Saturday, 09/17/2005 2:13:59 PM

Warning: A Theme Too Darned Big For One Post…

Folks hereabouts have been patient with me as I birddog various links and tidbits involving Wave and the Federation for Identity and Cross-Credentialing (FIXS) and TRY to understand just how FIXS connects up with other organizations inside and out of government… and even beyond our shores.

Now here comes a MONSTER post that is meant only for those with a great deal of patience and not a tiny amount of time. It’s the POSTING equivalent (in terms of time involvement at least) of the slog we’ve all endured, hopefully without any of the acrimony and occasional “outcrappings” of our least favorite characters.

This post COULD get into Homeland Security Presidential Directive-12 (HSPD-12) and other government initiatives and regulations, e.g. PIV and FIPS-201. However, I’ve decided to skip those. Suffice it to say, that FIXS **seems** to be a REAL good start on implementing HSPD-12.

But, before getting underway in earnest, here’s the short story:

What began within the Department of Defense as the Defense Cross-Credentialing Identification System (or DCCIS or DCIS, depending upon which bureaucrat is doing the acronym-izatation-itude-ality), subsequently merged with FIXS via a pilot at the Defense Manpower Data Center (or DMDC). That highly successful pilot helped secure an award for FIXS from the government:

DoD and Industry Coalition Win Public/Private Sector Partnership Award for Credential Verification System

Herndon, Virginia, May 3, 2005 - The Department of Defense (DoD) Defense Manpower Data Center and the Federation for Identity and Cross-Credentialing Systems (FiXs) have won the Government Solution Center's first annual Successful Public/Private Partnership Award. The organizations are being recognized for the results of a proof-of-concept project in which credentials issued by one employer were electronically accepted in other employers' work locations. This "cross-credentialing" is enabled by FiXs' interoperable infrastructure and operating rules. The Defense Manpower Data Center and FiXs will receive the award at the Government Solutions Center conference on June 2, 2005 in Washington, DC.

"A federated credentialing system can improve security, protect privacy and reduce costs," said Mary Dixon, Deputy Director, Defense Manpower Data Center. "Serious consideration should be given within the government and by our commercial partners to a federated credentialing system such as this."

"The Federation for Identity and Cross-Credential Systems, partnering with the Department of Defense, has developed a new system to independently verify credentials via electronic means," said Dr. Mike Mestrovich, Co-Chair of FiXs. "This new method provides significant improvements in security and reliability compared to systems using human verification. In addition, the structure allows identity information to be stored by the employee's organization, rather than in a master database."

"This system represents a model for private/public cooperation that leverages government technology and industry best practices to address an increasingly important national issue - secure and authoritative authentication of identity. DMDC is proud of the work it has done with the FiXs to successfully implement this capability," said Robert Brandewie, Director, Defense Manpower Data Center.

FiXs makes possible the electronic, real-time verification of a credential and the person carrying the credential. The FiXs system electronically, through its interoperable infrastructure, validates and authenticates the credential, matching it to the person presenting the credential using the biometrics and digital pictures captured when the credential was issued.

The proof-of-concept program between FiXs and the DoD demonstrated that there are many benefits to this system:
* It is more secure and reliable than current systems;
* Privacy of individuals to whom credentials are issued is not compromised, because of the use of federated databases;
* Validation and authentication processes are consistent and uniform across organizations;
* The system is easy to use;
* Companies and government agencies can terminate or invalidate an identity credential in a timely, electronic manner;
* Each organization maintains its own database - no "master" database; and
* Fraud is more difficult.

The key to FiXs is interoperability. Interoperability means a set of policies, operating rules, and technical specifications that allow various parties to act and exchange information on an equal basis. Interoperability in the FiXs system is analogous to electronic payment systems, where operating rules and standard file formats allow numerous parties to participate on an equal basis.

The FiXs Federation is a coalition of industry and not-for-profit organizations whose objective is to support efforts to create and deploy an interoperable identity cross-credentialing "network." Participating companies and organizations are: Anteon, BearingPoint, Inc., Data Systems Analysts, Inc., Electronic Data Systems, Inc., Intelli-Check, Lockheed Martin, NACHA - The Electronic Payments Association, Northrop Grumman Corporation, SRA International, Inc., SafLink and Wave Systems Corporation. Information about FiXs and how organizations can participate will be featured during a public forum on May 4, 2005 in McLean, Virginia. For information about the forum, contact Jaime Hill at 703/561-3945 or jhill@nacha.org.


