EIIP Virtual Forum Presentation — January 14, 2009

Emergency Response Official Credentials
A Smart Card Alliance White Paper

Salvatore D’Agostino
Secretary, Identity Council Steering Committee
Smart Card Alliance (SCA)
CEO, IDmachines

Amy Sebring
EIIP Moderator

The introduction, presentation, and closing parts of the transcript are prepared remarks and not necessarily verbatim. The Q&A portion is prepared from a transcription of the recording. The complete slide set (Adobe PDF) may be downloaded from http://www.emforum.org/vforum/SmartCard/ERO_sda_a.pdf for ease of printing.


[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone and Happy New Year! Welcome to EMforum.org and our first program for 2009. Today’s topic is "Emergency Response Official Credentials: A Smart Card Alliance White Paper."

Our topic is timely in that NIMS currently has a Guideline for the Credentialing of Personnel out for review and comment. Comments are due by January 21, a week from today. A copy of the guideline is also available as a handout. The related Federal Register notice and comment review form are also linked from today’s Background Page [http://www.emforum.org/vforum/090114.htm].

Also note the related poll on our homepage. "Any ID/credential system should be implemented at the: national, state, regional or local level." Please take time to participate by voting and review the results thus far.

Now it is my pleasure to introduce today’s guest speaker: Salvatore D’Agostino is Secretary of the Identity Council Steering Committee of the Smart Card Alliance (SCA), and principal author of the white paper that is our topic of discussion today.

The Identity Council is focused on promoting the need for technologies and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers

Sal is also CEO of IDmachines, Cambridge, MA and has helped provide DHS and FEMA with the initial first responder authentication credential (FRAC) system as well as many of the subsequent deployments and use of the FIPS 201 based FRAC.

Welcome Sal, and thank you for being with us today. I now turn the floor over to you to start us off please.

[Presentation]

[Slide 1]

Sal D’Agostino: The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance invests heavily in education on the appropriate uses of technology for identification, payment and other applications and strongly advocates the use of smart card technology in a way that protects privacy and enhances data security and integrity.

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart card technology, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America.

[Slide 2]

The Alliance is comprised of over 170 members worldwide, including participants from financial, government, enterprise, transportation, mobile telecommunications, healthcare, and retail industries. A mix of issuers and adopters of smart card technology work in concert with leading industry suppliers of the full range of products and services supporting the implementation of smart-card based systems for secure payments, identification, access, and mobile communications.

[Slide 3]

This Emergency Response Official White Paper is the joint effort of the Smart Card Alliance Identity and Physical Access Councils. In addition a number of people from the Department of Homeland Security also participated in the process as indicated on the slide. A number of other individuals from state and local government also contributed.

[Slide 4]

The white paper recommends the use of Federal Information Processing Standard 201 as the basis for a credentialing program. The reasons for this include the use of standards bases commercial off the shelf products, to leverage a multi-billion dollar US Government investment in identity assurance, to use a multi-purpose smart card technology and to follow the FEMA lead on how to obtain interoperability.

[Slide 5]

Why focus on identity? It turns out that this is something that is used every day and becomes particularly crucial on "the day". It needs to be easy to use, reliable and very robust. Simply it has to work under almost any circumstance. To be able to unequivocally answer: who are you, is clearly a good thing.

[Slides 6 and 7]

What is being set up?

FEMA is setting up an infrastructure to support the use of FIPS 201 based credentials in the National Capitol Region. It complements an existing DoD infrastructure in support of the Pentagon. This infrastructure is expected to be rolled out nationally. It provides a "dial tone" for the electronic validation of credentials. The system has been undergone years of testing and is in production.

[Slide 8]

So what does it do?

It basically answers two questions, who are you and what are you allowed to do. It does this in a manner that does not require any connections at the time the questions are being asked, it can use up to 4 factors of identification, checks to make sure the credential is not revoked and then displays the emergency support functions and/or national infrastructure protection plan sector that the individual is associated with at that time.

