Securing Federal Identity 2019 Recap: Executives Share Insights on Evolving Initiatives, Policies, Technologies for Secure Identity and Access in Government
PRINCETON JUNCTION, N.J., June 13, 2019 – Government agency executives, security experts and technology providers gathered at the Secure Technology Alliance’s Securing Federal Identity 2019 conference in Washington, D.C. last week to discuss the latest developments and innovations in federal identity credentialing and access security.
Speakers at this year’s event looked to the future, focusing on the need for evolving security standards and solutions to keep up with emerging threats, advancements in identity management, and improvements around current practices for logical and physical access control.
Keeping Up with Modern Security Threats Through Evolving Technologies, Standards
Ross Foard, Department of Homeland Security (DHS), kicked off the event with a central theme: as use of new identity technologies such as mobile devices and cloud grows in government settings, organizations need to adapt their security practices to combat potential risks.
One speaker put identification and authentication into perspective through a unique use case: drones. Robert Segers, Federal Aviation Administration (FAA), shared how drones and other unmanned aircraft systems (UAS) pose new threats such as kinetic attacks, critical infrastructure disruptions, surveillance and smuggling.
In the case of UAS, Segers said the first step to mitigating these risks is clearly identifying drones and their operators. Segers suggested leveraging public key infrastructure (PKI) to secure the authenticity and integrity of UAS using a two-step signing approach to bind a manufacturing drone ID to an operator ID.
Some speakers discussed using mobile authentication factors such as FIDO when PIV cards are not practical – a concept that David Temoshok, National Institute of Standards and Technology (NIST), called “bring your own authenticator” (BYOA). Temoshok shared that NIST is evaluating additional ways to secure federal identities that align with the recent release of OMB M-19-17. This directive gives agencies new flexibility beyond PKI and PIV for authentication to services and systems that aren’t able to support PKI or PIV cards. Temoshok said this examination of authenticators will help streamline authentication and make it more usable.
Cindy Czayer and Stewart Clatterbaugh, U.S. Citizenship and Immigration Services (USCIS), highlighted the use of PIV credentials in government access control. Czayer and Clatterbaugh reported that USCIS is now 100% PIV-compliant for logons. The speakers shared that their organization has found great value in implementing PIV and is now looking at new opportunities to utilize the credentials.
Addressing Challenges for Managing Identities in Government
Speakers throughout the conference shared their perspectives on managing identities, exploring challenges and potential solutions around some of the most important identity questions today: What is the best way to keep identities secure and private? How can agencies improve interoperability for more fluid identity management across agencies? With different approaches to managing digital identity, how can the government ensure user control?
Ian Grossman, American Association of Motor Vehicle Administrators, provided an update on the status of mobile driver’s licenses (mDL) to enable a shared, international standard of identification beyond the operation of motor vehicles. Grossman outlined that the driver’s license is already a trusted, strongly proofed identity, making it a natural fit for expanded use.
Many speakers echoed the need for an interoperable identity system. In industries such as healthcare, non-interoperable systems can be a major cause of identity issues that impact delivery of care. Blake Hall, ID.me, stated that 50% of patient records in hospital transfers were not matched. One in five CIOs linked at least one case of patient harm within the last year to patient record mismatch, pointing towards healthcare’s need for federated identities. Hall cited the challenge of balancing usability and security as a key issue, and referenced mDL and FIDO authentication as potential solutions.
Looking to the Future of PACS
With so much innovation happening in identity management, speakers also shared their visions to continue these advances for standards and technologies impacting physical access control systems (PACS).
In a panel, several speakers addressed updated recommendations for implementation of government PACS based on recent revisions to NIST SP 800-116, which provides technical guidance for successful implementation of PIV-enabled PACS in government facilities. Panelists also discussed anticipated changes for streamlining the procurement of security technology and services for federal agencies under the modernization efforts led by General Services Administration (GSA) Federal Acquisition Services.
One panelist, William Windsor of DHS, posed the question to the audience: can technology get to a point where government employees have options in addition to a PIV or derived PIV credential to access facilities and information? He urged the industry to evaluate facility risks, key stakeholders and necessary levels of assurance as a starting place to initiate conversations within their own organizations to improve their PACS systems based on the latest OMB and NIST guidance.
Throughout the event, a number of speakers referenced the Secure Technology Alliance’s “Industry Recommendations for Implementing PIV Credentials with Physical Access Control Systems,” a complementary guide to NIST Special Publication (SP) 800-116 R1, for clarifying essential requirements within the NIST publication and providing recommendations for PACS implementors deploying PIV-enabled PACS.
Hildegard Ferraiolo, NIST, gave an inside look at work being done to update FIPS 201. Notable change requests include an addition of other form factors beyond smart cards, non-PKI derived PIV credentials and mobile devices for PACS. Ferraiolo also went in depth on the role federation is expected to play in shifting interagency interoperability requirements of HSPD-12.
With a similar focus, Will Morrison, FAA and Interagency Security Committee (ISC), gave an update on ISC guidance for enterprise PACS implementation. The organization recommends strategies for CISO, CIO and CSO communities to identify and meet PACS requirements to be PIV-compliant while maintaining interoperability across the federal government.
About the Secure Technology Alliance
The Secure Technology Alliance is the digital security industry’s premier association. The Alliance brings together leading providers and adopters of end-to-end security solutions designed to protect privacy and digital assets in payments, mobile, identity and access, healthcare, transportation and the emerging Internet of Things (IoT) markets.
The Alliance’s mission is to stimulate understanding, adoption and widespread application of connected digital solutions based on secure chip and other technologies and systems needed to protect data, enable secure authentication and facilitate commerce.
The Alliance is driven by its U.S.-focused member companies. They collaborate by sharing expertise and industry best practices through industry and technology councils, focused events, educational resources, industry outreach, advocacy, training and certification programs. Through participation in the breadth of Alliance activities, members strengthen personal and organizational networks and take away the insights to build the business strategies needed to commercialize secure products and services in this dynamic environment.
For more information, please visit www.securetechalliance.org.
Montner Tech PR