VA Public Key Infrastructure - PowerPoint PPT Presentation

Provided by: danmaloney

1
VA Public Key Infrastructure
  • Presented by
    Booker Bailey, Kitty Koepping, Suzette Holston,
    Dan Maloney & Fred Catoe.

2
Today you'll learn
  • Basic PKI Concepts
  • Background of VAPKI
  • Status of VAPKI
  • Identity Proofing/Role of LRA
  • Federal Government PKI
  • How VA is Using PKI
  • Future of PKI in VA
  • VA PKI Web Site: http://www.va.gov/vapki.htm
  • This presentation can be found at
    http://vaww.va.gov/proj/vapki/documents.htm

3
Business Issues (1)
  • How do I ensure that an electronic mail message I
    send or receive was not changed as it moved
    across the Network (VA WAN or Internet)?
  • When receiving electronic mail from the Internet,
    how do I know who sent this message?
  • Who verifies the sender is really who they say
    they are?
  • How can I make my electronic mail message
    readable only by the intended recipient?

4
Business Issues (2)
  • How can we strengthen the authentication process
    (something you know, have, are)?
  • How can we create a standard way to control
    access to systems such as Web Servers?
  • How do I know that I am communicating with the
    proper system?
  • How can I be assured that the programming code I
    just received came from the stated source and has
    not been modified?

5
Basic PKI Concepts
  • PKI Defined
  • Combination of hardware, software, policies and
    procedures
  • Framework for Public Key Cryptography
  • Asymmetric Key Pair
  • Digital Signature
  • Authentication
  • Encryption

6
Basic PKI Concepts
  • PKI Provides
  • Strong Authentication
  • Data Integrity
  • Confidentiality
  • Non-Repudiation

7
PKI - BASIC PRINCIPLES
  • A pair of related keys as opposed to a single key
  • When either key encrypts, the other key decrypts
  • The private key is closely guarded and never
    given out - PROTECT YOUR PRIVATE KEY
  • The public key and who it belongs to are publicly
    available

8
VAPKI Background
  • Established in Fiscal Year 1999
  • Departmentally Managed and Funded
  • VA CIO Council
  • VA Cyber Security Working Group
  • VA Office of Cyber Security
  • Industry Partners
  • Cygnacom Solutions, Inc.
  • VeriSign

9
VAPKI Background
  • Outsourced Certificate Authority
  • Subscriber Certificates
  • Signature
  • Encryption
  • Secure Socket Layer (SSL) for VA Servers
  • VAPKI Help Desk -- (703)-848-2898 or
    (vapkihelp_at_cygnacom.com)
  • VAPKI Website: http://www.va.gov/vapki.htm

10
VAPKI Status
  • VA Directive 6213, VA Public Key Infrastructure
    Signed 6/14/2001
  • VAPKI Certificate Policy in Departmental
    Concurrence 6/20/2001
  • VAPKI Subscriber Pre-approved Database
    Installed 6/10/2001 allowing one step application
    and certificate pick up

11
VAPKI Status
  • VeriSign Onsite Enterprise Edition Installed
    6/11/2001
  • VA Staff receive digital signature certificate
    and encryption certificate
  • Encryption key is escrowed
  • Partners receive one multi-purpose certificate
  • VAPKI Local Registration Authority Documentation
    and Training expanded this year
  • Direct Directory Lookup functionality available
    online using LDAP

12
VAPKI Status
  • VPN service using VA PKI-issued certificates
    being established
  • 34 LRAs total
  • LRAs representing all agencies of the VA
  • Over 1200 registered users
  • Issuing VA PKI certificates to VA Partners

13
Total VA PKI Registrations

14
Identity Proofing
  • Positive Identification of PKI Applicants
  • Cornerstone of PKI Integrity
  • VAPKI Requires Face-to-Face ID
  • Compromise Abolishes PKI Trust

15
Role of the Local Registration Authority (LRA)
  • Maintain Integrity of VAPKI Certificate Policy
  • Positively Identify VAPKI Applicants and Issue
    PINs
  • Maintain Subscriber Database for Facility
  • Initiate Certificate Revocation and Recovery

16
Federal Government PKI
  • Federal PKI Steering Committee (FPKISC)
  • Chaired by the General Services Administration
    (GSA)
  • Representation from Civilian and Military
    Agencies
  • Bridging Governments Internationally and at the
    State Level
  • VA Involved Since 1998

17
Federal Government PKI
  • FPKISC Subcommittees
  • Health Care Working Group
  • Business Working Group
  • Technical Working Group
  • Legal and Policy Working Group
  • VA received funds with SSA to support interagency
    PKI project
  • Federal Bridge Certificate Authority (FBCA)
  • Managed by FPKISC and GSA
  • Creates trust paths among individual Agency PKIs
  • Employs a distributed model
  • Bridges the gap among dissimilar PKI products

18
Federal Government PKI
  • FBCA (Continued)
  • Open and Ready for Business
  • VeriSign will Cross-Certify with FBCA
  • Federal PKI Policy Authority
  • Manage Federal Bridge Certificate Authority
    Certificate Policy
  • Chaired by Treasury
  • Voting Members are OMB, GSA, Treasury, DoD,
    Justice and State
  • VA will become voting member once cross-certified
    with FBCA

19
Federal Government PKI
  • Access Certificates for Electronic Services
    (ACES)
  • Provides signature certificates for public
  • Creates PKI for Government Paperwork Elimination
    Act (GPEA) Candidate Applications
  • Administered by GSA
  • Industry Partners are
  • AT&T
  • Digital Signature Trust (DST)
  • Operational Research Consultants (ORC)