It’s important to note the division and sharing of responsibility in answering these questions. The Federal government has a standard and provides and infrastructure to determine if you are who you say you are. Local entities with responsibility for the employment and qualification of the responders are responsible for the issuance of the credential and assigning the privileges or attributes. These are then uploaded to FEMA, which makes them available via its infrastructure. Individual organizations then use this infrastructure to make access control decision, provide situational awareness, log activity, etc.

[Slide 9]

So if we turn to the credential, what is it?

The difference here is that the means of determining the credential is valid is based on cryptographically sound electronic authentication techniques. What this means is that the basis of the decision is primarily a digital one. Each of these credentials has the digital equivalent of a birth certificate (and other certificates) that is effectively unbreakable. A card reader is used to check the identity certificate, in combination with PIN, photo and fingerprint.

It is a multipurpose credential capable of a wide range of applications that we will get into.

I’d like to take a minute to go through the different groups of cardholders that will be getting FIPS 201 credential. The first are those covered by Homeland Security Presidential Directive 12 (HSPD-12). This applies to government employees and contractors. Technically these are the only credentials COMPLIANT with FIPS 201.

The next are the INTEROPERABLE credentials, these require the use of the same cryptographically sound technique and as importantly are issued to a process that allows TRUST of the issuer.

[Slide 10]

The trust anchor from a security (Public Key Infrastructure) perspective for these credentials is the Federal Bridge Certificate Authority. The other source of trust is that the sponsorship, enrollment, adjudication, production/personalization, activation is done absolutely according to agreed processes as defined in FIPS 201. Another webcast could be spent on the roles and responsibilities in this process, the Smart Card Alliance white paper and the FIPS 201 documents provide an excellent primer.

COMPATIBLE credentials simply match the technical specification; I could make them in my kitchen by following the specification. This means that they probably will work with all of the COTS products being developed, including Microsoft, Apple, Sun, Novell, Oracle, and Probaris and with many physical access control system vendors.

[Slides 11 and 12]

Here are two pictures, front and back of a FIPS 201 credential. It’s important to realize that the physical "token" of the identity credential can have many forms. Smart cards are the current means of deploying FIPS 201 in the US Federal government but a variety of form factors already exist, including options to use cell phones with multiple radios.

[Slides 13 and 14]

Again, this is a rigorous process. This drawing gives a good graphical representation of the process. Importantly as you go through sponsorship, enrollment, adjudication, production/personalization, activation and then finally use you need to have designated individuals, with qualifications and the work flow definitions to support them. FIPS 201 lays this out making it easy to comply, albeit at significantly more cost than current back office badging solutions. But with that you get security and interoperability enabling the local and wider enterprises.

[Slides 15 and 16]

To repeat, the benefit here is the ability to have strong authentication and high assurance. This is an essential building block and significantly better that the multiple ID types, flash passes and cryptographically unsound things used today. The goal is one credential that works across applications and the same security model for not only people but things.

How is it being used?

[Slide 17]

It is a physical access control credential used every day, e.g. building access, lockers, and parking

[Slide 18]

Materiel logistics, post-event reconstruction and liability issue assessment.

[Slide 19]

Emergency response gets immediate (20 second) access to high security zones and situational awareness related to the activity in that zone, and well as other reporting functions.

[Slide 20]

Among the categories of emergency response where security and interoperability are crucial are mutual aid and enduring constitutional government. In both these cases the FEMA and DoD infrastructure support this for FIPS 201 credentials.

[Slides 21 and 22]

So besides physical access and emergency response what can a FIPS 201 credential be used for?

Desktop and web site access, sign and encrypt email, again the use of PKI and digital certificates are part of most current operating systems. It can be used for transit and payments and other things depending on how the organization implements it.

[Slide 23]

DHS and FEMA are working to expand this in cooperation with the Federal Bridge, cross-certification exists for the bio-pharma industry via the SAFE-Bio Pharma bridge and the Certipath bridge for aerospace, credentialing for ports and airports (TWIC and ACIS) are also aligning with FIPS 201. This represents tens of millions of credentials that will be activated in the next several years.

[Slide 24]

State and local activity has spiraled out from the National Capitol Region. There is a particular emphasis on the Pentagon after 9-11 Northern Virginia was the first to issue the credentials in any significant quantity; they are now looking to expand this statewide. Other organization in the National Capitol Region are following suit and are in process with establishing or expanding their interoperable credential programs.

