USDA HSPD-12: Implementing PIV cards @ USDA
U.S. Department of Agriculture, HSPD-12 Program
April 2009

USDA and the GSA HSPD-12 Shared Solution

USDA has been at the forefront of driving a shared solution for HSPD-12 across the Federal Government:
• Co-chairing the HSPD-12 Executive Steering Committee
• Contributed to the development of the General Services Administration (GSA) Statement of Work for HSPD-12
• Serving on the vendor evaluation committee

To that end, USDA is prepared to adopt the GSA HSPD-12 Shared Solution as its USDA enterprise-wide solution.

HSPD-12 PIV card: LincPass cards

LincPass process (diagram)
Getting a card:
• HR sponsors
• Person enrolls
• BI is completed
• Card is issued
• Person activates
Using a card:
• Logical access: for access to computers
• Physical access: for access to buildings

Identity and Access Management (diagram; the slide builds the same architecture in a current-state view and a target-state view)

Layers shown across the diagram: Identity; Credentials; Accounts; Access Control; Application Integration; Authorization.
Populations: Employees, Customers, Contractors (Identity Stores).

Current-state components:
• Credentials: Username, Password, HSPD-12 CHUID, PKI Certificates, eAuth
• Accounts: AD Domains, eAuth, Mainframe
• Access Control: LACS, VPN (IPSec/SSL VPN), PACS, E-PACS, 802.1X, Security Profile Mgmt, Network Admission Control (Quarantine, Device Auth, User Auth), Disk Encryption Authentication
• Authorization: Application RBAC, Win 2K3 AzMan, Entitlement Mgmt, Role Based Access Control, Role Attribute Mgmt (Org, Position, Location)
• Federation: InCommon Federation (Authentication, Authorization)
• Services: Non-Repudiable eGov Services, Persistent Connectivity, Mobile Computing, Collaboration, Auditing

Target-state additions:
• RBAC Attributes, Rules Engine, Identity Mgmt, Workflow Engine, Enterprise Entitlement Management System (EEMS)
• Network Access Control and Endpoint Security (Remote/Wired/Wireless): Device PKI, PIV User Auth, Health State Validation, File Integrity, HB IPS/FW, Remediation, DLP
• Enhanced Services: Encryption, Digital Signature, Non-Repudiation
• Federation: Authentication, Authorization

HSPD-12 Business Process

General HSPD-12 concept (process flow):
• Sponsorship: capture applicant information & authorize PIV card
• Enrollment: identity proof & capture biometrics
• Adjudication: complete BI and record results
• Issuance: produce card and issue to applicant
• Activation: authenticate applicant and activate card
• Credential Usage: manage card lifecycle

Process components: IDMS GUI, IDMS DB, Certificate Authority (CA), CMS, CPS, Finalization Workstation, Card Reader, CMS & IDMS; labelled stages: Enrollment, Finalization.

LACS, PACS, and HR (diagram)

Components shown, with interactions between them:
• Personnel Management System (Contractors, Employees); Registration AD
• Registration WKS: Document Scanner, Card Reader, Camera, Finger Print Scanner
• CHMS: App Server, CHMS DB, Reporting; OPM / FBI
• Card Printing, Card Distribution; CMS, CPS; CMS DB
• PKI: Certificate Authority, CRL, OCSP Responder, Key Mgt.
• Agency 1 LACS and Agency 2 LACS: ADMIIS, RDBMS, Data Store, Workstations
• Agency PACS: Enterprise PACS Servers, Agency Controller, PACS Master DB, PACS Mobile Unit, Facility
Legend: Shared Service vs. USDA Responsibilities.

Overall Architecture (diagram, with integration status)
• EIMS: HSPD-12 Service Provider; Logical Access Control Systems
• Sponsorship & Adjudication Data Feed: Done
• Query SIP Data Feed: Done
• EmpowHR: Done
• Non Employee Identity System (NEIS): Done
• EIDS V3.1 / EIDS Connector: Done
• Payroll/Personnel (PP): Done
• AD Connector & Card Info Feed: In Progress, 7 agencies done
• Laptop User LincPass Domain Login: All agencies in progress
• ePACS / ePACS Connector: 3/13/09

Three Phases with NCE and GSA shared solution
• June 9 – Sept 30, 2008: Summer Mobile enrollments
• October 1 – April 30, 2009: Winter Mobile enrollments
• May 1 – Sept 30, 2009: Sustainment and Operations

• General Services Administration
• Office of Personnel Management
• United States Department of Agriculture
• United States Department of Energy
• United States Department of Interior
• US Department of Justice
• United States Department of Treasury

An Example: Enrollment Answer from Mobile enrollment, Phase 1 and 2
(map: Example of Enrollment Locations)
Sioux Falls (DOI); Minneapolis (USDA/APHIS); Fargo (USDA/ARS); Falcon Heights (GSA); Park Falls (USDA/FS); Stevens Point (USDA/RD); Grand Forks (USDA/ARS); Pocahontas (USDA/RD); Waverly (USDA/RD); Duluth (USDA/FS); Mankato (USDA/FSA); Rochester (USDA/FSA); Grand Rapids (USDA/FS); Baxter (USDA/FSA); Morris (USDA/ARS); Marshall (USDA/NRCS); Madison (USDA/FS); Huron (GSA); Aberdeen (USDA)
Phase 3 Permanent Locations Example
* Klamath Falls
* LaGrande
* Pendleton
* Roseburg
* Tangent
* Yakima

Phase 3 Light Activation
Participants identified:
• Permanent Enrollment \ Activation centers: Shared, Agency Only
• Light Activation Stations: Shared, Agency Only
Light Activation Station components: Fingerprint Reader, Read/Write Smart Card Reader, Special Software
(photo: GSA's Light Activation Station)
USDA Report Card
• Over 160 Mobile Enrollment stations during Summer
• 225 Mobile Enrollment Stations during Winter
• Enrolled 74,000+ Employees across the Entire Country
• Enabled Two-Factor Authentication for almost 55,000 Laptops
• Implemented a National PACS Infrastructure & Began Connecting 100 MCFs

USDA Next Steps
PIV cards:
• Continue issuing cards to Federal and contract staff
• Complete remaining investigations
Two-Factor Authentication:
• eAuthentication Two-Factor Integration
• VPN Two-Factor Integration
• Digital Signature Integration for Office, Outlook and Adobe
• Encryption Integration for Outlook
ePACS:
• Identify remaining MCFs
• Implement solution at all MCFs
Other:
• Continue to share information with NCE participants
• End Point Security \ VPN

Conceptual Strategy: Network & Endpoint Security (diagram)

Endpoints reach the network wired through a Distribution Layer Switch, wireless through a Wireless Access Point, or remotely through SSL VPN. Each endpoint runs: Host-Based Firewall, 802.1x Supplicant, Host-Based IPS, SSL VPN, Health Check, Endpoint Security Agent. The sample LincPass shown reads: United States Government; OCT2012; USDA; Bloggs, Joseph G; Expires 2012OCT22; Affiliation: Contractor; Agency/Department: Department of Agriculture.

Network side: Network Access Controller; USDA Enterprise Directory; VPN; IDS; Remote Access and Local Access paths.

Health Check: Pass or Fail; an endpoint that fails is sent to Remediate. NAC Agent checks: BigFix, Anti-X, Patch Management, Disk Encryption, FDCC, File Integrity Checking, Host-Based FW, Host-Based IPS, Data Loss Prevention. Access is then scoped by User Roles, with ISOC Auditing and Reporting.
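The admission flow on this slide (802.1x device authentication, PIV user authentication, then a health check whose failure routes the endpoint to remediation), written out as an added example. This is illustrative code, not USDA's or any NAC vendor's implementation; the Endpoint and Admission classes, the check names and the role-to-segment table are assumptions made for the example, and the sample endpoints are constructed.

```python
"""Network admission decision modelled on the slide's conceptual strategy.

Added example, not USDA's or any NAC product's code. Class names, check
names and the role-to-segment table are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    GRANT = "grant"            # normal access for the user's roles
    QUARANTINE = "quarantine"  # remediation network only
    DENY = "deny"              # no admission at all


# Posture items the slide's NAC agent reports on (assumed boolean results).
REQUIRED_CHECKS = (
    "anti_x", "patch_management", "disk_encryption", "fdcc",
    "file_integrity", "host_firewall", "host_ips", "dlp",
)

# Assumed mapping from user role to the segments that role may reach.
ROLE_SEGMENTS = {
    "employee": ("intranet", "enterprise_directory"),
    "contractor": ("intranet",),
    "admin": ("intranet", "enterprise_directory", "management"),
}


@dataclass
class Endpoint:
    host: str
    device_auth_ok: bool   # 802.1x supplicant / device PKI result
    piv_auth_ok: bool      # PIV card (LincPass) user authentication result
    roles: tuple = ()
    posture: dict = field(default_factory=dict)  # check name -> bool


@dataclass
class Admission:
    decision: Decision
    reason: str
    segments: tuple = ()
    remediation: tuple = ()
    audit: str = ""


def failed_checks(posture):
    """A check missing from the agent's report counts as failed (fail closed)."""
    return tuple(c for c in REQUIRED_CHECKS if not posture.get(c, False))


def evaluate(ep):
    """Order matters: device auth, then user auth, then the health check."""
    if not ep.device_auth_ok:
        result = Admission(Decision.DENY, "device authentication failed")
    elif not ep.piv_auth_ok:
        result = Admission(Decision.DENY, "PIV user authentication failed")
    else:
        failed = failed_checks(ep.posture)
        if failed:
            # Fail -> Remediate: only the remediation segment is reachable.
            result = Admission(Decision.QUARANTINE, "health check failed",
                               segments=("remediation",), remediation=failed)
        else:
            # Pass -> access scoped by user roles.
            segs = sorted({s for r in ep.roles for s in ROLE_SEGMENTS.get(r, ())})
            result = Admission(Decision.GRANT, "health check passed",
                               segments=tuple(segs))
    # One line per decision for the ISOC auditing and reporting function.
    result.audit = (f"host={ep.host} decision={result.decision.value} "
                    f"reason={result.reason!r} "
                    f"remediation={','.join(result.remediation) or '-'}")
    return result


# Constructed sample endpoints (not real hosts).
HEALTHY = {c: True for c in REQUIRED_CHECKS}
SAMPLES = [
    Endpoint("lt-0001", True, True, ("employee",), dict(HEALTHY)),
    Endpoint("lt-0002", True, True, ("contractor",),
             {**HEALTHY, "disk_encryption": False}),
    Endpoint("lt-0003", True, False, ("employee",), dict(HEALTHY)),
    Endpoint("lt-0004", True, True, ("admin",), {}),  # agent reported nothing
]

if __name__ == "__main__":
    for ep in SAMPLES:
        print(evaluate(ep).audit)
```

The fourth sample shows the edge case worth keeping in any such policy: an endpoint whose agent reports no posture at all is quarantined rather than admitted, because every required check is treated as failed until the agent positively reports it.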

USDA Contacts \ Questions
Owen [email protected], (970) 295-5538
Meria A. [email protected], (970) 295-5198