20
How VA is Using PKI
  • VAPKI for Secure Electronic Mail
  • Digitally Signed Messages
  • Encrypted for Recipient Only (e.g., for
    transmittal of sensitive patient data)
  • Disaster Emergency Management Program (DEMPS)
  • First VA application PKI-enabled
  • Web-based application PKI-enabled for
    authentication and authorization
  • Testing with VPN software vendors for VA
    deployment

21
How VA is Using PKI
  • VAPKI and VA's Computer Incident Response
    Capability (VACIRC)
  • Currently Digitally Signed Bulletins and Alerts
  • Future Testing of Encrypted Alerts
  • VA/SSA Medical Evidence Exchange
  • VA Express Smart Card for veterans through ACES

22
Secure Exchange of Medical Evidence with SSA
  • Issue - how to minimize the time needed for
    Social Security Administration to receive medical
    evidence from VA for a benefits claim
  • Major privacy, integrity, and confidentiality
    requirements
  • Solution in pilot to minimize paper
  • Use standardized extracts from VA Medical
    automation systems
  • Return using encrypted electronic mail messages

23
Secure Exchange of Medical Evidence with SSA
  • Pilot at Jackson and Biloxi Mississippi VAMCs
  • Evaluation period ended September, 2001, but
    VAMCs are still using the new process
  • Reduced turnaround time from 30 days to 4 days
  • Additional features and sites to be added this
    year
  • Partially funded by the Federal PKI Steering
    Committee

24
VA/SSA Secure Email - Workstation VistA Data Extract Delivery Flow
[Diagram labels: VistA Data Capture; VistA; Network Drive]

Step 1) Create VistA Data Attachment
  1. Open VistA. Use Health Summary
  2. Initiate Data Capture in terminal emulator
     software with Incoming Data command
  3. Store the file on the network drive and close
     the data capture process

Step 2) Create Email with Data File Attachment
  4. Within Outlook, create a new email including
     the VistA data capture file as an attachment
  5. Apply encryption for message contents and
     attachments and send email to Social Security
     Administration
  6. Delete all VistA data capture files that have
     been saved to the network drive. Files will be
     automatically deleted daily by the system if not
     deleted manually.

25
Prescriptions for Controlled Substances
  • Issue - Electronic prescriptions are allowed by
    Drug Enforcement Administration (DEA) for
    non-controlled substances. DEA approached VA to
    help pilot the use of strong technical controls
    like PKI with prescriptions for controlled
    substances
  • Based upon the results, DEA will consider
    revising existing regulations
  • Major authentication, integrity, non-repudiation,
    privacy and confidentiality requirements
  • Proposed solution to be piloted is to use PKI and
    smart cards
  • Requires major review and adaptation of existing
    VA Medical Automation Systems
  • VistA in programming and development stage

26
Future of PKI in VA
  • Will PKI get beyond a Pilot status?
  • Will PKI ever be considered an emerging
    technology?
  • PKI is a technology of the future and always
    will be
  • Who will pay for this program?

27
Why PKI?
  • Restrict access to VA resources to only
    authorized users (authentication)
  • Protect data against modification (integrity)
  • Prevent unauthorized disclosure
    (confidentiality)
  • Comply with Federal and VA Mandates (HIPAA, GPEA,
    OMB Circular A-130, E-Sign Act)

28
Current PKI Status/Resources
  • VA PKI Working Group Identifying New Business
    Needs for PKI
  • PKI Contract extended for One Year
  • Purchased approximately 3,000 certificates
  • Help desk available to support users
  • Contractor support for VA PKI project

29
Exploding PKI Requirements
  • Growing need for PKI
  • Additional requests for using PKI
  • VISNs
  • Office of General Counsel (OGC)
  • Contracts
  • Inspector General (IG)
  • Remote/VPN Users
  • Information Security Officers (ISOs)
  • Computer Incident Response Capability (CIRC)

30
PKI Future Plans
  • Expand PKI to VA Wide System
  • Issue certificates to remote users/VPN
  • Issue PKI certificates on Smart Cards for secure
    key storage
  • Issue certificates to devices for device
    authentication/IPSec
  • Enable VA's applications to use VA PKI
    certificates for authentication

31
What's Required for Success?
  • Formal Acquisition Process
  • PKI Program going through a formal acquisition
    process in order to obtain necessary funding for
    a VA Wide PKI
  • VA Wide Support
  • As VA organizations identify a need for PKI, the
    program can expand accordingly

32
For Questions Contact
  • Fred Catoe, VA Office of Cyber Security,
    fred.catoe_at_mail.va.gov, 202.273.8122
  • VA PKI Web Sites: http://www.va.gov/vapki.htm
    (Internet), http://vaww.va.gov/vapki.htm (Intranet)
  • Help Desk: vapkihelp_at_cygnacom.com, 703 848-2898
  • Luigi Tenore, Veterans Benefits Administration-VACO,
    irmlteno_at_vba.va.gov, 202.273.7012
  • Suzette Holston, VHA OI, HISS,
    suzette.holston_at_med.va.gov, 785-350-4546
  • Dan Maloney, VHA OI, Director of Emerging Technologies,
    daniel.maloney_at_med.va.gov, 301.734.0107
  • Kitty Koepping, NCA,
    kitty.koepping_at_mail.va.gov, (202) 273-5204