I turn you back to our Moderator.

Amy Sebring: Thank you very much Sal. Now, to proceed to our Q&A.

[Audience Questions & Answers]

Question:
Patrick McLaugh: Is this program for only the public side? Can the private side take advantage of the credentialing program? My audio is not working so I cannot hear the presentation. I work for a financial institution that wants credentialing for key employees.

Sal D’Agostino: The answer is yes. If you look at the National Infrastructure Protection Plan, there are 15 or 17 critical infrastructure components; finance is one of them. In the National Capital Region, there is a consortium called NCR First which, just as I was describing, SAFE Bio Pharma and the Certipath bridge for aerospace, there is a certain trust bridge that is being established among financial institutions. A lot of people are interested in having these things for their continuity of operations of critical infrastructure, and finance qualifies.

Not surprisingly, there is some information about the financial industry ISAC, which is their infrastructure security coordinating council. It’s pretty far along at looking at FIPS 201 for the financial sector, so I’d be glad to try to provide some of those specific references to Patrick if he’s interested. [See https://www.fsscc.org/fsscc/.]

Amy Sebring: And if I may add, that issue is specifically addressed in that NIMS draft guidance for credentialing, correct? You may want to refer to that as well.

Question:
John Bowman: 1) What do you see as the greatest barrier to widespread adoption of this approach? 2) Is the same approach being adopted in other countries?

Sal D’Agostino: Funding is the biggest issue. Because it’s infrastructure, it takes time. This is not the sort of thing that can be done here and there. So, the fact that it ends up being large scale, it’s not surprising that it takes awhile. If you look at all the communities of interest that are involved--emergency response and recovery and critical infrastructure, ports and airports and all the various programs--I think it covers most people. Because it’s that big, I think that’s one of the things that will cause it to be awhile and slow in getting there. But in the meantime, I think it’s finally taking off where over the next 5 years you’ll have tens of millions of these credentials. That is certainly some progress.

The digital certificates that are used in the FIPS 201 credential are basically the same being used in national ID programs around the world. In fact, outside the United States, there are hundreds of millions of people who have chip ID cards which are either their national ID or their national health card. RealID got a really hard time here in the U.S. so that we’re not nearly as far along there.

Question:
Melanie Hooks: What is the cost, and are organizations still going to have to verify medical credentials?

Sal D’Agostino: The cost is the cost of an identity credential. What it’s used for: whether it’s medical, whether it’s public safety, federal government or independent, the court. If you look at what the General Services Administration charges, (that’s the aggregated U.S. government program), it’s about $85 for the first year and then $36 every year after that, for this credential and all the additional certificates, and a good bit of the infrastructure that comes along with it. There’s a certain number of enrollment, etc. etc.

I also have the highway transportation worker identification credential. That cost $135 and it was good for 5 years. There are different price points out there for what a FIPS 201 interoperable level, compatible credential, but the credential itself is basically $100 and it lasts 3 to 5 years. Your paying maintenance on it for being able to use it and its related infrastructure, and that’s comparable to what it costs to produce these things for the population in other countries.

Amy Sebring: The second part of her question may have had to do with the credentialing process. Let’s say an individual has a medical credential such as an EMT or something like that.

Sal D’Agostino: In that sense, in that credential, what you’re doing is that you then are able to associate with that FIPS 201 credential what we would refer to as the attributes for your certification. Your privileges are your other credentialing certs. What we’re saying at this point is that you’re being thrown into a broad ESF category. The infrastructure that FEMA has put in place is in the process of defining beyond EMT what you are, at this time.

Question:
Shannon Strother: Has this expanded to include VOADs and truck drivers transporting emergency supplies during the initial emergency response?

Sal D’Agostino: The truck drivers should probably be covered by TWIC. If they’re not, that could be an option. In terms of volunteer organizations, this exact credential is also being looked at. At this point I’m not aware of any VOADs who have FIPS 201 credentials, but certainly some of the large ones are looking at it, as well as some of the natives and other groups that in reality could qualify for one of these. It certainly is applicable, but I don’t know of any that have done it yet.

