DOD, vendors to test secure access

The Defense Department and the vendors it works with plan to test a system later this year that would give them access to each other's employee credentials as part of an effort to bolster the security of their facilities.

The interoperability demonstration pilot project, scheduled for this fall, would test the feasibility of creating a cross-credentialing system between DOD and industry.

As envisioned, the Defense Cross-credentialing Identification System would consist of a collection of shared government and contractor databases, but the control and management of that information would remain with the agency or company that collected it.

A device would read the data stored on a smart identification card, such as a person's photograph and fingerprint, and validate it against information stored in the appropriate database via a Web-based interface. If it's a match, the person would be granted access to the facility.

"There is a big move to identify individuals and authenticate who they are," said Michael Mestrovich, co-chairman of the Federated Electronic Government Coalition, which is helping develop the pilot project. The problem, he said, is that even smart cards with public-key infrastructure certificates built into them "don't solve the problem of someone stealing the card or creating one."

Mestrovich said the pilot project has "applications across the board" and, once proven, could be expanded beyond the national security domain into other areas. DOD officials are considering a future pilot project that would apply the concept to network and system access.

The Defense Manpower Data Center, which manages DOD's identity databases, has developed a prototype National Visitor's System that will play a central role in the pilot project, said Rob Brandewie, deputy director of the center. The system "allows you to check the validity of DOD credentials within DOD," he said. "Cross-credentialing takes it one step further."

In addition to improving facility security, the pilot project aims to streamline business processes. "There is a big payoff in security," Brandewie said. "It also provides a shortcut way of validating or authenticating a business partner and getting them where they need to be. It complements what we've been doing...to improve identity management in DOD."

Defense employees participating in the pilot project will continue to use their Common Access Cards, which are becoming the standard DOD identification, and contractors will continue to use their company-issued ID cards, but with some modifications — for example, biometrics and "pointers" to relevant data will be added.

SRA International Inc. is participating in the pilot project as a natural extension of its current work with the the Defense Manpower Data Center, said Danny Michael, vice president and director of joint support systems at SRA. In addition to modifying its ID card, the company will invest in hardware and software and establish a communications link with DOD databases.

"The beauty is, with standards established, everyone is not required to adopt a single card," Michael said. "This process allows each company to maintain [its] own internal security controls. It leaves the security officers in control of granting access."

Reconciling the policies and processes between DOD and contractors is likely to be a bigger challenge than deploying the technology, said Chuck Alvord, head of business development for global information technology at Northrop Grumman Mission Systems, which is also participating in the pilot project.

"It's really [about] systems administration and getting a common lexicon" between DOD and contractors, he said. The pilot project will seek to address "how we adjudicate trust policies that exist at the DOD level and within the defense industry." Northrop Grumman is "a good example of a company that has a tremendous amount of defense work, and we're looking at a way to simplify the process."

***

Access granted

The Defense Department and its industry partners plan to test the idea of sharing identity credentials on each other's employees to beef up building security.

Among the project's objectives:

* Develop concepts for accessing and validating employees' credentials at U.S. facilities and temporary overseas duty stations.

* Incorporate current policies, standards and processes into an automated access-control system.

* Create a pilot architecture, then develop a Defense Cross-credentialing Identification System.

* Create a system that allows organizations to retain control of their employees' information.