The 4BF. The Four Bridges Forum. Jeff Nigriny CertiPath. CertiPath Trust Fabric. The “Bridge” between LACS and PACS. 1. Traditional LACS space marked by PKI, OTP, and UID/Password leveraged through Smart Card Logon, Federated Access Gateways, SSL, S/MIME. 2.
The 4BF: The Four Bridges Forum
Jeff Nigriny, CertiPath
The “Bridge” between LACS and PACS
1. Traditional LACS space marked by PKI, OTP, and UID/Password leveraged through Smart Card Logon, Federated Access Gateways, SSL, S/MIME
2. Traditional PACS space marked by Magstripe and Prox; however, PKI on PIV/-I and CAC is quickly becoming best practice for Federal Facilities
3. Credentials which work in either application are the missing link to gaining situational awareness through logical and physical networked “intelligence points”
Growing Pains
• PKI in PACS is easier said than done
• PACS Vendors and integrators are commercially aligned to avoid interoperable credentials
• Poor implementations hurt everyone
• All of the supporting infrastructure for interoperable credential usage in LACS is missing for PACS
GSA Trusted PACS Specification
Version 1 of the Trusted PACS Specification was published by GSA on March 9th, 2010
Policy - LACS & Credentials vs. PACS

Interoperable high assurance LACS and Credential standards/policies exist to:
• Define the need: Many, e.g., OMB M-04-04, SP 800-79, ISO 27799, etc.
• Define the form: Many, e.g., X.509, SP 800-73, SAML
• Define audit/C&A: Many, e.g., FIPS-201 APL, FISMA, SOX, etc.
• Define interoperability: Many, e.g., The 4BF’s CPs, OpenID, Kantara
• Define the requirement for industry: None

Interoperable high assurance PACS standards/policies exist to:
• Define the need: Few, e.g., SP 800-116, DTM-09-012
• Define the form: Closest to date is TWIC, FRAC
• Define audit/C&A: None and worse, FIPS-201 APL is causing confusion
• Define interoperability: One, GSA Trusted PACS Specification
• Define the requirement for industry: None
[Slide diagram; surviving labels: OEMs Implementations Trusted PACS Implementers General]