Amy Sebring: Again I refer you to this NIMS draft credentialing guide because they do anticipate or suggest that VOADs should be included in this program.

Question:
Wally Miyasaki: Why is the cost for maintenance with the Federal Bridge so expensive ($40/50 a year per card). Do you see the cost being reduced in the future?

Sal D’Agostino: It’s basically the identity service, so rather than having to stand up the servers and other associated infrastructure to manage where you’re storing your background documents, your biometric information, issuance of your digital certificates, the keys that are associated with that--there’s a whole identity infrastructure which is essential in order to make this work--either you put in place all the servers and some things that are associated with that, or you can get a card which is produced by someone who already has that in place. Those people exist, whether it’s GSA or Transportation Security Administration, via their contract or whoever it may be.

The way that’s typically bought is by software. You can either buy it as a service on a year-by-year basis, or you end up buying it like it is regular software, where there’s an initial license of $100 and typically something around 20% maintenance for 24/7 support on these things. Believe me, you want that—it’s your identity. That’s where the pricing comes from. It is different; you may not be used to buying software to some extent. At the end of the day, really you’re buying software, not a Smart Card.

Amy Sebring: So the Federal Bridge is housed in GSA?

Sal D’Agostino: GSA FIPS 201 credential issuance infrastructure is cross-certified to the Federal Bridge, so there’s a Federal Bridge Certificate Authority which is the trust anchor for all the United States government cards, whether you’ve got a common access card with the Department of Defense, etc. There’s a certain cost that’s associated with maintaining that hardware infrastructure through an assurance level, with disaster recovery and all these things based in identity. And then, besides that, there’s a process associated with the enrollment officers, the adjudicators. These are people who individually have been vested with the storing of your identity documents, basically one time but very well, and locking it down then forever ordinarily. It’s not obvious when you work with a Smart Card.

Amy Sebring: That bridge is providing the capability for example, the transportation credential, to be recognized by other agencies and so forth?

Sal D’Agostino: You get that as a result of following that process. You can trust something which has been very carefully issued, bound to a cryptographically sound thing, and then locked down but also set up so that you can have disaster recovery. It’s easy to leverage it.

Question:

Kevin Reardon: Do you think that in states and locals to buy into this will be difficult?

Sal D’Agostino: Always because it’s new, to some extent, and always again because it’s big, because it covers all uses of credentials. If you look at what it does and what it costs, many state organizations are already spending this on identity ______. They’re running around with LCDs, one-time password devices, etc. What you will find if they look at it as an IT and security enterprise, is that this will save them money. It will save them money on shipping, on mailing, on administration, on insurance, on all sorts of fun things. There are a few states which are beginning to do it. A lot of states have implemented PKI, and have used it for a number of years and are now interested to know that they can use it for other things. I think it will be hard, but I don’t think it’s impossible.

Amy Sebring: Are you aware of any grant guidance that currently includes compliance with this?

Sal D’Agostino: The Responder Knowledge Base, which has been up for a long time, has got a lot of stuff related to this, but I don’t remember the URL. [See https://www.rkb.us/.]

To a certain extent there is guidance to use FIPS 201 for credentialing in federal grants certainly. The UASI funding for the National Capitol Region was used specifically for that so it’s relatively easy to go back and say "I want to get some of that."

Question:
BK: What are the three basic problems and use cases being addressed by a FRAC card?

Sal D’Agostino: Access control, getting into the Northern Virginia Transportation Center building, responding from that building to the Pentagon and getting past its security, and I guess a third would be the ability to then show up somewhere else in the country and establish the fact that you are a qualified transportation emergency responder. Quickly, these three.

Question:
Melanie Hooks: Will this expand to Medical Reserve Corps (MRC) or Emergency System for Advanced Registration of Volunteer Health Professionals [ESAR-VHP], being that these groups can be used as state assets?

Sal D’Agostino: A number of the DHS demonstrations that FEMA has been doing for years now has reached out and included, as an example, the ESAR-VHP community of states like Pennsylvania. And the Health Volunteer Corps are an ESF typing easily supported, has been demonstrated with this for some time now. And a number of the states are going forward and are looking at that as a driver in its use case.

