George Mason University

GMU C4I Center-AFCEA Symposium
May 22-23, 2012

SESSION 4: Identity Management


The Case for Personal Identity Verification (PIV)
and Personal Identity Verification - Interoperable (PIV-I)
Identity Credentials

May 23, 2012 at 10:30


Under the National Strategy for Trusted Identities in Cyberspace (NSTIC), the federal government is moving to take advantage of the burgeoning on-line culture and service delivery through ever expanding ways to interact over the Internet. Unlike social networking activities, in many cases, federal government services and electronic business processes must be delivered to non-anonymous citizens, employees, or subscribers in order to limit fraud and waste. The federal government has realized there are vulnerabilities associated with conducting electronic business with employees, commercial partners and vendors. Where that business entails exchanging or using sensitive or protected information, those vulnerabilities can lead directly to enormous costs to remediate data spills, exfiltrated data or loss of personal identity information.

The use of PIV and PIV-Interoperable (PIV-I) identity credentials for authentication and logon to electronic business systems can significantly reduce the risk of operating on-line systems while providing an opportunity to reduce operating costs and make government on-line services and processes more efficient and effective. While there are few, if any, published studies to confirm the claim that PIV and PIV-I use will deliver the asserted results, adoption and use of these credentials are highly touted by OMB as part of the way to transition federal government services to achieve the NSTIC vision.

To that end, OMB and the Federal CIO Council have issued substantial guidance intended to make PIV and PIV-I a reality. That guidance includes:

  • OMB 05-24, "Policy for a Common Identification Standard for Federal Employees and Contractors"
  • OMB 06-16, "Protection of Sensitive Agency Information"
  • OMB 07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"
  • Federal Identity, Credentialing and Access Management (FICAM) Roadmap
  • OMB 11-11, "Continued Implementation of HSPD-12" guidance

To align with this direction, the Department of Defense has developed several department-wide policies that help to implement OMB guidance and move the DoD toward alignment with the FICAM initiative.

DoD was an early adopter of a PKI-based identity credential solution for performing strong authentication to its most critical information resources. The policy mandating the use of the Common Access Card for accessing the Department's critical networks was implemented in 2004. In 2008, DoD developed the policy and process for accepting and using other PKI-based credentials, including the federal PIV and commercial PKI credentials. In 2011, DoD released its Identity Authentication policy, DoD Instruction 8520.03, which provides the guidance and direction to implement authentication to all DoD information resources using federated identity credentials issued by approved providers, where the credential and authentication protocol strength aligns with the risk to and sensitivity of the data in the system. This policy allows DoD IT system operators to accept and use qualified PIV-I credentials.

The PIV-I and the PIV in particular are expected to provide strong authentication for both logical and physical access. Adoption of PIV/PIV-I for logical access faces education and business-case challenges; adoption for physical access faces additional challenges. Optional features in the standards create a "risk canyon" for relying parties and reduce interoperability to the least common denominator. Physical access in high-throughput applications is limited because strong contactless identity authentication is only an optional feature of the PIV standards. In addition, PIV-I lacks the suitability assurance offered by the PIV issuance process, so PIV-I requires "out-of-band" suitability assurance.

To spur further acceptance and use of PIV/PIV-I by DoD and other federal departments, the discussion must center on the implementation impacts these credential solutions can have and on what actions industry and the government can take to gain efficiency, effectiveness and security.

The discussion will touch on:

  1. Understanding (or lack thereof) of the existing policies.
  2. Making the business case for adopting PIV-I
  3. Insourcing or outsourcing issuance within a company
  4. Identity Management "as a service"
  5. Risk and liability issues
  6. Governance and federation
  7. "Opt In" or mandatory usage?

Real-life examples will be drawn from early attempts to issue identity credentials and have them accepted by government application owners. These examples will include both government and industry cases.

Mr. Fuller will develop the background for identity management within the federal government and discuss how DoD has developed policy and governance that facilitates that strategy. Dr. Mestrovich will turn the discussion to an examination of the impacts the federal strategy will have on the community doing business with DoD and the rest of the federal government agencies.


Dr. Michael Mestrovich
Federation for Identity and Cross-Credentialing Systems (FiXs)


MICHAEL J. MESTROVICH, PhD, is President and CEO of Unlimited New Dimensions, LLC (www.undllc.com). He is also President of the Federation for Identity and Cross-Credentialing Systems (FiXs), a not-for-profit trade association.

The Federation for Identity and Cross-Credentialing Systems (FiXs, www.fixs.org) is a coalition of commercial companies and not-for-profit organizations whose mission is to establish and maintain a worldwide, interoperable identity and cross-credentialing network built on trust, security, privacy, standard operating rules, policies and technical standards. The FiXs network provides application support for the verification and authentication of the identity of individuals who are seeking access privileges to physical or logical sites in the DoD and other government areas/networks, as well as commercial infrastructures that have been certified to operate on the FiXs network.

UNDLLC provides strategic consulting services to commercial and government entities that are developing/implementing their enterprise and operational environments for the continually changing environments of the 21st century. These services are focused on the areas of life cycle e-Business management and internet/intranet based solutions; enterprise level services/architectures; information assurance, identity management, credentialing and critical infrastructure protection; network-centric solutions; and executive education in enterprise information management.

Prior to his current position Dr. Mestrovich served nearly thirty years in the Department of Defense, where he was a member of the Senior Executive Service, and held positions as: the Deputy Assistant Secretary of Defense for Health Information Systems; the Information Management Executive for the Office of Under Secretary of Defense for Acquisition and Technology; and the Director of the Center for Integration and Interoperability at the Defense Information System Agency (DISA).

He is a past Chair of the E-Gov Program Advisory Board for Homeland Defense/Information Assurance/Security and for Government Health IT, and Chairman Emeritus of the AFCEA International Technical Committee.

His undergraduate degree is from the University of Notre Dame, his Master's from Duquesne University and his Doctor of Philosophy in Economics from the University of Notre Dame.

Dr. Mestrovich and his wife Jane reside in Montclair, Virginia.


Mr. Don Fuller
Booz Allen Hamilton


DON FULLER has been with Booz Allen Hamilton for over 10 years, working in the Public Key Infrastructure (PKI) and identity policy areas with DoD clients in the Air Force and in the DoD CIO. Don has worked closely with senior DoD CIO leadership and the Identity Protection and Management Senior Coordinating Group (IPMSCG) and has been instrumental in coordinating PKI and Common Access Card (CAC) policy and implementation guidance across the DoD Components. He was the primary author of DoD's PKI and Authentication policies. His most recent work has been to align DoD with the Federal Identity, Credentialing, and Access Management (FICAM) Roadmap and guidance and to establish the policy and processes that enable interoperable use of PIV and PIV-I credentials by information systems within the Department. Don is a 1977 USMA graduate, retired from the US Army Reserves with 30 years of service and was deployed to Afghanistan during Operation Enduring Freedom. He has a Master's in Information Systems from George Mason University and is a Certified Information Systems Security Professional (CISSP).


Mr. Hank Morris
Strategic Operational Solutions, Inc.


HANK MORRIS is a Principal Systems Engineer at Strategic Operational Solutions, Inc., where he leads development and fielding of identity-enabled solutions for the DoD and Intelligence Communities. Mr. Morris is a 20-year veteran of the USAF. A graduate of the University of Maryland in Computer Science, Mr. Morris earned a Master of Science in Computer Science from the University of Texas, and is a Certified Information Systems Security Professional (CISSP).

Last updated: 10/29/2013