FIPS201 Implementation: The Work Is Just Beginning - PowerPoint PPT Presentation

Slides: 13
Provided by: Matthe168

Transcript and Presenter's Notes

1
FIPS-201 Implementation: The Work Is Just Beginning
  • Judith Spencer, Chair, Federal Identity Credentialing
  • April 15, 2005

2
FIPS-201 Phased Implementation Approach
  • Agency Plans due to OMB June 25, 2005
  • Current Capability
  • Meeting PIV-1
  • Self-Assertion
  • Milestones/Timelines for Meeting PIV-2
  • Identify additional areas of consideration
    August 25, 2005
  • What outside Federal facilities and networks
    needs to comply with HSPD-12
  • Comply with PIV-1 October 25, 2005
  • Meet Control Objectives of HSPD-12

3
FIPS-201 Phased-Implementation Approach
(continued)
  • Part I Common Identification and Security
    Requirements - October 27, 2005
  • HSPD 12 Control Objectives
  • Identity Proofing Requirements
  • Agency Self-Assertion
  • Migration Timeframe (i.e., Phase I to II)
  • Full implementation of FIPS-201 begun
  • FIPS-compliant Smart Cards, PKI, etc.
  • Part II Common Interoperability Requirements
  • Fully compliant with FIPS-201, SP800-73, SP800-77
  • Agency timeframe recommendation

4
The Identity Management Handbook
  • Released March 11, 2005
  • Provides information and resources for agency
    implementation
  • Provides a guide for completing OMB-required
    Implementation Plan
  • Establishes a government-wide acquisition
    strategy
  • Describes best practices/lessons learned
  • Offers evolutionary/migration advice

5
Roadmap to Success
  • Understand HSPD-12 and FIPS 201 requirements
  • Review OMB's guidance
  • Review requirements for completing the HSPD-12
    Agency Plan
  • Understand your agency's current policies for
    Physical Access Control, Logical Access Control,
    Graduated Security Criteria and Information
    Privacy.
  • Involve the primary Agency Stakeholders in the
    process.

6
Roadmap (continued)
  • Establish list of objectives your agency wants to
    achieve while meeting the directive.
  • Develop an initial list of requirements for the
    project
  • Analyze budget requirements and funding sources
  • Compare the agency's current identity proofing to
    the compliance requirements to meet FIPS-201 Part
    1
  • including registration, issuance, and maintenance
    process
  • identify gaps and add these to the plan.

7
Stakeholders
  • Chief Information Officer: Logical Access
  • Chief Human Resources Officer: Identity Proofing
  • Head of Building Security: Physical Access
  • Chief Financial Officer: All
  • Chief Privacy Officer: All

8
Implementing PKI in accordance with FIPS-201
  • X.509 Certificate Policy for the Federal Common
    Policy Framework
  • Provides minimum requirements for Federal agency
    implementation of PKI
  • Certified PKI Shared Service Provider Program
  • Evaluates services against the Common Policy
    Framework
  • Conducts Operational Capabilities Demonstrations
  • Populates Certified Provider List with service
    providers who meet published criteria
  • Agencies must buy PKI services from certified
    providers
  • Federal Agencies cross-certified with FBCA at
    Medium or High Assurance meet the requirements of
    the Common Policy Framework

9
Acquiring FIPS-201 Compliant Smart Card Systems
  • Government Smart Access Card Contract
  • Ensure SP800-73 compliance
  • Smart Card program implementation
  • GSA Schedules
  • Develop Special Item Number under Schedule 70
  • Public Key Technology
  • NIST will publish FIPS-201 Conformance Test
    Suites by mid-summer.
  • Successful product conformance testing will be
    required for smart cards, middleware, and ancillary
    devices.
  • Align and execute aggregated buys to maximize
    efficiencies.

10
GSA Acquisition Program
  • Government Smart Access Card Contract
  • Ensure SP800-73 compliance
  • Smart Card program implementation
  • GSA Schedules
  • Develop Special Item Number under Schedule 70
  • Public Key Technology
  • Align administration of service lines in a
    consolidated program management office for
    authentication.
  • Provide common, viable acquisition approach for
    current and new service and products.
  • Align and execute aggregated buys to maximize
    efficiencies.

11
Wrap Up

12
For More Information
  • Visit our Website
  • www.cio.gov/ficc
  • Or contact me
  • Judith Spencer
  • judith.spencer_at_gsa.gov