(PAUSE FOR A DR. PEPPER)

The FIXS/DCIS pilot and the award have subsequently led to a great deal of interest in other quarters: including the Electronic Authentication Partnership (or EAP)—a group that we know SKS has presented to and that Wave has representatives within; the Transatlantic Secure Collaboration Program (TSCP), which is a business-driven initiative to provide guidelines of policies, procedures, and mechanisms for the secure sharing of sensitive electronic information among international defense companies and their governments; and NACHA—The Electronic Payments Association. NACHA is of particular interest to me because it “represents more than 12,000 financial institutions through direct memberships and a network of regional payments associations, and 650 organizations through its industry councils. NACHA develops operating rules and business practices for the Automated Clearing House (ACH) Network and for electronic payments in the areas of Internet commerce, electronic bill and invoice presentment and payment (EBPP, EIPP), e-checks, financial electronic data interchange (EDI), international payments, and electronic benefits transfer (EBT).” In my opinion, the connection (which seems to be growing by the day) between FIXS and NACHA brings Wave right back to its significant and valuable FINREAD experience and its deep expertise in understanding what is needed to secure electronic transactions.

Now, one more piece of business here at the top. There are names that keep cropping up in my own research about all of this. Here they are in no particular order:

Mary Dixon--In a 2004 GCN article, Ms. Dixon was described in the following terms:

As the daughter of an Air Force officer, Mary Dixon was born to high expectations.

“I am a driven person, so I am always trying to make things better,” said the program manager of the Defense Department’s Common Access Card program.

When Dixon was assigned the project of developing the system in 1999, she barely knew what a smart card was. Five years later, she’s leading the charge on federal smart-card use.

“Dixon doesn’t oversee the program, she drives the program with personal dedication and unquestioned integrity,” said Randy Vanderhoof, executive director of the Smart Card Alliance industry association.

“My word for her is ‘visionary,’ ” said Tim Dwyer, vice president of government solutions for EDS Corp. of Plano, Texas, an integrator supporting the Common Access Card program. “When something goes wrong, she is not looking to try to make a bad process better, she is looking to reinvent process so that it is done right.”


David Temoshok: I first became aware of David Temoshok when I saw him sitting at a lunch table with SKS at the first Digital Identity World conference in Denver some years back. Here’s an excerpt from his biography:

“David Temoshok is the PKI Policy Manager for the Office of Governmentwide Policy of the General Services Administration, which develops the policies and services to enable governmentwide electronic transactions with citizens, businesses, and governments. In this capacity, David serves as the Policy Authority for the Federal ACES Program that provides PKI services across the Federal Government. David also serves on the Federal PKI Policy Authority which administers the Federal Bridge Certification Authority to provide cross-certification PKI services across government.

Prior to this appointment, David served as the Inter-Agency Director for the Access America Program. This program provides public access to a wide range of government services electronically on a nationwide basis. David also served as Chairman of the Federal Smart Card Task Force to provide leadership and coordination for the development and implementation of federal smart card systems through the government-wide Common Access ID Card Program.”


Perry Tsacoumis, project manager, FiXS/DCIS, Northrop Grumman Information Technology

Helena Sims is Senior Director of Public/Private Partnerships for NACHA.

Jack Radzikowski, Director, Commercial Authentication & ID, Northrop Grumman. Jack is, among other things, the former chief of federal financial systems for the United States Office of Management and Budget.

Michael Mestrovich is the former Chairman, Federal Electronic Commerce Coalition and is currently helping to lead FIXS.

