DOE Lab Directors’ System of Labs Computing Coordinating Committee (SLCCC)
HSPD-12 Implementation
Roy Whitney, June 9, 2005
Background
• HSPD-12, via NIST FIPS 201, requires deployment of a biometric Personal Identity Verification (PIV) system for controlling physical and computer access to Federally-controlled facilities and information systems.
• Acquiring a full-scale PIV card requires many assurances, including (1) a National Agency Check with Written Inquiries, (2) an in-person visit before the issuance of a card, and (3) a valid State or Federal picture ID.
• DOE has the authority and responsibility to determine the degree of applicability and implementation of HSPD-12 to all of its varied facilities.
SLAC Concerns with Implementation
• The diversity of facilities within the DOE mission has not been taken into account in the directive, leaving ambiguity in the interpretation of HSPD-12.
• The large international user/research communities do not fit with some standard implementations under discussion.
• Depending on DOE’s choices, HSPD-12 could be disruptive to the mission and expensive, with a negative ROI.
Look ahead: DOE can choose a mission-friendly, low-impact, low-cost graded approach.
[Lab photos: JLab, PPPL, BNL, Ames]
Desired Implementation Concept
• Work within HSPD-12, NIST FIPS 201, and guidance from OMB and GSA.
• Put the highest priority on achieving the DOE mission.
• Consider the diversity of facilities with their tens of thousands of users, guests, and visitors.
• Include the need for remote access, remote access by foreign nationals, etc., that are critical to the DOE mission.
• Go for a positive ROI.
• Integrate security and safety risk.
[Photo: Particle Physics Data Grid]
HSPD-12 & Draft OMB Guidance is Consistent with a Graded Approach
• HSPD-12, item 1: PIV is intended to be issued “by the Federal Government to its employees and contractors.”
• HSPD-12, item 4: Identification meeting the PIV standard must be used “in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”
• Scientific user facilities at M&O contractor sites are Federally owned, but are not Federally controlled; control of these facilities is delegated as part of the contract, with the contractor accountable.
• Draft OMB guidance: “Individuals under contract to the Federal government, to whom you would issue long-term Federal agency identity credentials, consistent with your existing [i.e. no high impact extension required] security policies.” [Bolding added]
Draft OMB & GSA Guidance is Consistent with a Graded Approach
• OMB’s draft guidance for PIV: “Applicability of the directive to other agency specific categories of individuals (e.g., guest researchers) is an agency decision.”, “Directive does not apply to short-term guests and occasional visitors to Federal facilities to whom you would issue temporary identification.”, and “Applicability for the access of Federal systems by remote access is a department or agency decision (e.g. researchers’ up-loading data through a secure website).”
• GSA's March 2005 draft of the Federal Identity Management Handbook: “2.2.3 Agency Affiliates and Agency Partners – Many agencies have affiliates or partners that require logical and/or physical access to do their jobs and that do not fall under the category of employee or contractor. Examples of affiliates and partners are visiting professors, guest faculty or fellowship recipients, interns or temporary help, and task-force members. Each agency must determine whether these individuals require a PIV card. …” [Bolding added]
[Photos: D0 Collaboration; Tevatron @ FNAL]
SLCCC Recommendations on HSPD-12 (May 20, 2005 White Paper)
The rollout of the Personal Identity Verification (PIV) standard across the federal government is now being planned, with implementation to begin in the summer of 2005. The PIV standard and related implementation details are described in a number of documents from NIST, OMB, and GSA. As appropriate, these specifications and guidance documents leave much of the scope of implementation open to the implementing agency, and DOE is now generating its agency-specific guidance. In that regard, SLCCC strongly encourages the DOE implementation of PIV to adopt one of two approaches:
• Require M&O contractors to use PIV cards when accessing federal systems, but not require the use of PIV for access to contractor-operated facilities such as the laboratories.
• Require M&O contractors to acquire PIV cards but exempt fundamental research from applicability to PIV. This option is less preferred.
Approach 1 (Preferred) – Federal Systems Only
Require M&O contractors to use PIV only when accessing Federal systems.
