70 likes | 83 Views
Learn about NASA's high-level PIV system constraints, status, requirements, issues, and major tasks for ensuring secure identity verification and access control.
E N D
NASA Personal Identity Verification (PIV) High Level System OverviewTice F. DeYoung, PhD 14th Fed/Ed Workshop December 14, 2006
NASA PIV System Constraints • The NASA PIV System will meet the following constraints: • Utilize the existing and evolving NASA networks • Utilize the NASA Operational Certificate Authority (NOCA) • Integrate with NASA authentication services; specifically those provided by the Agency Public Key Infrastructure (PKI), the Agency Enterprise Directory, and the Agency Active Directory • Integrate with existing and evolving identity data management products, tools and processes, specifically those provided by the NASA Integrated Services Environment (NISE) • Meet HIGH IT Security information categorization for Personal Identity and Authentication and Security Management • Reflect guidance, direction, and requirements provided by the NASA Office of the Chief Information Officer (OCIO), NASA Office of Security and Program Protection (OSPP), OMB and NIST
NASA PIV Status • NASA Operational CA (NOCA) Key Generation Ceremony completed 22 September ‘06 • PIV 1 process and PIV 2 compliance demonstrated with 27 October ‘06 cards issued to two people (Karen Petraska and Walter Hussey) • Completed draft of PIV Design Document • Completed Biometrics Requirements Document • Completed Test Card Procurement; production card award in process • Conducted successful PIV Preliminary Design Review (PDR), 15 November ‘06 • Received PDR comments; currently dispositioning them • Complete biometrics Proof of Concept by 22 December ‘06
NASA PIV High Level Requirements The NASA PIV System shall: • Comply with FIPS 201 requirements for applicant enrollment, card production, and card issuance for Federal employees • Create and store new identities for new NASA employees, contractors and partners • Track information related to identity proofing documents, fingerprints, and background checks • Issue a PIV-II compliant Smart Card badge that contains a PKI identity certificate and capability for optional PIV certificates • Manage the issuance lifecycle for PIV-II compliant Smart Cards • Flow information appropriately through interconnected NASA systems (AD, CIMS, CBACS) • Produce NASA PIV cards for which CBACS is able to enable physical access control • Provide NASA data via automated interface to Office or Personnel Management (OPM) and/or Federal Bureau of Investigation (FBI) in acceptable format • Support commercial bulk printing of NASA PIV cards as well as Face-to-Face NASA PIV printing • Within all subsystem components, meet NIST 800-53 HIGH controls
Issues • Storage of fingerprints during PIV process?? • Requirements for number of certificates to be accommodated by data model and plan for implementation phasing?? • Interim versus final identity proofing and registration processes • OPM questions (type 4 vs type 14, MOU, electronic links, etc.) • Document verification • Roles clarification (PIV process – FIPS 201, HR Desk Reference Guide, NASA OSPP processes and guidance, business architecture) • Processes for badges that require physical/logical access for fewer than 180 days • Training, change management and test strategy
Remaining Major Tasks • Decision/Input Point for Batch versus F2F printing • Finalizing production badge templates • Complete Use Cases and processes for life cycle management for card holders and cards • Key Management process between Oberthur and NASA • Clarify CMS Card Identification Number (CIN) • Complete Security Plan, Test Plan, Training Plan • Complete Biometric Proof-of-Concept & procurement • Workflow development and interface • NOCA production transition • Production card profiles and batch process
NASA PIV Target Architecture PIV Services Center DB Employee Data Employee Data, UUPIC Employee Data, UUPIC PIV Events Locator HR Name, CHUID, Legacy Prox IDMAX ACL Biometric Server OCSP BIO DB CMS DB CMS / BMS Employee Data, UUPIC PACS CIMS Enrollment & Encoding Data Certificates & Requests Digital Camera Enrollment / Finalization NDC AD Enterprise LDAP PKI x.500 Verification Certificate Certificate Authority Smart Card Account Authorization Contactless LACS NOCA Biometric Live Scan Fargo Printer (w/ magstripe) PACS – Physical Access Control System LACS – Logical Access Control System IDMAX – Identity Management and Account Exchange CIMS – Cyber Identity Management System