Okay, thus ends all the housekeeping and setting up. Here we go…

We begin with FIXING of FIXS overview and bylaws… which mentions Wave Systems:


http://155.212.219.228/Docs/Bylaws%20v1%202%20021105_2.pdf

Purpose/Objectives. The purpose and objectives of the Federation are generally set forth in the Articles of Incorporation and include but are not limited to the following specific purposes and objectives:

a. Define how industry will interface with government to manage the Federation “Network,” meaning the federation of organizations that have joined the Federation for the purpose of interconnecting and cooperating for the specific purpose of identity management and trust, including compliance with certain common trust models, business rules, policies, and technical specifications adopted by the Federation. (The first instantiation of the Network will be with the Department of Defense (“DoD”) and will be completed by connecting the FiXs subsystems with the DoD’s Defense Cross-Credentialing Identification System (“DCCIS”).)
b. Establish a foundation for the interoperability of identity authentication and verification within the Network to include biometrics.
c. Maintain and enforce the provisions of documents that provide the foundation for the Federation Project, including the Trust Statement, the Policy Statement, the Operating Rules (“Rules”) and the Technical Interfaces and Specifications and any Memoranda of Understanding between government and industry.
d. Oversee the industry portion of the FiXs and DCCIS infrastructure, which is scheduled to commence implementation on November 1, 2004, and project operations during the transition to full production through July 31, 2005.

Classes of Membership. There are three classes of membership:

a. Founding Members. During the Initial Phase, only Founding Members will be entitled to a vote as specified in Article IV. The following organizations are Founding Members:

(1) Founding Full Members. Companies with more than 500 employees that enrolled and authenticated employees in the pilot shall be Founding Full Members. There are six Founding Full Members: Anteon, BearingPoint Inc., EDS, Lockheed Martin Corporation, Northrop Grumman, and SRA International, Inc.

(2) Founding Small Businesses. Companies with fewer than 500 employees, whose employees were enrolled by another company (as described in Article I, paragraph 5(b)) into the pilot, shall be Founding Small Businesses. The Founding Small Business Members are: Data Systems Analysts, Inc., Intelli-Check Inc., Saflink Corporation and Wave Systems Corp.

(3) Founding Association Members. Associations or coalitions that participated in the project during the pilot are Founding Association Members. There are two Founding Association Members: The Federated Electronic Government Coalition and NACHA--The Electronic Payments Association.


Now, for most of us the first inkling we got of anything about all of this stuff was in a somewhat cryptic reference by SKS during the Q2 2003 conference call.

http://www.unclever.com/wavx/WAVX2Q03.html

We continue also to work with a number of federal and state opportunities in secure input, and different identity card technologies. Recently Northrop Grumman showed a presentation that included Wave as part of the solution for the DCIS [Defense Cross-credentialing Identification System] technology. And we look forward to continuing to work with them, to help build some of that cross credentialing technology for different identities.

Of course, bashers and others of our “outcrappers” NEVER believe anything SKS says. But, that’s their problem.

So what exactly is the Defense Cross-Credentialing Identification System?


http://www.gcn.com/22_29/dodcomputing/23658-1.html
09/29/03; Vol. 22 No. 29

Defense plans pilot test of cross-credentialing system

By Dawn S. Onley
GCN Staff

The Defense Department next month will begin testing a prototype credential-checking system.

The pilot will help DOD’s Directorate of Information Assurance and Defense Manpower Data Center develop a system that can validate the identities of people trying to gain access to military installations and contractor facilities where Defense work is performed.

The center, which oversees the Defense databases storing identity information, will work with Northrop Grumman Corp. on the test. The directorate, within the Office of the Assistant Secretary of Defense for Networks and Information Integration, is paying $500,000 for the test, which will run through March.

Northrop Grumman and a team of vendors developed the Defense Cross-Credentialing Identification System as a proof-in-concept project for the department. The DCIS prototype will process smart cards issued under DOD’s Common Access Card program as well as other standardized IDs in use at the agencies and contract sites participating in the prototype test.

“DCIS will provide a vital service for force protection,” said Wood Parker, vice president and general manager of the government IT division of Northrop Grumman’s mission systems group.

Northrop Grumman will administer tests at vendor and Defense facilities in Maryland and Virginia and at Kirtland Air Force Base, N.M., and Wright-Patterson Air Force Base, Ohio.

The pilot has several objectives:
* Develop interoperable system concepts for accessing and validating contractor and government credentials at U.S. facilities and temporary overseas duty stations
* Satisfy current policies, standards and processes with an automated access control system
* Create a federated credentialing system between government and industry where the information on individuals remains under the control of their parent organizations.

Northrop Grumman’s team includes BearingPoint Inc. of McLean, Va.; EDS Corp.; the Federated Electronic Government Coalition of Washington and SRA International Inc. of Fairfax, Va.


