Email this Article Email   

CHIPS Articles: Identity Management Operations to Improve Cybersecurity

Identity Management Operations to Improve Cybersecurity
By Sonya Smith - January-March 2010
The December 2008 report written by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, "Securing Cyberspace for the 44th Presidency," began with one central finding: "The United States must treat cybersecurity as one of the most important security challenges it faces."

The report went on to state, "Creating the ability to know reliably what person or device is sending a particular data stream in cyberspace must be part of an effective cybersecurity strategy." The report urged the government to accelerate the adoption of identity authentication.

The administration's Cyberspace Policy Review, released in April 2009, stated very clearly that: "We cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people."

The National Security Telecommunications Advisory Committee's "Report to the President on Identity Management Strategy" of May 2009 states: "… this lack of trusted identification enables harmful and/or malicious activity and diminishes national security/emergency preparedness capabilities, endangering national and homeland security as well as individual privacy and security."

The Department of Defense understands the magnitude of the threat we face in cyberspace. The threat is advanced, persistent and constantly changing. In addition, the increasing popularity of collaborative Web applications, such as blogs, social networks, podcasts and wikis, and mobile devices, has brought a new set of challenges to cybersecurity.

There is a clear appreciation of the relationship between cybersecurity and identity management; we must be able to authenticate entities, as either human or nonhuman, with DoD resources and then be able to manage access privileges.

A major vulnerability on DoD networks is the use of usernames and passwords. Therefore, the DoD has increased assurance of user authentication by replacing the requirement for usernames and passwords with the DoD Common Access Card (CAC) and associated public key infrastructure (PKI) to cryptographically logon to DoD unclassified networks. This effort is now being extended to the classified network as well.

The DoD has seen the benefits of this effort. Retired Air Force Lt. Gen. Charles Croom, when director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations, said in January 2007 that successful intrusions to DoD unclassified networks had declined 46 percent due to CAC use. The DoD is now also requiring PKI-based user authentication to access the majority of its private Websites.

Those same PKI certificates are being used to encrypt personally identifiable information (PII) and sensitive information to ensure its confidentiality while in transit. Digital signatures, also using PKI, provide nonrepudiation services, enabling a higher level of assurance that the e-mail users receive is authentic. Digital signatures also help thwart e-mail spoofing attempts. In the Department of the Navy (DON), these protections are being extended to mobile personal electronic devices such as BlackBerrys.

Identity management initiatives utilizing the CAC with PKI certificates have changed the way the Defense Department does business. But, as with all things, there is always room for improvement. The use of Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standards-201 (FIPS-201) are mandatory across the federal government and provide a common language and standard to improve identity assurance.

The CAC is the DoD’s vehicle to HSPD¬12 compliance, and improvements are being made to the CAC to comply with FIPS-201. These include making the card/ token itself more resistant to tampering and counterfeiting, meeting interopera¬bility requirements, improving the vetting process before card issuance to ensure the applicant’s eligibility and uniqueness within the database, and the addition of biometrics to the CAC.

The CAC improvements to comply with the FIPS-201 standard are helping to raise the confidence level within the CAC infrastructure. Issuance is the critical point of identity management and because of the FIPS-201, DoD now requires:
• an individual’s eligibility for a CAC;
• verification of DoD affiliation from an authoritative data source instead of a paper form;
• completion of the FIPS-201 required background check; and
• verification of a claimed identity per FIPS-201.

The enterprise authentication solutions for cybersecurity are currently PKI-based. The DoD has deployed a significant num¬ber of “next-generation CACs,” or CACs that are being used as part of the HSPD-12 transition.

As part of the transition, some biomet¬rics information is being stored on the next-generation CACs. At a minimum, the fingerprints information on the CAC could be utilized as a stronger form of multifac¬tor authentication.

The focus of identity management must build on successes to date and move forward to a more all-encompass¬ing approach to include meeting the re¬quirements of interoperating with other HSPD-12 compliant federal credentials and securely sharing information with other mission partners.

The new CAC contains advanced tech¬nology that will enhance the security of federally controlled facilities and com¬puter systems and ensure a safer work en¬vironment for all federal employees and contractors.

Out with the old. In with the smart.

For more information about the Defense Department’s next-generation Common Access Card, go to the CAC Web site at www.cac.mil or the DON CIO Web site at www.doncio.navy.mil.

Sonya Smith is the deputy director of the DON CIO cybersecurity and critical infrastructure team.

The DoD is proud to be among the first government agencies to issue the HSPD-12 compliant federal credential — the next-generation CAC.

The gold standard of advanced identification.
This initiative is part of an ongoing effort to provide government personnel with the most secure and reliable forms of identification possible. The next-generation CAC repre¬sents significant strides in contactless technology and heralds a critical step in the evolu¬tion of personnel and national security.
• The next-generation CAC is more sophisticated:
• Increased data storage and memory capacity
• Integrated circuit chips, magnetic stripe, bar codes and contactless capability

DoD’s solution to the new federal credential The next-generation CAC is safer than ever:
• Used for identification purposes when entering federal buildings and controlled spaces
• Improved vetting and background check requirements
• Meets or exceeds requirements of all applicable privacy laws
• Electronic authentication to gain physical and logical access improves security
• The next-generation CAC can be used with complete confidence to:
-- Log on securely to DoD networks, systems and Web sites
-- Access public key infrastructure (PKI)-compliant systems
-- Encrypt and electronically “sign” e-mails and documents

Whether you are getting a CAC for the first time or renewing your current CAC, the same process is required for the next-generation CAC. Please note that you do not need to replace your CAC until your current card expires.

Renew your CAC in three easy steps.

1. Meet all Defense Enrollment Eligibility Reporting System (DEERS) requirements. To receive a next-generation CAC, all eligible personnel must be entered into DEERS. To establish a DEERS record, all personnel must undergo proper identity vetting.

A next-generation CAC can only be issued once:
• A Federal Bureau of Investigation (FBI) fingerprints check has been completed and approved
• A National Agency Check with Inquiries (NACI)* background security check is in the process of being completed
*Note: Since the NACI process can take up to 18 months, an individual may be issued a CAC before the process is completed. However, if the NACI process is completed and a person does not get “cleared,” his or her CAC will then be revoked.

2. Meet all Real-Time Automated Personnel Identification System (RAPIDS) requirements. Required RAPIDS documentation and information for active duty military personnel, Selected Re¬serve, DoD civilian employees, eligible contractor personnel, eligible federal personnel, and other DoD-sponsored eligible populations:
• Two Forms of ID. Both IDs must be among those listed on the I-9 Form (available from www.cac.mil). One must bear a photo (e.g., passport, driver’s license). A current/unexpired CAC is considered a valid form of ID
• A six (6) to eight (8) digit number to use as a personal identification number (PIN). All per¬sonnel will be asked to create a PIN that can be easily remembered. Please do not use easily traced numbers such as part of your Social Security number (SSN), birthday, anniversary date, telephone number or address.

3. Visit any of the 1,500+ RAPIDS centers worldwide to obtain your next-generation CAC.

Remember, you will only receive a CAC, if your DEERS account is vetted AND you have all required documentation and information. To locate a RAPIDS center near you, please visit the RAPIDS site locator at www.dmdc.osd.mil/rsl/owa/home.

Note: If you encounter a problem obtaining your next-generation card at the RAPIDS center, and the problem is related to vetting, please follow up with your personnel security representative to update your DEERS profile.

The Defense Department is making a number of improvements to the Common Access Card to enhance identity authentication and physical and network security.
The Defense Department is making a number of improvements to the Common Access Card to enhance identity authentication and physical and network security.
Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer