Didn't ANYONE see "Minority Report"?
Identity Network
By Cindie Beach
A government/industry effort to develop an interoperable authentication network to securely and efficiently verify the identities of defense and contract employees has taken an important step forward with the signing of an agreement between the Defense Manpower Data Center (DMDC) and the Federation for Identity and Cross-Credentialing Systems (FiXs).
The Department of Defense agency and industry have been taking a hard look over the past few years at the business of reliable identification and authentication of individual credentials for both federal and contractor employees. Traditionally, different government agencies were responsible for managing their own information technology infrastructure, which led to disparate systems that could not communicate with one another. There were wide variations in the quality and reliability of information integrity and identity authentication.
Public key infrastructure (PKI) systems were being utilized to address security of various government departments, but because of the burgeoning risks and concerns, the DoD director of information assurance, Robert Lentz, called together an industry group to look at the PKI and make recommendations about what was good and not good about its use and the surrounding business processes.
That led to the formation of the Federated Electronic Government Coalition (FEGC). The coalition was a partnership between DoD and industry that was created to support the development of a comprehensive identity management system.
The objectives included creating a federated credentialing system between government and industry, in which information on individuals remains with, and under the control of, their parent organizations, and developing interoperable system concepts for validating contractor and government credentials at U.S. facilities. Out of that study group, a more formalized coalition was formed in 2004 as FiXs.
FiXs has as its core members large systems integrators, financial institutions and other vendors that have a stake in promoting improved force protection and systems security for critical infrastructure markets.
The following organizations are founding members of FiXs: BearingPoint, Data Systems Analysts, EDS, Lockheed Martin, NACHA-The Electronic Payments Association, Northrop Grumman, Saflink, SRA International, SRP Consulting Group, 3Factor, Unlimited New Dimensions and Wave Systems.
In addition, FiXs lists the following companies as full members: Citigroup, ChoicePoint Government Services, Disaster Management Solutions, EID Passport, Giesecke and Devrient Cardtech, Maximus and Wells Fargo.
Verification Process
The priority of the members was to provide federated authentication transaction services, including management of the individual enrollment process, credentialing of organizations and equipment installation to DoD vendors. There was a need for government-to-business, business-to-government, and business-to-business identity verification of employees and contractors.
“We didn’t know that any other environment existed out there that allowed that to happen, but FiXs had that solution,” said Mike Mestrovich, president-elect of FiXs.
Those involved shared their initial findings with the National Institute of Standards, which developed the Federal Information Processing Standard (FIPS) 201. FIPS 201 comprises two parts: PIV I, which describes the basic requirements and process under which federal agencies must conduct personal identity proofing, and PIV II, which provides the detailed specifications, components and processes for deploying a personal identity verification card management system across the federal government.
“FiXs modeled the operating rules a great deal after how the financial networks are handling automatic teller machine transactions under the auspices of NACHA. One bank must trust another bank’s customer in dispensing money from an ATM,” explained Mestrovich.
The personal identity verification process for FiXs is similar. In addition, FiXs policy, operating rules and interoperable technical components already complied with the PIV I requirements. FiXs created and deployed an interoperable identity cross-credentialing network that was FIPS 201, PIV I-compliant in 2005. It was the intention of the FiXs federation to align itself with PIV II as the technical and interoperability standards evolved and became finalized. Interoperability was the key.
About the same time that some of the initial work was being done, President Bush in 2004 signed HSPD-12, the “Policy for a Common Identification Standard for Federal Employees and Contractors.” The directive requires the development and agency implementation of a mandatory, governmentwide standard for secure and reliable forms of identification for federal employees and contractors.
The policy outlined a timeline for development and implementation of a governmentwide standard, with fraud-resistant criteria for identity verification. In addition, the policy requires that providers must undergo a strict accreditation process. The requirement was to get the right information into the right hands reliably and quickly. The goal of HSPD-12 was to take the mix-and-match of federal systems and create an interoperable system.
Since 2003, the DMDC and FiXs have been working together to develop a secure means of authenticating employees while protecting their personal information. Last year, DoD announced that the DMDC and FiXs had won the Government Solution Center’s first Successful Public/Private Partnership Award for the pilot testing.
“Working together, they developed a completely new system to verify credentials via electronic means,” according to Mestrovich. “The new method provides significant improvements in security and reliability, compared to other methods of human verification.”
The operating policies and rules direct that identity information is stored by the individual’s employer, and not in a master database. No one looks at someone else’s data. The scenario would be that as an individual is seeking access to a secure facility, he or she places a finger on a fingerprint reader. That biometric data is routed to their government or credentialed employer, who then sends back a picture of the individual.
The guard identifies the individual and permits him or her access to the facility. Validation and authentication procedures are uniform across organizations, and organizations and government agencies can terminate or invalidate an identity credential in a timely, electronic manner.
“When a person’s affiliation or trustworthiness changes, you know that in as near real-time as possible,” said Mary Dixon, deputy director of DMDC.
Northrop Grumman is implementing and operating the switch for the FiXs Network. EDS, SRA and Northrop Grumman are member service provider companies offering identity management services utilizing the FiXs Network. Wells Fargo is set to provide business identity background verification services to qualify new FiXs members.
Enrollment Scenarios
Enrollment can be accomplished in several different scenarios. Some companies, like EDS and SRA, are already certified to do the enrollment, but the FiXs operating rules and policies dictate how. All of the transactions conform to a set of operating rules managed by the FiXs membership. In addition, they are updated on a continuous basis to conform to developing standards and relevant laws and regulations.
New initiatives are on the table based on an interface between two existing projects: FiXs and the Defense Cross-Credentialing System (DCCIS). According to Jack Radzikowski, FiXs business manager at Northrop Grumman, the system will be introduced as DoD starts deploying DCCIS to military installations worldwide during the next few years.
“Over the last two years, the Department of Defense has been aggressively working on policies and technologies to improve process dealing with identity protection proofing, verification, authentication and use of biometrics,” said Air Force Lieutenant Colonel Ellen Krenke, a DoD spokeswoman. “HSPD-12 instructs all federal agencies and departments to implement smartcard-based security controls for physical access to facilities and logical access to IT systems. Therefore the long-range goal is to provide the most secure identification and verification systems possible between government and its qualifying industry partners.”
Currently, FiXs is in the final stages of testing for its high-security global network utility that routes credential authentication requests to and among its member companies and facilities. The goal is to have the testing completed and the network operational with DoD by this spring.
“A growing number of government and commercial organizations need highly secure, interoperable systems to manage user authentication and access control across multiple facilities,” said Glenn Argenbright, chief executive officer of Saflink. “Programs like DCCIS and FiXs, which we’ve supported from the outset, provide an important framework for developing those systems.
“DCCIS and FiXs can also draw on the policies and technical standards developed in other government cross credentialing initiatives—including the Personal Identity Verification, Transportation Worker Identification Credential, Common Access Card, US-Visit and Registered Traveler programs,” Argenbright added.
