DOD, vendors to test secure access

The Defense Department and the vendors it works with plan to test a system later this year that would give them access to each other's employee credentials as part of an effort to bolster the security of their facilities.

The interoperability demonstration pilot project, scheduled for this fall, would test the feasibility of creating a cross-credentialing system between DOD and industry.

As envisioned, the Defense Cross-credentialing Identification System would consist of a collection of shared government and contractor databases, but the control and management of that information would remain with the agency or company that collected it.

A device would read the data stored on a smart identification card, such as a person's photograph and fingerprint, and validate it against information stored in the appropriate database via a Web-based interface. If it's a match, the person would be granted access to the facility.

"There is a big move to identify individuals and authenticate who they are," said Michael Mestrovich, co-chairman of the Federated Electronic Government Coalition, which is helping develop the pilot project. The problem, he said, is that even smart cards with public-key infrastructure certificates built into them "don't solve the problem of someone stealing the card or creating one."

Mestrovich said the pilot project has "applications across the board" and, once proven, could be expanded beyond the national security domain into other areas. DOD officials are considering a future pilot project that would apply the concept to network and system access.

The Defense Manpower Data Center, which manages DOD's identity databases, has developed a prototype National Visitor's System that will play a central role in the pilot project, said Rob Brandewie, deputy director of the center. The system "allows you to check the validity of DOD credentials within DOD," he said. "Cross-credentialing takes it one step further."

In addition to improving facility security, the pilot project aims to streamline business processes. "There is a big payoff in security," Brandewie said. "It also provides a shortcut way of validating or authenticating a business partner and getting them where they need to be. It complements what we've been improve identity management in DOD."

Defense employees participating in the pilot project will continue to use their Common Access Cards, which are becoming the standard DOD identification, and contractors will continue to use their company-issued ID cards, but with some modifications — for example, biometrics and "pointers" to relevant data will be added.

SRA International Inc. is participating in the pilot project as a natural extension of its current work with the the Defense Manpower Data Center, said Danny Michael, vice president and director of joint support systems at SRA. In addition to modifying its ID card, the company will invest in hardware and software and establish a communications link with DOD databases.

"The beauty is, with standards established, everyone is not required to adopt a single card," Michael said. "This process allows each company to maintain [its] own internal security controls. It leaves the security officers in control of granting access."

Reconciling the policies and processes between DOD and contractors is likely to be a bigger challenge than deploying the technology, said Chuck Alvord, head of business development for global information technology at Northrop Grumman Mission Systems, which is also participating in the pilot project.

"It's really [about] systems administration and getting a common lexicon" between DOD and contractors, he said. The pilot project will seek to address "how we adjudicate trust policies that exist at the DOD level and within the defense industry." Northrop Grumman is "a good example of a company that has a tremendous amount of defense work, and we're looking at a way to simplify the process."


Access granted

The Defense Department and its industry partners plan to test the idea of sharing identity credentials on each other's employees to beef up building security.

Among the project's objectives:

* Develop concepts for accessing and validating employees' credentials at U.S. facilities and temporary overseas duty stations.

* Incorporate current policies, standards and processes into an automated access-control system.

* Create a pilot architecture, then develop a Defense Cross-credentialing Identification System.

* Create a system that allows organizations to retain control of their employees' information.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.