DOD, contractors try sharing credentials
Contractor IDs are currently accepted at face value
- By William Jackson
- Jun 18, 2004
The Defense Department and six contractors are cooperating on a summer-long interoperability test for credentials.
The pilot, funded by the Defense Manpower Data Center, will have a central broker to verify IDs of persons entering military and contractor facilities.
'We see this as a big advantage for the department,' said Bill Boggess, chief of access and authentication technology at the center.
Thousands of contractors enter DOD facilities each day, some carrying the military's Common Access Card but many others with only company IDs.
'Right now, we have to take their word for it' that an ID is valid, Boggess said.
The participating contractors will accept the CAC at company facilities, and DOD will validate private IDs at some military bases. The contractors can also validate one another's credentials.
The pilot is an effort of the Defense Cross-credentialing Identification System and the Federated Electronic Government Coalition, an industry group that promotes electronic transactions with government.
The pilot's federated trust system is designed to interfere as little as possible with each organization's credentialing process. Software at entry points links to a gateway trust broker hosted by the Defense Manpower Data Center's western office in Monterey, Calif. When credentials are presented, the gateway routes an authentication request to the issuer's database for validation.
'The system lets each party hold its own data' without a central database, Boggess said. 'We're talking about Web services to achieve this.'
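To make the routing model concrete, here is an added illustration in Python of how such a gateway can check a presented credential without holding any cardholder records. It is not the pilot's or DMDC's software; the issuer codes, the `<issuer>:<serial>` credential format, the `validate()` call on each issuer and the `accredited` flag are all assumptions made for the example.

```python
"""Toy model of a federated trust broker for physical-access credentials.

Added example, not DMDC/DCIS software. Assumptions: each issuer exposes a
validate(serial) call; credential IDs are formatted as "<issuer-code>:<serial>";
the broker keeps only a registry of issuers it will talk to.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Issuer:
    """One credentialing organization. It keeps its own records; the
    broker never sees this table, so there is no central database."""
    code: str
    accredited: bool                      # assumed flag: meets the issuing standard
    _records: Dict[str, str] = field(default_factory=dict)   # serial -> status

    def enroll(self, serial: str) -> None:
        self._records[serial] = "active"

    def revoke(self, serial: str) -> None:
        if serial in self._records:
            self._records[serial] = "revoked"

    def validate(self, serial: str) -> str:
        # The issuer answers only with a status; it does not export its data.
        return self._records.get(serial, "unknown")


class TrustBroker:
    """Gateway that routes a validation request to the credential's issuer.
    It stores no cardholder data, only which issuers it trusts."""

    def __init__(self) -> None:
        self._issuers: Dict[str, Issuer] = {}

    def register_issuer(self, issuer: Issuer) -> None:
        if not issuer.accredited:
            raise ValueError(f"issuer {issuer.code} does not meet issuing standard")
        self._issuers[issuer.code] = issuer

    def check(self, credential_id: str) -> str:
        """Return 'grant' or 'deny:<reason>' for a presented credential."""
        try:
            code, serial = credential_id.split(":", 1)
        except ValueError:
            return "deny:malformed"
        issuer = self._issuers.get(code)
        if issuer is None:
            # Taking an unknown issuer's card at face value is what the pilot replaces.
            return "deny:unknown-issuer"
        status = issuer.validate(serial)
        return "grant" if status == "active" else f"deny:{status}"


def demo() -> Dict[str, str]:
    """Constructed sample data: one DOD-style issuer, one contractor issuer."""
    dod = Issuer("DOD", accredited=True)
    acme = Issuer("ACME", accredited=True)
    dod.enroll("1001")
    acme.enroll("A-77")
    acme.enroll("A-78")
    acme.revoke("A-78")          # e.g. a departed employee whose card was never recovered

    broker = TrustBroker()
    broker.register_issuer(dod)
    broker.register_issuer(acme)

    probes = ["DOD:1001", "ACME:A-77", "ACME:A-78", "ACME:A-99", "ZZZ:1", "nocolon"]
    return {p: broker.check(p) for p in probes}


if __name__ == "__main__":
    for cred, decision in demo().items():
        print(f"{cred:12s} -> {decision}")
```

The point the model makes is the one Boggess describes: the broker's only state is the list of issuers it trusts, and a card that looks genuine but has been revoked by its issuer, or comes from an issuer the broker has never accredited, is refused at the gate rather than accepted on sight.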
Although the pilot does not specify a credential, it requires the issuer to maintain a secure database and meet DCIS' standards for issuing and managing credentials.

Based on financial network
The National Automated Clearing House Association of Herndon, Va., helped develop the standards behind the pilot.
'Operating rules are our specialty,' said Helena Sims, NACHA's senior director of public-private partnerships. The association's main job is to set rules for the Automated Clearing House Network, which makes direct payroll deposits, automatic payments and other money transfers among financial institutions. ACHN serves 14,000 financial institutions, 3.5 million businesses and millions of consumers.
Although the clearinghouse network carries financial transactions and the DOD program is for physical access, 'it is the same basic model,' Sims said.
The model requires not only database interoperability but also common standards for confirming identity before credentials are issued. The pilot has only one high-assurance level for credentials; an expanded program could include multiple levels of assurance.
Setting policy for a shared trust system is trickier than coming up with the technology, Boggess said.
'Technically, I can do things much more quickly than the policy agencies can develop the policy,' he said.
The pilot dovetails with the efforts of the federal ID Credentialing Committee, which seeks standards for a common governmentwide ID card authenticated across agencies and interoperable with DOD's Common Access Card.
If the pilot is successful, future plans probably would involve a third party to host the gateway trust broker now housed at the Defense Manpower Data Center, Boggess said.
The pilot uses only fingerprints as a biometric identifier. Other identifiers, and an option for matching biometrics on the ID card, could be added later.
William Jackson is a freelance writer and the author of the CyberEye blog.