Smart Card Alliance Government Conference Concludes with Updates on Usage of PIV and PIV-I, and Progress in NSTIC and Mobile Credentialing Efforts
PRINCETON JUNCTION, N.J., December 3, 2012–The 11th Annual Smart Card Alliance Government Conference, known as the leading event for government identity management, security, and healthcare ID security, was held last week at the Walter E. Washington Convention Center in Washington, DC. More than 700 people attended the three-day conference and exposition. Below are highlights from the conference.
PIV and HSPD-12 Implementations
Government agencies are continuing to make progress implementing physical and logical access control using their PIV credentials, and representatives shared lessons learned and provided updates on their progress with their peers at the conference.
J’Son Tyson, FEMA’s chief for Identity Credential and Access Management Support Operations, reported that his agency has successfully updated its 105 locations to a single physical access control system now used by its 22,000 employees. The new system fully supports PIV, CAC and PIV-I credentials and data. PIV-I support is crucial to the agency’s mission because it lets FEMA authenticate the identities, qualifications and privileges of first responders and other state and local individuals under post-disaster conditions; for example, after Katrina the agency had as many as 72,000 people actively working on assistance and cleanup. For logical access control, 90% of FEMA employees now have the option to use their PIV cards for secure login. He reported that interest in issuing PIV-I credentials for first responders continues to grow rapidly at the state and local levels.
As for the Department of Health and Human Services and its 120,000 employees, virtually 100 percent of those located in the continental United States have been issued a PIV card, and 50 percent are now required to use the PIV card to access networks either directly or remotely. Ken Calabrese, associate director of the Office of Security Strategic Information and HSPD-12 program manager, anticipates successfully achieving the goal of 85 percent using PIV for logical access control by FY2013.
The Department of Defense is spearheading the use of PIV and PIV-I credentials to pay public transit fares using either bank-issued open payment contactless EMV accounts or closed-loop programs with employee transit benefits. The DoD has already demonstrated savings of $19 million using a separate “Smart Benefits Card” in a joint program with Washington, DC, transit operator, WMATA. Two proof-of-concept trials are planned in Salt Lake City and Philadelphia. Program leader Bob Gilson issued a call to action for other federal agencies to participate in the trial by providing additional volunteer users in those regions.
Disaster Response Security
FEMA uses the PIV card along with visual identification as a countermeasure to mitigate risk for many access control issues the organization faces. FEMA’s Charles Luddeke praised the card, saying “the PIV card, when issued and used correctly, is a tamper-proof key to the multiple layers of protection to facilities and sites.” Responding to the problem of imposters claiming to be FEMA housing inspectors during disasters, Luddeke said that PIV-I cards will be required of all housing inspectors within the next year, and he also envisions a future where citizens can use their mobile devices to validate PIV cards and the identity of the person entering their home. The priority, according to Luddeke, is to “give our customers–the disaster survivors–more security and more assurance of who they can trust in a disaster.”
PIV-I in Aerospace and Defense
Members of the Transglobal Secure Collaboration Program (TSCP) have reached the milestone of more than one million smart card-based PIV and PIV-I credentials issued, according to estimates made by Stephen Race, VP of operations. The organization provides a common framework for federated trust including identity management and data protection between stakeholders in the global aerospace and defense industry and its government clients.
Conference attendees were given updates on four of the pilots awarded for the proposed U.S. identity ecosystem, the National Strategy for Trusted Identities in Cyberspace (NSTIC). Catherine Tilton from Daon, Inc. detailed the Daon Smart Mobile Device Pilot, which is “off and running” to prove “the suitability of strong, mobile-based authentication–including biometrics–for online authentication.” The pilot has an aggressive deployment plan with team members AARP, PayPal, Purdue University, and the American Association of Airport Executives.
David Coxe, ID/DataWeb, Inc., outlined Criterion Systems Consumer-selected Attributes Exchange Pilot that will start in January 2013. The pilot will focus on an “attribute exchange ecosystem” that will replace the use of passwords, more accurately validate identities, and create online IDs. Consumers can opt in to have their attributes such as age, address and other personal details verified by “trusted attribute providers” like LexisNexis and Experian, and create online IDs that can be managed and controlled by the consumer.
Paul Blanchard from the American Association of Motor Vehicle Administrators (AAMVA) talked about the AAMVA Cross Sector Digital Identity Initiative Pilot, which will allow users to “level up” a Windows Live ID credential and use it to apply online for Virginia state services more securely. AAMVA plans two proof-of-concept phases and one pilot phase over the next two years.
The Resilient Network Systems Secure Health & Educational Systems Pilot will focus on identity ecosystems for two industries–healthcare and education–to provide “very high assurance authentication using public infrastructure and ubiquitous devices.” The healthcare pilot, Patient-Centric Coordination of Care, will enable multi-factor, on-demand identity proofing and authentication of patients, physicians, and staff, Resilient’s Jonathan Hare told attendees. The education pilot aims to coordinate interactions among parents, students, educational institutions, and media providers to address the online safety and security of children–all while staying compliant with the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).
State Identity Management
Chad Grant of the National Association of State Chief Information Officers (NASCIO) told attendees of the organization’s work to provide a standard, unified identity access and management framework for states to utilize and adopt. The framework, called State-Issued Identity Credentialing and Access Management Framework (SICAM), aims to tackle the “lack of trust within the state systems” by defining the programs, processes, technologies, and personnel needed to create trusted identities. The same day Grant spoke to conference attendees, NASCIO released a “call to action” for states to adopt the SICAM, embrace the principles of the NSTIC, and adopt interoperability and a federated approach to identity.
Mobile Credentialing and Security
Panelists in several mobile panels engaged in spirited debate over the ideal method to securely store identity credentials in devices. Options include an embedded secure element in the device, the UICC or SIM card, or an external MicroSD card. NIST’s Salvatore Francomacaro “likes the idea of the UICC” personally, citing people’s propensity to change devices often and noting that the UICC is “easy to move from one device to another.” Gemalto’s Neville Pattinson explored the merits of combining the UICC, which provides a tamper-proof container for credentials, with a standardized trusted execution environment in the mobile device, which enables credentials to be securely used with multiple apps. He posited this could effectively deliver high security while providing compatibility across the rapidly changing landscape of devices and operating system versions.
The Smart Card Alliance has an active cross-council project to draft guidance on supporting the PIV credential and application in mobile devices. The Identity, Access Control and Mobile and NFC Councils are all participating.
For more information on this project and other Smart Card Alliance activities, please contact the Alliance office via email at firstname.lastname@example.org or via telephone at (800) 556-6828.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.securetechalliance.org.