“PIV – I Deployment in the ICAM environment: State level deployment of trusted identity credentials”

Post on 15-Jul-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1:

“PIV-I Deployment in the ICAM environment: State level deployment of trusted identity credentials”

Page 2: Presentation Will Cover

States are independent

Introduction of NASCIO

NASCIO Identity Working Group

Identity Vetting Work by the States

Actions to Achieve Enhanced Identification Credentials

PIV-I Opportunities

Industry Federal and Stakeholder Opportunities!

Page 3: National Association of State Chief Information Officers (NASCIO)

Represents the 50 States, Territories and the District of Columbia CIOs and has a representative with the Federal CIO Council

Has a Governance Body Similar to the Smart Card Alliance, as the Alliance supports the Interagency Advisory Board on behalf of its membership.

Is a body with a Philosophy to support the Harmonization of Architectures and Requirements across the 50 States, Territories and the District of Columbia, and Supports a Lot of Work for the States with Nine Major Initiatives.

http://www.nascio.org/

Page 4: NASCIO has many Advantages over this Prestigious Body

Best Practices of PIV Operations Across the Federal Sector are in Steady State Operations with Continuous Improvements Ongoing!

PIV Credentials are supported by a Stable Standard via FIPS-201 and the Accompanying Special Publications.

FIPS-201 has a mature Suite of Tests available that is continuously revisited to meet the needs of the Federal Sector, and it is the basis of PIV-I testing.

Over 5 Million CAC/PIV Credentials are in use in Relying Party Infrastructures across the Federal Landscape.

Products to support PIV and PIV-I are on the GSA APL and are approaching 500.

Page 5: NASCIO Sees the Challenge!

“Every Aspect of our Work across the States and with NASCIO has a dependency directly related to Identity and Credential Management”

NASCIO President: Stephen Fletcher, Chief Information Officer, State of Utah

Page 6: NASCIO has a Plethora of Cool Graphics that exist to Tell the story!

[Figure: GSA Shared Service enrollment architecture. Labelled elements: Enrollment Broker; 225+ geographically distributed and shared Enrollment Stations (Station 1 through Station “n”, plus additional stations as needed); Card Mgmt System; ID Mgmt System; SIP; FBI; OPM; MSO; Enrollment & Biometrics Data.]

The Shared Service Enrollment Stations transmit enrollment data to the SIP for consolidated FTS fingerprint transactions to OPM directly from the SIP.

Page 7: NASCIO’s and Their Member States’ Identity Challenge

In Addition to the 9 Major Initiatives, Meet the Needs of their Governments and their Citizens as to their requirements of Identity, Credential and Access Management as NASCIO works through a Harmonization Process

A Work Group was established at the NASCIO Digital Identity Workshop as part of their mid-year conference.

A great deal of interest was confirmed by NASCIO board members and member states and staff.

NASCIO is working through an ad-hoc working group and put together a charter for a NASCIO Digital Identity Working Group approved by their Executive Committee.

NASCIO is following the White House Draft Cyber Identity and Authentication Strategy, which calls for a National Strategy for Trusted Identities in Cyberspace that will recommend policy changes and create federal offices on digital identity.

Page 8: Policy is in Place for PIV-I

Personal Identity Verification Interoperability For Non-Federal Issuers, Issued by the Federal CIO Council, May 2009

http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf

Again Endorsed by Standards Bodies both Public and Private, National and International

Organizations like AAMVA and NASPO are looking to improve the Identity Proofing and Vetting Processes

Page 9: PIV/PIV-I is Uniquely Elegant

An Issued PIV/PIV-I uniquely represents a Personal Proper Name or Identity, more so than any other representation or document.

It can be used for Authentication or Access

It enables digital signatures, and approaches or is comparable to a Notarized Signature.

It enables enhanced encryption through portability of the encryption keys separating the keys from the material encrypted.

PIV-I implementation is the most predictable Strategy to achieve all 4 levels of Credential for Privacy, Security and Use at a predictable Cost and Value!

Page 10: NASCIO is not beginning from Scratch; They Have Made Major Progress In Identity Vetting and Verification

As You Recall, HSPD-12 has Four Control Objectives:

Issue Identification based on sound criteria to verify an individual’s identity.

Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation.

Personal Identity can be rapidly authenticated electronically.

Issued by providers whose reliability has been established by an official accreditation process.

Page 11: National Impact Analysis

In February 2006, the National Governors Association, National Conference of State Legislators, and the American Association of Motor Vehicle Administrators published “The Real ID Act: National Impact Analysis”.

Responses were completed by 47 of 51 polled jurisdictions, representing 89.6% of all state-issued DL/ID cards. At the time the Real ID Act was under fire, mostly related to the implementation cost and privacy concerns.

Page 12: States move Toward WHTI/Real ID

In January 2008, the State of Washington began issuing Enhanced Drivers Licenses (EDL) and Enhanced Identification (EID) Cards that securely denote identity and citizenship and are an acceptable alternative to a passport for re-entry into the U.S. at land and sea border crossings.

Vermont followed in Feb 2009,

New York State in Jun 2009,

and Michigan in Oct 2009.

In May 2010, Minnesota enacted a law enabling EDL and EID. Minnesotans will begin receiving the new credentials June 2012.

Additionally, as of Jul 2010 the State of Delaware began issuing Real ID Act Compliant Drivers Licenses and Identity Cards to everyone who wishes; these are not WHTI compliant.

Page 13: Other States Progress

16 States Now Use Central Printing and Require Multiple People in the Identity Vetting and Issuance Process for their Drivers License and their Identity Credentials

Social Security Matching. New York DMV cross-checked Social Security numbers provided by applicants for driver’s licenses and IDs against the Social Security Administration database. This practice was upheld by the New York Supreme Court, creating a precedent for other states to use.