After the aforementioned DCIS pilot, a curious thing happened: it seems that somebody got the bright idea that DCIS was bigger than just DCIS (Defense, that is.) So, later in 2003, we get this…

http://www.fegc.org/documents/FiXS-DCIS%20Policy%20Document%202%5B1%5D.0._Sep.%2024,%202003_.pdf.

1.1 Summary
It is the intent of the Department of Defense (DoD) to continually review existing Common Access Card (CAC) Policy and Identity Management Policy. Within this cycle, the DoD proposes to review its policies on the issuance of CAC badges to contractor personnel and review options for these companies to issue a GSC-IS-compliant card. In pursuance of this continuing policy review, the DoD has agreed to sponsor the proof-of-concept below with its concomitant policy, trust model and operating rules.

The Federated Electronic Government Coalition (FEGC), Federal Agencies and the Department of Defense (DoD) – Defense Manpower Data Center (DMDC) have entered into a relationship to provide an operational proof of concept that would demonstrate the interoperability of credentials for physical access control. This proof of concept and pilot will implement a federated identity management and credential system between DoD, Federal Agencies and Industry participants who have a need for identification and authentication as part of their joint working environment. The following criteria will be considered.

1.1.1 Interoperable and compatible “federated” system concepts for the accessing and validating of government and contractor credentials at select government and contractor facilities and locations for physical access.

1.1.2 Future logical access requirements and compatibility with the Federal PKI Bridge and other identified links or applications as necessary.

This program will be referred to as the Federated Identity Management and Cross-credentialing System (FiXs), with the DoD portion known as the Defense Cross-credentialing System (DCIS)


Then in 2004, Mary Dixon reports on the DMDC pilot to the Electronic Authentication Partnership.

http://www.eapartnership.org/docs/Apr2004/fixS-DCIS_Dixon.ppt

So what is the Electronic Authentication Partnership?

http://www.eapartnership.org

About the Electronic Authentication Partnership
The Electronic Authentication Partnership (EAP) is the multi-industry partnership working on the vital task of enabling interoperability among public and private electronic authentication (e-authentication) systems.

Interoperability of e-authentication systems is essential to the cost-effective operation of safe and secure systems that perform essential electronic transactions and tasks across industry lines.


Well, as luck would have it, it seems that EAP got pretty interested in where FIXS leaves off and where their work begins… and certain overlaps. Now, as of August of this year, it became clear that FIXS and EAP have decided upon a FIRST pilot for EAP. Please check out the Radzikowski PowerPoint below.

http://www.eapartnership.org/docs/Aug2005/August_2005_Radzikowski.ppt

(From Agenda notes from the August 11th meeting)

00 – 2:30 Pilot Planning
During the afternoon session, participants will begin the process of planning for the first EAP pilot test. The first pilot sets a precedent for the future and paves the way for a second and third pilot by informing the process through lessons learned. The first test will be a joint initiative with the Federation for Identity and Cross-Credentialing (FiXs). To date FiXs has focused on physical access to buildings and facilities. The pilot will build on the work of FiXs and the EAP as it builds a foundation for physical access as well as logical access to computer systems, which is consistent with the goal of HSPD 12. This session will begin to identify the steps that must be taken in planning for the pilot. This session will examine:
* Pilot purpose and strategy;
* Criteria for shaping pilot activity;
* What is in a pilot plan;
* Identification of the rule sets and other documents must be aligned; and
* How success will be measured.


Now, let’s back up a bit. Remember, FIXS/DCIS pilot at the Defense Manpower Data Center, which is led by Mary Dixon. Here’s a little more about that from June of last year. In particular, note WHO is the source of this information… listed at the end of the article.

http://www.findbiometrics.com/viewnews.php?id=1187

DoD, Partners Begin Test of Identity Management Interoperability Project - June 02, 2004

ARLINGTON, Va., - A cross-credentialing pilot to test the interoperability of credentials issued by the Department of Defense (DoD) and private employers is underway and is expected to continue through the summer of 2004. The ground-breaking pilot of the Federated Identity Cross-credentialing System/Defense Cross-credentialing Identification System (FiXs/DCIS) will test the ability of participating organizations to authenticate and validate credentials issued by another organization, whether DoD or a government contractor.

