Goodbye anonymity. Hello ID superiority.
Government-issued personal identity verification cards are a form of identity proofing superior to anything available in the past, security experts say.
- By Jason Miller
- Jan 18, 2008
When federal agencies finish issuing computer-readable personal identity cards, it will mark the end of a difficult four-year process and the beginning of a new era.
The new federal ID cards will indicate who belongs in federal buildings and who has permission to access federal networks. For the first time, identity cards for federal employees and contractors will contain more than information about who they are. The smart cards will store information about their organizational roles and access rights to information and information systems.
“We need to recognize the change that is occurring in society,” said Morris Hymes, who leads the ID Assurance Directorate at the Defense Department. Society, he said, is taking away the privilege of anonymity.
Hymes is helping to promote a concept that DOD officials refer to as ID superiority. It is similar to DOD’s concept of information superiority, which relies on networks to make data available anytime and anywhere it is needed. ID superiority, like information superiority, requires an extensive network infrastructure to guarantee privacy and security.
Under Homeland Security Presidential Directive 12, every federal agency is implementing uniform standards for verifying people’s identities. For almost every agency, HSPD-12 will mean an end to the era of redundant databases for storing personal identification numbers and passwords. HSPD-12 will usher in an era of public-key infrastructure security based on cryptographic technology and biometric identifiers such as fingerprint scans.
“Leveraging a common identification is the key to gaining access to information more quickly,” Hymes said.
The concept of identity superiority is now within reach because of the work that many federal agencies — DOD, the General Services Administration, National Institute of Standards and Technology and others — have done to develop a largely invisible infrastructure that supports identity management.
HSPD-12 is the first high-profile project to make use of that infrastructure.
“What we have done is laid down the infrastructure that allows us to build on top of that all these capabilities that will lead us to ID superiority,” said Judy Spencer, chairwoman of the Federal Identity Credentialing Committee (FICC).
Spencer, who has been engaged in federal identity management activities since the 1990s, said many factors — FICC, the Federal Bridge for linking the federal government’s various PKIs, the E-Authentication e-government initiative, and a 2003 joint memo from the Office of Management and Budget and GSA — created a foundation for HSPD-12 today and ID superiority in the future.
“The concept of ID superiority has been around for a while, but it has been a twinkle in our eye,” Spencer said. “The idea [was that] if we had the infrastructure, we could do a lot of cool things. The reality now is that with the [HSPD-12] credential and its capabilities, we believe there is no reason we [can’t] do these cool things.”
If federal agencies had attempted to implement ID superiority five years ago, it would have been called science fiction, Spencer said.
However, now some departments and agencies — including DOD, the Veterans Affairs and State departments, and NASA — are beginning to gain an advantage from ID superiority.
Last year, for example, Charles Croom, director of the Defense Information Systems Agency, established a new policy that requires everyone to use PKI and Common Access Card technologies when they log on to DOD and military networks. Almost immediately, network intrusions declined by at least 46 percent.
ID superiority extends beyond successfully blocking network intruders. It also means having a standard identity credential for each employee, contractor and nongovernmental partner. Any agency can trust that credential to v rify the cardholder’s identity.
VA, like DOD, is at the forefront of the ID superiority movement because of its decentralized workforce and dependence on contractors and other partners. The department has about 500,000 employees, contractors and volunteers in addition to 26.5 million veterans. VA officials say they hope to issue common identity credentials to everyone the department does business with and avoid having to support multiple personal identity card programs.
“HSPD-12 is a natural springboard to identity superiority,” said Joe Bond, the leader of VA’s Program Executive Office for Resource Management. “Our approach is to create the user’s identity once and build it into our access management infrastructure,” Bond said. “When things change, everyone who needs to know will know.”
Neville Pattinson, vice president of government affairs and standards at Gemalto, a smart-card manufacturer, said ID superiority will enable agencies and companies to “bolt down someone’s identity based on a set of core references.”
VA plans to allow its employees and veterans to verify their identities online once each session they log in via a secure Web portal. VA awarded a contract in November to LS-3 Technologies and Aquilent to establish a secure access Web portal for veterans this year. If all goes well, it will be initially operational in 2009 and fully operational in 2010.
VA officials also are working with program managers internally to implement single sign-on capabilities and demonstrate how access and identity management will benefit them.
To advance the concept of ID superiority, departments such as VA and DOD must modify many of their policies to take into account the capabilities of smart credentials issued under the HSPD-12 program, said Randy Vanderhoof, executive director at the Smartcard Alliance, which represents the smart-card industry.
Vanderhoof said new policies that would require employees to digitally sign e-mail messages and authenticate work orders or expense vouchers are advantages that agencies can expect to enjoy as soon as they have an infrastructure that supports HSPD-12. But agencies must do additional work to take advantage of the more complex functions of the HSPD-12 credentials, he said.
Hymes said agency chief information officers must perform much of the additional work because it involves collaboration with human resources officials, building security officers and other partners with whom relationships are not yet well-established.
“It is hard for people to give up control to the CIO,” Hymes said, adding that “there has to be a consensus of what is necessary and sufficient for identity to operate.”
DOD is developing an ID superiority road map to help identify people, services and devices so it can enhance building and network security, Hymes said. A cross-agency team is working on the road map, which he expects will be completed by late spring.
To prepare for the era of ID superiority, Spencer said, FICC and NIST are developing additional documents that will help agencies meet the challenges that the new capabilities present.
“If ID superiority were in a vacuum in which other features were not in place, we would be wondering how to get there,” Spencer said. “But now we are looking forward to making this new tool benefit government.”