2301
Craig A. Wilson
Partnership Coordinator
202-254-2305 (office)
703-597-4113 (cell)
craig.a.wilson@associates.dhs.gov