The Case for Personal Identity Verification (PIV)
Personal Identity Verification - Interoperable (PIV-I)
May 23, 2012 at 10:30
Under the National Strategy for Trusted Identities in Cyberspace (NSTIC), the federal government is
moving to take advantage of the burgeoning on-line culture and service delivery through ever expanding
ways to interact over the Internet. Unlike social networking activities, in many cases, federal
government services and electronic business processes must be delivered to non-anonymous citizens,
employees, or subscribers in order to limit fraud and waste. The federal government has realized there
are vulnerabilities associated with conducting electronic business with employees, commercial partners
and vendors. Where that business entails exchanging or using sensitive or protected information,
those vulnerabilities can lead directly to enormous costs to remediate data spills, exfiltrated data
or loss of personal identity information.
The use of PIV and PIV-Interoperable (PIV-I) identity credentials for authentication and logon to electronic
business systems can significantly reduce the risk of operating on-line systems while providing an opportunity
to reduce operating costs and make government on-line services and processes more efficient and effective.
While there are few, if any, published studies to confirm the claim that PIV and PIV-I use will deliver the
asserted results, adoption and use of these credentials are highly touted by OMB as part of the way to
transition federal government services to achieve the NSTIC vision.
To that end, OMB and the Federal CIO Council have provided a lot of guidance trying to make PIV and PIV-I a
reality. That guidance includes:
- OMB 05-24, Policy for a Common Identification Standard for Federal Employees and Contractors
- OMB 06-16 "Protection of Sensitive Agency Information"
- OMB 07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"
- Federal Identity, Credentialing and Access Management (FICAM) Roadmap
- OMB 11-11 - "Continued Implementation of HSPD-12" guidance
To align with this direction, the Department of Defense has developed several department-wide policies that
help to implement OMB guidance and move the DoD toward alignment with the FICAM initiative.
DoD was an early adopter of a PKI-based identity credential solution for performing strong authentication to
its most critical information resources. The policy mandating the use of the Common Access Card for accessing
the Department's critical networks was implemented in 2004. In 2008, DoD developed the policy and process for
accepting and using other PKI-based credentials including the federal PIV and commercial PKI credentials. In 2011,
DoD released their Identity Authentication policy, DoD Instruction 8520.03, that provides the guidance and
direction to implement authentication to all DoD information resources using federated identity credentials
issued from approved providers; where the credential and authentication protocol strength aligns with the risk
to and sensitivity of the data in the system. This policy allows DoD IT system operators to accept and use
qualified PIV-I credentials.
The PIV-I and the PIV in particular are expected to provide strong authentication for both logical and physical
access. While adoption of PIV/PIV-I for logical access faces education and business case challenges; adoption
of PIV/PIV-I faces additional physical access challenges. Optional features of standards create a "risk canyon"
for relying-party, and reduce interoperability to the least-common-denominator. Physical access in
high-throughput applications is limited by the PIV standards' optional-state of strong contactless identity
authentication. In addition, the PIV-I lacks the suitability assurance offered by the PIV issuance process
and the PIV-I requires "out-of-band" suitability assurance.
To spur further acceptance and use of PIV/PIV-I for the DoD and other Federal Departments, the discussion must
center around the implementation impacts these credential solutions can have and what actions Industry and
the government can take to gain efficiency, effectiveness and security.
The discussion will touch on:
- Understanding (or lack thereof) of the existing policies.
- Making the business case for adopting PIV-I
- Insourcing or outsourcing issuance within a company
- Identity Management "as a service"
- Risk and liability issues
- Governance and federation
- "Opt In" or mandatory usage?
Real life examples will be used provided from early attempts to issue identity credentials and have them accepted
by government application owners. These examples will include both government and industry cases.
Mr. Fuller will develop the background for identity management within the federal government and discuss how DoD
has developed policy and governance that facilitates that strategy. Dr. Mestrovich will turn the discussion to
an examination of the impacts the federal strategy will have on the community doing business with DoD and the
rest of the federal government agencies.
Dr. Michael Mestrovich
Federation for Identity and Cross-Credentialing Systems (FiXs)
MICHAEL J. MESTROVICH, PhD, is President and CEO of Unlimited New Dimensions, LLC. (www.undllc.com).
He is also President of the Federation for Identity and Cross-Credentialing Systems (FiXs), a not for
profit trade association.
The Federation for Identity and Cross-Credentialing Systems (FiXs), www.fixs.org is a coalition of
commercial companies and not-for-profit organizations whose mission is to establish and maintain a
worldwide, interoperable identity and cross-credentialing network built on trust, security, privacy,
standard operating rules, policies and technical standards. The FiXs network provides application
support for the verification and authentication of the identity of individuals who are seeking access
privileges to physical or logical sites in the DoD and other government areas/networks, as well as
commercial infrastructures that have been certified to operate on the FiXs network.
UNDLLC provides strategic consulting services to commercial and government entities that are
developing/implementing their enterprise and operational environments for the continually changing
environments of the 21st century. These services are focused on the areas of: life cycle e-Business
management, and internet/intranet based solutions; enterprise level services/architectures; information
assurance, identity management, credentialing and critical infrastructure protection; network-centric
solutions and executive education in enterprise information management.
Prior to his current position Dr. Mestrovich served nearly thirty years in the Department of Defense,
where he was a member of the Senior Executive Service, and held positions as: the Deputy Assistant
Secretary of Defense for Health Information Systems; the Information Management Executive for the
Office of Under Secretary of Defense for Acquisition and Technology; and the Director of the Center
for Integration and Interoperability at the Defense Information System Agency (DISA).
He is a past Chair of the E-Gov. Program Advisory Board for Homeland Defense/Information Assurance/
Security and for Government Health IT; and Chairman Emeritus of the AFCEA International Technical Committee.
His undergraduate degree is from the University of Notre Dame, his Masters from Duquesne University and his
Doctorate of Philosophy in Economics from the University of Notre Dame.
Dr. Mestrovich and his wife Jane reside in Montclair, Virginia.
Mr. Don Fuller
Booz Allen Hamilton
has been with Booz Allen Hamilton for over 10 years, working in the Public Key Infrastructure (PKI)
and identity policy areas with DoD clients in the Air Force and in the DoD CIO. Don has worked closely
with senior DoD CIO leadership and the Identity Protection and Management Senior Coordinating Group
(IPMSCG) and has been instrumental in coordinating PKI and Common Access Card (CAC) policy and
implementation guidance across the DoD Components. He was the primary author for DoD's PKI and
Authentication policies. His most recent work has been to align DoD with the Federal Identity,
Credentialing, and Access Management (FICAM) Roadmap and guidance and establish the policy and
processes that enable interoperable use of PIV and PIV-I credentials by information systems within
the Department. Don is a 1977 USMA graduate, retired from the US Army Reserves with 30 years of service
and was deployed to Afghanistan during Operation Enduring Freedom. He has a Masters in Information
Systems from George Mason University and is a certified information systems security professional (CISSP).