North Carolina followed suit, and 27,000 license and ID applicants’ SSNs were considered false.

Digital Photo-Matching Pilot. Matching found 100 individuals had multiple licenses in the system. Law Enforcement arrested 35 individuals. One individual was on New York’s 100 Most Wanted list.

Page 14: Identity Vetting and PIV-I: The Question or What If?

If States are completing PIV-I Vetting or better, including binding individuals with Biometrics to the enrollment application process, this could be considered enrollment and provide an easy road-map for anyone meeting this standard for a PIV-I.

The Smart Card Alliance is looking at a Survey or Gap Analysis Process and Tool to Assist NASCIO and the States in their self-determination as to the Progress they have made toward a PIV-I Enrollment/Application Process.

PIV-I Identity Vetting in an IDMS/CMS redundant Infrastructure that has the NIST SP Protection of encrypted data and separation of roles that is protected by PIV-I Credentials is an Asset to Any State and their Population! This Data has an Intrinsic Value.

Page 15: Many Leaders in States with PIV-Lite Deployments or Strategies looking forward to PIV-I

Illinois

Virginia

Colorado

District of Columbia

Pennsylvania

Hawaii

New York

New Jersey

Rhode Island

Texas

West Virginia

Page 16: PIV-I Infrastructure Built for Industry

Certipath for Aerospace and Defense Contractors

Verizon Business is issuing PIV-I FRAC Credentials to their Own First Responders by this August!

STRAC is issuing Credentials to Doctors and Emergency Medical Personnel

Page 17:

Relying Party Infrastructure Built Out in One State has Application for Reuse across the U.S.

The District of Columbia PIV-I Enabled Smart Meter Solution

Has Application for First Responder Vehicles, for Fire, Police and Ambulances

Has Application for Hazardous Material Transportation Purposes

Page 18: NASCIO Leading State Deployment by Illinois

PKI Migration to PIV-I Already Demonstrates The Realized Value of PKI: http://www.idmanagement.gov/documents/RealizedValueFederalPKI.pdf

PKI qualitative benefits include: 1. Strong digital signature; 2. Support for technical non-repudiation; 3. Strong authentication; 4. Strong Encryption; and 5. Trusted interoperability between disparate systems.

PKI quantitative benefits (measured by return on investment) include:

1. Synergy with HSPD-12 (or PIV-I); 2. Multi-factor authentication; 3. Network security; and 4. PKI-enabled applications.

Demonstrates the Reuse Capabilities and Improvement of Electronic Business to any and all jurisdictions across the U.S.

The Cost Benefit with PIV-I has improved vastly over the cost of the Illinois deployment that was cross certified in 2003.

Page 19:

Many Reasons for the State to Invest in Infrastructure to Support State ICAM Goals Versus the Federal ICAM

State Discussions are focused according to the Stakeholder:

Emergency Management Staff on FRAC

CIO Staff have focused on Citizen Credentials

CIO wants a Business Focus Following the Illinois Experience

Page 20: Opportunities Exist for Federal Agencies to Support States

Broaden Grant Activities: Should DHS, FEMA or HHS Grants be limited to FRAC or Health Care deployments?

Should Grants cross Agencies and Target States, Universities, etc. to build PIV-I Infrastructure?

PIV-I Relying Party Laboratories are very reasonable to build out to demonstrate functionality and aid in the to-be architecture.

Federal Agencies should consider e-signing or other use for PIV-I Credentials being issued by States, Businesses and Locals for all Business and the www.business.gov website.

The Federal DOT is accepting DC’s PKI signatures from DC DOT

Page 21: Lot of Carrots!

490 Items Currently Exist on the APL

Beyond the APL, Physical Access Systems are in Steady State and many can tie to Energy Management and other Building Systems

Simple Sign-on out of the Box with current Enterprise OS with built in capabilities

Support Alternative Workplace Strategies

Support Electronic Health Records

Support Smart Grid

Issue Once Reuse Across Businesses, Universities, Cities, Counties, States and the Federal Space.

Steady State ROI Experiences.

Page 22: And Plenty of Sticks!

The California Department of Public Health (“CDPH”) recently announced its imposition of $675,000 in fines to six hospitals that had reported security breaches involving medical records

To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, their potential fines could be $276 million

The Past, Present, and Future of Cybersecurity, Walter Gary Sharp, Sr.*

As of September 14, 2009, more than 10,450,000 U.S. residents had been victimized by identity theft in 2009 alone, and that number increases by one victim each second. Fifteen million victims will lose more than fifty billion dollars each year.

http://www.jnslp.com/read/vol4no1/03_Sharp.pdf

Journal of National Security Law & Policy, Published by the Pacific McGeorge School of Law & Syracuse University Institute for National Security and Counter Terrorism.

Page 23: PIV-I is Uniquely Elegant

And an Architectural Approach for Identity, Credential and Access Management will Meet the Harmonized Needs and Requirements for the States, Territories, the District of Columbia and Businesses

For All Levels of Credentials Defined by OMB Memorandum 04-04, NIST SP-800-63 and Endorsed by Standards Bodies both Public and Private, National and International

Let’s All Help Citizens receive the Infrastructure they Need to Experience a True Evolution of Business, Security and Privacy.

Page 24: Contact Information

Bob Donelson – 888-316-8881

Member of the Smart Card Alliance

Member of the Physical Access Committee

Leading a White Paper Development Effort

Personal Identification Verification Interoperability for Non-Federal Issuers: PIV-I Trust for Citizens across States, Counties, Cities and Businesses