Under the project, DoD and a coalition of private-industry partners are implementing a federated identity management and interoperable credentialing system that enables certain DoD facilities to authenticate contractor personnel who present existing contractor-issued credentials. Under the pilot, private industry participants can also authenticate DoD personnel at participating facilities by relying on the employees' existing Common Access Cards (CACs). Each of the founding organizations listed below is operating at least one pilot site. For a list of all founding organizations, including small businesses and associations, please visit http://www.fegc.org.

* Defense Manpower Data Center
* Anteon
* BearingPoint, Inc.
* Electronic Data Systems, Inc.
* Lockheed Martin Corporation
* Northrop Grumman Corporation
* SRA International, Inc.

The Department of Defense and its industry partners have a need for employee identification and authentication as part of their joint working environment. This public-private effort, which could eventually involve over four million CAC cards and three million contractor-issued credentials, can transform the way physical access to facilities is handled.

The keys to FiXs/DCIS are interoperability and mutual trust. Interoperability means a set of rules, requirements, and/or standards that allow various parties to act and exchange information on an equal basis. Mutual trust is achieved by agreeing to a common model and uniform processes for vetting employees and enrolling them into each employer's database.

The FiXs/DCIS project will enable participating DoD facilities to rely on contractor-issued FiXs/DCIS credentials. Likewise, participating contractor locations are capable of accepting FiXs/DCIS credentials from any other participating company, as well as the CAC. Information on each credential holder will be maintained in a separate database by his or her employer so that minimal data sharing is required. To ensure and protect credential holders' privacy, no single, centralized master database is created. Facility access will be granted based on local, pre-existing policies and procedures. FiXs/DCIS permits DoD and its partners to maintain their existing security system and policies.

The pilot, which is co-sponsored by the Defense Manpower Data Center and the Office of the Secretary of Defense, Networks Information and Integration, is being conducted under the auspices of the Federated Electronic Government Coalition (FEGC). For more information on this project, and the latest news and status of the pilot, please visit the FEGC web site at http://www.fegc.org.

Source: NACHA - The Electronic Payments Association


Okay, are you still with me? What the heck is NACHA?

http://www.nacha.org/About/default.htm

NACHA - The Electronic Payments Association is the leading organization in developing electronic solutions to improve the payments system.

NACHA represents more than 12,000 financial institutions through direct memberships and a network of regional payments associations, and 650 organizations through its industry councils. NACHA develops operating rules and business practices for the Automated Clearing House (ACH) Network and for electronic payments in the areas of Internet commerce, electronic bill and invoice presentment and payment (EBPP, EIPP), e-checks, financial electronic data interchange (EDI), international payments, and electronic benefits transfer (EBT).

NACHA's Mission is to promote the development of electronic solutions that improve the payments system for the benefit of its members and their customers.
NACHA is dedicated to improving the payments system through its eight primary functions. These are:
1. Rule-making for the ACH Network and other payments systems;
2. Facilitating the development of new payment applications;
3. Identification and implementation of risk management initiatives;
4. Providing and supporting education programs;
5. Instituting and monitoring quality controls in the payments system;
6. Improving member communications/relations;
7. Responding to regulatory and government relations issues; and
8. Marketing electronic payment services.


Now, let’s GO INTERNATIONAL. FIXS has been seen presenting, as of September 8 of this year, to this organization:

http://www.tscp.org

“The Transatlantic Secure Collaboration Program (TSCP) is a business-driven initiative to provide guidelines of policies, procedures, and mechanisms for the secure sharing of sensitive electronic information among international defense companies and their governments, to meet the requirements for increasing collaboration and through life contractor logistic support in an increasingly regulated environment.”

In particular, FIXS has been presenting to this SUB-GROUP of the TSCP:

The purpose of the International Collaborative Identity Management (I-CIDM) activity is to enable 2 end users of applications in different organisations that have different PKI Certificate Authorities (CAs) to be able to establish a path of trust across 2 bridges at a medium level of assurance with a hardware token and at such other levels as required. The objective for 2005 is to get 3 industry bridges cross-certified with the US Federal Bridge. TSCP requires I-CIDM to have these in place so that a government agency can establish trust with a company via 2 bridges working to a Common Policy, based on an Identity Proofing & Vetting Framework being developed.


