Cross-Agency Exercise Proves HSPD-12 Model
DOD, DHS, first responders test smart-card interoperability
- By Jason Miller
- Apr 17, 2006
The Defense and Homeland Security departments, along with first responders from Maryland and Virginia, recently showed just how important trust is under Homeland Security Presidential Directive-12.
In a one-day exercise called Winter Fox, employees from the four organizations used their own smart cards and digital certificates, compliant with Federal Information Processing Standard-201, to obtain validation at another's location.
"We are trying to come up with a trust model to be used across federal, state and local jurisdictions," said Lemar Jones, director of the Pentagon's Force Protection Agency's anti-terrorism and force protection office. "We want to verify someone's identity, whether they are public or private, and decide whether to grant them access to a building or reservation."
Winter Fox, sponsored by DHS' National Capital Region, took place at four locations: the Pentagon's Navy Annex, Frederick County, Md., the port of Baltimore and the Virginia Transportation Department.
"We are basing everything off of HSPD-12 and FIPS-201," Jones said. "This was a proof of concept, and we had a successful demonstration of interoperability at a federal, state, county and private venue."
Winter Fox focused on first responders because of their need to move and communicate easily across jurisdictions.
Jones said that during the Sept. 11, 2001, attacks, Virginia State Police would not accept DOD's building pass as identification to get through roadblocks and to the Pentagon.
In the future, officials don't want first responders to have similar problems. HSPD-12-compliant first-responder cards will be color-coded, and states are following the same scheme, said Ken Wall, deputy director of DHS' Office of the National Capital Region Coordination.
DHS plans on distributing 200,000 smart cards to first responders in the National Capital Region, officials have said.
"Whether the first responder is a firefighter, HazMat technician or federal employee, we want to be able to keep track of their role in an incident," Wall said of the eventual goal in using the technology.
Officials hoped Winter Fox would prove that the cards and certificates would be validated no matter who issued them and which company supplied the back-end infrastructure, as long as the providers followed the federal standards outlined in FIPS-201.
That's how access worked for Winter Fox's 300 participants, Wall said.
About 180 of them used first-responder cards issued by DHS' National Capital Region and about 120 used DOD's Common Access Card or some other card issued by Maryland or DHS, Wall said.
All the cards were single-chip, dual-interface 64KB cards with either two-factor or three-factor authentication. The cards met FIPS-201, Personal Identification Verification I standards. The smart cards used different certificate authorities, but they all met federal standards outlined under the Federal Public Key Infrastructure Policy.
DOD and DHS set up their own separate certificate authorities, while Maryland used a certificate authority from Cybertrust Inc. of Columbia, Md.
"What made this work was that everyone followed the same standard to put their certificate on their card," said Tom Greco, a vice president with CyberTrust. "Winter Fox showed you can create and distribute these kinds of credentials called for by FIPS-201 now, and the technology can carry out the mission."
The responders placed their cards into handheld readers and entered their personal identification numbers. The device used the PIN to verify information stored on the card and in the reader.
Wall said information is pushed to the reader every night and encrypted on memory cards in the device.
"The first-responder community is moving more quickly under HSPD-12 than others in the federal community," said Patrick Hearn, director of business development for government identification at Oberthur Card Systems of Rancho Dominguez, Calif. "From what I've heard, people were pretty excited about this whole thing."
The Pentagon's Jones said the next step would be to use PIV II cards and continue to build the trust model among federal, state and local first responders and agencies.
Additionally, officials said they want to make sure first-responder cards are interoperable in all future exercises at all levels of government for physical and logical access, and continue implementing FIPS-201 throughout Virginia and Maryland.
"Winter Fox was about perimeter control," Greco said. "It pointed out that credential technology can be applied to very specific use cases. I hope this exercise generates more interest in these things."