Question:
John Smith: Are you familiar with or working with Paragon Technologies out of the D. C. area? They are currently working with DHS and King County Washington OEM on resource management and personnel credentialing.

Sal D’Agostino: I’m not specifically aware of what Paragon is doing in King County. What I am familiar with is the fact that there is the WHTI card, which is the Western Hemisphere Travel Initiative, which is slightly different. It’s not a FIPS 201 card; it’s a different kind of radio frequency card very much akin to what is used for electronic product code or sort of package tracking. That’s sort of being applied to people being tracked as packages going across the border. But I don’t know if that is a specific King County application. There are around the country a number of people who have issues--access control badges to first responders. Again there’s a difference between that and a FIPS 201 credential.

Question:
Dave Roop: Is any SWOT (strength, weaknesses, opportunity and threat) analysis available on using Smart Card identity system in emergency response?

Sal D’Agostino: The white paper sort of goes through that. If you look at the threats associated with a Smart Card, other than environmental which is the contact chip. If it works, that’s what NIST does, the National Institutes for Standards for Technology. They’ve got several special publications on computer assurance, information assurance, and identity assurance. This has been vetted by our nation’s experts and in fact, there are people that are using what I’ve described here today who don’t talk about it. This stuff has gone through that level of scrutiny and comment criteria, and all sorts of federal security standards. It’s well over that bar.

Question:
LaChelle LeVan: Can you explain a little about the revocation process and why this is so important for the emergency responders and incident response? What is the difference between this federal FIPS 201 revocation process and just carrying around a regular badge with the privileges on it?

Sal D’Agostino: That’s a great question. The difference is the FIPS 201 credential is not a flash pass. You can electronically validate whether or not that card is still good. And as LaChelle pointed out, it’s because the revocation, the status of that credential is public information. It’s part of that cloud that I showed, but anybody who is issued a credential which uses a certificate of authority cross-certified by the Federal Bridge, in the place where they’re very careful about keeping this information, one of the basic things that they share is if the card is still good. That information can be distributed so that it is available almost anywhere. There are ways of compressing that information and making it random, so to speak, so that no one can use it, but yet at the same time being able to tell that that card is good.

It doesn’t matter who is looking at it. If they have the authority to start and use a device that can accept that card, they can make that decision. It’s very different from other credentials, including access control badges, which unfortunately haven’t gone through the rigor of making something that can’t be copied. A lot of cards have been cloned and can be cloned, which are of generations earlier than this Smart Card technology. This is on the other side of that, I imagine.

If you can’t clone it and you know whether or not it’s good or bad, and that person in front of you can show you, either through a PIN or a fingerprint or a facial image, that it’s you, you can trust it and it’s very, very different than previous generation of badges. I call them badges very specifically because they’re different from credentials.

Amy Sebring: When you refer to public information, Sal, you are talking within some constraints of privacy for personally identifiable information?

Sal D’Agostino: That’s the beauty of it that the revocation information contains no personal identity information. It’s simply the status of whether a credential is still good or bad. There’s no negative to making that information known, from a security perspective, from a privacy perspective. Getting out the fact that a person’s credential has been lost or stolen or suspended or revoked is just a really good thing that everybody agrees to. And that just takes place as a result of taking this approach.

[Closing]

Amy Sebring: Time to wrap for today. Thank you very much Sal for an excellent job. Please stand by just a moment while we make a couple of quick announcements...

Again, the recording should be available later today and the transcript on Friday. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page to Subscribe.

Don't forget to vote in our poll, and PLEASE take a moment to do the rating/review! Note: We are asking you to rate the relevance of the information, and this will assist our future visitors.

Please join us next time, January 28th when the current Chair of the National Emergency Management Association, (NEMA) will be with us to observe the 35th anniversary of that organization.

Thanks to everyone for participating today. We stand adjourned.

[Note: Mr. D'Agostino may be reached at sal@idmachines.com . He would be happy to get people in touch with their counterparts, in State, Local, Critical Infrastructure, Emergency Response and Federal government if they are interested in follow up or more details. He would also be happy to answer any additional questions that we didn’t get to.]