Enterprise PACS Best Practices

Enterprise PACS Best Practices. J’son Tyson & Will Morrison, Co-Chairs, ICAMSC Modernized Physical Access Working Group (MPAWG). June 18, 2013. Agenda: Review Evolution of PIV and PACS; Discuss PACS-enabled Authentication Mechanisms; Identify the PACS in EPACS Requirements.

Presentation Transcript


  1. Enterprise PACS Best Practices J’son Tyson & Will Morrison Co-Chair, ICAMSC Modernized Physical Access Working Group (MPAWG) June 18, 2013

  2. Agenda
  • Review Evolution of PIV and PACS
  • Discuss PACS-enabled Authentication Mechanisms
  • Identify the PACS in EPACS Requirements
  • Review the MPAWG and get involved!

  3. Evolution of PIV and PACS
  Homeland Security Presidential Directive 12 (HSPD-12) was issued August 27, 2004 to create a common identification standard for federal employees and contractors accessing federally-controlled facilities and federal information systems. HSPD-12 aimed to:
  • Enhance security
  • Increase Federal Government efficiency
  • Reduce identity fraud
  • Create a government-wide standard for secure and reliable forms of identification

  4. Evolution of PIV and PACS (timeline)
  • HSPD-12, August 2004
  • FIPS 201, February 2005
  • M-05-24, August 2005
  • FIPS 201-1, March 2006
  • SP 800-116, November 2008
  • FICAM Roadmap & Implementation Guidance v1.0, November 2009
  • M-11-11, February 2011
  • FICAM Roadmap & Implementation Guidance v2.0, December 2011 (including Chapter 10: Modernized PACS)
  • FIPS 201-2, anticipated 2013
  • ICAMSC PIV in EPACS Guidance (update to federated PACS Guidance), anticipated 2013

  5. Evolution of PIV and PACS
  What is next for the PACS world? Federal Information Processing Standards Publication 201-2 (FIPS 201-2), anticipated:
  • Nexus for updating NIST SP 800-116
  • Deprecates use of CHUID as an authentication mechanism (low)
  • CAK becomes mandatory
  • Imposes use of PKI-AUTH (PAK) or CAK for token authentication

  6. PACS-enabled Authentication Mechanisms
  • An agency PACS cannot be considered PIV-enabled if it is not leveraging the authentication mechanisms in accordance with the guidance in SP 800-116.
  • Federal Agency Smart Credential Number (FASC-N): a fixed-length (75-bit) data object; the primary identifier on the PIV Card for physical access control.
  • FASC-N Identifier: a subset of the FASC-N, it is a unique identifier. For full interoperability, a PACS must at a minimum be able to distinguish fourteen digits (i.e., a combination of an Agency Code, System Code, and Credential Number) when matching FASC-N based credentials to enrolled card holders.
  • Cardholder Unique Identifier (CHUID): an authentication mechanism that is implemented by transmission of the data object from the PIV Card to the PACS.
  Source: NIST SP 800-116
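As an added example (not from the presentation or the MPAWG), the Python below builds and parses a 200-bit BCD-encoded FASC-N using the field layout from NIST SP 800-73 / TIG SCEPACS, checks per-character parity and the LRC, and extracts the 14-digit Agency Code + System Code + Credential Number identifier that SP 800-116 says a PACS must at minimum distinguish. The bit-level encoding (4 BCD bits LSB-first plus one odd-parity bit per character, LRC as the XOR of all data nibbles) is my reading of that specification, and all card values are constructed.

```python
# Added example, not from the presentation. Builds/parses a 200-bit BCD FASC-N
# (40 five-bit characters, layout per NIST SP 800-73 / TIG SCEPACS) and derives
# the 14-digit identifier SP 800-116 says a PACS must at minimum distinguish.
from functools import reduce
from operator import xor
SS, FS, ES = 0xB, 0xD, 0xF   # start sentinel, field separator, end sentinel
# Layout: SS AC(4) FS SC(4) FS CN(6) FS CS FS ICI FS PI(10) OC OI(4) POA ES LRC
LAYOUT = [("AC", 4), ("SC", 4), ("CN", 6), ("CS", 1), ("ICI", 1),
          ("PI", 10), ("OC", 1), ("OI", 4), ("POA", 1)]
SEP_AFTER = {"AC", "SC", "CN", "CS", "ICI"}   # fields followed by an FS

def _char(v):
    """One 5-bit character: 4 BCD bits LSB first, then an odd-parity bit (assumed)."""
    bits = [(v >> i) & 1 for i in range(4)]
    return bits + [1 - sum(bits) % 2]

def encode_fascn(fields):
    """Return the 200-bit FASC-N as a '0'/'1' string (constructed card data)."""
    chars = [SS]
    for name, width in LAYOUT:
        chars += [int(d) for d in fields[name].zfill(width)]
        if name in SEP_AFTER:
            chars.append(FS)
    chars.append(ES)
    chars.append(reduce(xor, chars))          # LRC = XOR of all nibbles through ES
    return "".join("".join(map(str, _char(c))) for c in chars)

def decode_fascn(bits):
    """Parse 200 bits into fields; return None on any parity/sentinel/LRC error."""
    if len(bits) != 200:
        return None
    vals = []
    for i in range(0, 200, 5):
        g = [int(b) for b in bits[i:i + 5]]
        if sum(g) % 2 == 0:                   # every character must have odd parity
            return None
        vals.append(sum(b << k for k, b in enumerate(g[:4])))
    if vals[0] != SS or vals[-2] != ES or vals[-1] != reduce(xor, vals[:-1]):
        return None
    out, pos = {}, 1
    for name, width in LAYOUT:
        out[name] = "".join(str(v) for v in vals[pos:pos + width])
        pos += width
        if name in SEP_AFTER:
            if vals[pos] != FS:
                return None
            pos += 1
    return out

def pacs_identifier(fields):
    """AC + SC + CN: the 14 digits a PACS must match on, not the 6-digit CN alone."""
    return fields["AC"] + fields["SC"] + fields["CN"]
```

Two cards from different agencies can share a Credential Number, so a PACS that enrolls or matches on CN alone will conflate them; matching on the full 14-digit identifier keeps them distinct.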

  7. PACS-enabled Authentication Mechanisms
  • Card Authentication Key (CAK) [‘keyk’]: defined in NIST SP 800-73; an authentication mechanism that is implemented by a key challenge/response protocol.
  • Public Key Infrastructure (PKI): defined in the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA); a set of policies, processes, server platforms, software, and workstations used for administering certificates and public/private key pairs, including the ability to issue, maintain, and revoke public key certificates.
  • PKI-PIV Authentication Key (PKI-AUTH or PAK): defined in FIPS 201-2; a PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV authentication key of the PIV card and a contact reader.

  8. Discussion Items
  • How is your agency planning to accommodate potential PACS-related changes (i.e., FIPS 201-2, NIST SP 800-116-1, etc.)?
  • Is your agency facing challenges around use of PKI-AUTH or CAK for token authentication and, if so, what types of challenges?

  9. PACS-enabled Authentication Mechanisms
  What are the Challenge Factors?
  • Something you Have, e.g., PIV or PIV-I Card (Challenge/Response)
  • Something you Know, e.g., PIN (to unlock card)
  • Something you Are, e.g., Biometrics (fingerprint, iris)

  10. PACS-enabled Authentication Mechanisms Source: NIST SP 800-116

  11. PACS-enabled Authentication Mechanisms (table; legend: CL? = Authentication Mode is available on the contactless interface; INT? = Authentication Mode is interoperable across cards from other PIV issuers)

  12. PACS-enabled Authentication Mechanisms (table; legend: CL? = Authentication Mode is available on the contactless interface; INT? = Authentication Mode is interoperable across cards from other PIV issuers)

  13. PIV in EPACS
  PACS will need to:
  • Provision or register the PIV Authentication Key (PKI-AUTH / PAK) or Card Authentication Cert (CAK), OR
  • Provision or register a PKI credential derived from PAK/CAK, AND
  • Electronically validate the PKI certificate
  • Validate/challenge the private key of the registered PIV/PKI certificate

  14. Discussion Items
  • What steps is your agency taking to implement an enterprise PACS?

  15. MPAWG Overview

  16. MPAWG Docket

  17. Discussion Items
  • In what areas does your agency need more guidance to support implementation of an enterprise PACS?
  • What approaches or “best practices” to implementing an enterprise PACS have successfully worked for your agency?
  • What advice or “lessons learned” would you give to other agencies in the initial stages of implementing an enterprise PACS?

  18. Get Involved in the MPAWG
  • Will Morrison, FAA: William.Morrison@faa.gov
  • J’son Tyson, FEMA: J'son.Tyson@fema.dhs.gov

  19. Challenge Factors
  • Grayed areas do not appear in NIST SP 800-116
  • Low assurance factors indicate no cryptographic verification
  • The CAK may be a symmetric or asymmetric key