• Only require PIV for those who, under existing security policies, receive a DOE security identification credential (i.e. do not include those with local-lab-only credentials), as well as all other Federal and Lab employees who access federal systems.
• Lab employees who only work with their local (non-Federal, i.e. government-owned but contractor-operated) M&O Laboratory physical and IT systems will continue to use their current local lab card and identification (ID) systems for physical and IT access.
• Visiting researchers, guests, etc., including researchers making use of off-site access to IT systems, will use existing local lab cards/security systems and management controls.
This approach is consistent with DOE Directives and the flexibility granted to agencies in PIV guidance, as well as with a risk-based cost/benefit/ROI approach to security and safety.
[Photos: TeraScale Supernova Initiative; LLNL; ORNL]
Approach 1 (Preferred) – Lab Populations
[Chart of lab population groups; half of users are typically foreign nationals]
• Feds with PIV
• Lab Staff with PIV
• Lab Staff with Local Security
• Onsite Users with Local Security
• Offsite Users with Local Security
• Onsite Guests, Visitors, etc., with Local Security
Approach 2 – Federal Systems + Contractors Only
Require M&O contractors to acquire PIV cards but exempt fundamental research.
• Under this approach M&O contractors would have PIV cards, but the cards would not be required for any fundamental research activities, including local lab business systems integrated into research activities.
• Magnetic strips, barcodes, proximity functions, etc., on the PIV cards could be used with existing local lab systems.
• Visiting and remote researchers, guests, etc., would only have local lab cards used for existing systems with magnetic strips, barcodes, proximity functions, etc., as they currently do for security and safety.
[Photos: RHIC @ BNL; LANL; LBNL; LLNL; ORNL]
Approach 2 – Lab Populations
[Chart of lab population groups; half of users are typically foreign nationals]
• Feds with PIV
• Lab Staff with PIV
• Lab Staff with Local Security
• Onsite Users with Local Security
• Offsite Users with Local Security
• Onsite Guests, Visitors, etc., with Local Security
Physical & Logical Access
• Under Approaches 1 & 2 there would be minimal changes to the physical and logical access systems currently at the Labs.
• This would greatly reduce the initial projected costs.
• Possible exception: if the open (fundamental) science activities at the Labs must move from .gov to another domain such as .org, some Labs (particularly the NNSA Labs) would experience significant changes in their operations and networking architectures.
[Photo: DOE/SciDAC Supernova Science Center]
Risks to Science Mission
• Approach 1 may have a positive ROI for science.
• Some standard implementations under discussion for PIV would have a negative ROI.
• The hostile environment created by foreign-based security checks, with their inherent delays, would drive the world’s scientists to non-U.S. laboratories. The best and the brightest would not come to the U.S. or remotely access U.S. facilities.
• In addition, European Union and Japanese privacy rules and laws likely make it impossible to even perform the security checks.
• Much of the rest of the world is in the process of implementing similar laws.
• With half of the users at many facilities being foreign nationals, their loss would shut down much of the DOE science mission and, through repercussions, terminate most U.S. participation at international laboratories by DOE scientists.
[Photos: BNL; FNAL]
Non-PIV Security Enhancements
• The Laboratories, in ongoing cooperation with DOE programs, will continue to evaluate and implement security models and technologies appropriate to protecting collaborative research. This includes the DOE Grids Certificate Authorities, the ESnet RADIUS Authentication Fabric, and further deployment of One-Time Password systems.
[Photos: EMSL @ PNNL; ESnet; LBNL]
Threat to Stewardship
• DOE (and its predecessors AEC and ERDA) has been responsible for over half a century of stewardship of the largest laboratory enterprise in the world.
• National and international scientific relationships and collaborations with universities and other research centers are crucial to achieving the DOE mission.
• Some standard implementations under discussion for PIV could undermine this stewardship and destroy overnight the relationships and collaborations necessary to achieve DOE’s science mission.
[Photos: ITER @ PPPL; Nano @ ANL]
HSPD-12 Implementation Summary
Some standard implementations for PIV under discussion would be highly detrimental to the DOE science mission. Desirable graded approaches are available to the Department that are mission-friendly, low-impact and low-cost.