Interagency Advisory Board (IAB) Meeting
February 15, 2006

Agenda
• First Responder Partnership in National Capital Region (NCR) – Tom Lockwood (DHS) and Regional Partners
• Handheld RFI Update – Frank Jones (DoD)
• FIPS-201 Evaluation Program Progress – Judy Spencer (GSA)
• Physical Access Synergy – Tony Cieri
• Status Training Modules – Andrew Goldsmith (DOI)
• Backend Authentication Scheme Working Group (BASWG) – TBD
• Document Revision Progress – Curt Barker (NIST)
• Cryptographic Migration Plan – Tim Polk (NIST)
• Press Wrap-up

First Responder Partnership Initiative
Planning Approach for Trust & Verification of Identity and Role Across Multi-Jurisdictions
Mr. Tom Lockwood / NCR

FRPI Planning Approach: Trust & Verification of identity & role across multi-jurisdictions
[Diagram: Federal strategic plans (DOJ, DHS, HHS, EPA) under HSPD and NIMS/NRP, with the NIPP guidance template; State and Local strategic plans; Private Sector (profit, critical infrastructure, associations, chambers, not-for-profit and community round table organizations); NCR Strategic Plan with Regional Orgs & Hosted International; WashCOG REG-ECP (2002), 8 Commitments to Action (2002), UASI Strategy and CAO-SPG Priorities (detailed objectives)]
Regional Emergency Support Functions: #1 Trans, #2 Comm, #3 PW/Engin, #4 Fire, #5 Emerg Mgmt, #6 Mass Care, #7 Res Supp, #8 Health, #9 Urban S&R, #10 Hazmat, #11 Agric, #12 Energy, #13 Public Safety, #14 Recov & Mitig, #15 Ext Affairs

Planning Approach: "What are we doing?"
Incident Management: to get the right people with the right attributes to the right places at the right times, thus reducing response/recovery times and promoting restoration to pre-incident quality of life conditions.

Planning Approach: Strategic Objectives
1. Establishment of a multi-jurisdictional identity trust model, in accordance with existing standards and technology, that enables interoperability for dynamic identity and emergency attribute management
2. Categorize all emergency response or critical infrastructure support personnel in accordance with the National Response Plan (NRP) or National Infrastructure Protection Plan (NIPP)
3. Integrate identity and NRP/NIPP category information into existing authoritative human resources databases/directories for use with current technology tool sets that support the electronic proliferation of trusted and secure information for access decisions
4. Standardize NRP/NIPP occupation sub-categories and qualifications in accordance with national and international personnel qualification standards as appropriate
5. Conduct exercises to integrate use with response requirements and applications development for trusted and secure electronic incident management with accountability

Goal: Multi-jurisdictional Identity Interoperability
To demonstrate multi-jurisdictional identity interoperability by electronically binding personalized First Responder Authentication Cards (FRACs), issued from different back-end infrastructures, to authorized responders in a communication-in or communication-out environment.
[Diagram: disaster recovery area; DOD within]

Common Process
1) Applicant – existing or new enrollee
2) Sponsor – practitioner/stakeholder community authoritative official
3) Enrollment Official – PIV data and documents collection/verification
4) Registrar – PIV data and documents validation/confirmation
5) Issuance Official – PKI certificate download and card distribution
6) Validation & Revocation Authority – sponsor's authoritative database/directories trigger for OCSP distribution

Planning Approach: HSPD-12 and the FRAC
[Diagram: "HSPD-12" linked to Logical access, Physical access, Preparedness and Identity Management, feeding the "FRAC"]

Planning Approach: Governance
[Diagram: Federal strategic plans (DOJ, DHS, HHS, EPA) under HSPD, H.R. 418, NRP, NIPP and FIPS-201; NCRC; Regional strategic plans (Virginia, D.C., Maryland) with Regional Orgs & Hosted International; Private Sector (profit, critical infrastructure, associations, chambers, not-for-profit and community round table organizations); County & Local strategic plans with a UASI-funded PM]
Provide a continual process improvement loop to incorporate best practices across jurisdictions and ensure continued architectural alignment and interoperability.

Partnership Members
• Federal – Lemar Jones, Director, Antiterrorism/Force Protection Directorate, Pentagon Force Protection Agency; Gordon Woodrow, Regional Director, Region 3, U.S. Department of Health and Human Services
• NCR – Robert LeGrande, Deputy Director, Office of the Chief Technology Officer, District of Columbia
• Virginia – Mike McAllister, Deputy State Director, Security and Emergency Management, Virginia Department of Transportation
• Maryland – Brad Jewitt, Director, Office of the Fleet, Facilities and Administrative Services, Maryland Department of Transportation
• Private – John N. Petrie, Assistant Vice President for Public Safety & Emergency Management, The George Washington University

NCR Data Interoperability Communications Architecture: Data Exchange Hub Concept of Operations
[Diagram: ESF-1..N users, Federal users, Executive users, Executive Admin and Public users, overseen by an Architecture Review Board, reach a Data Exchange Hub (Admin UI, Credentialing, Data Exchange, Data Search, Application Access) that connects Federal sources/Federal information and the ESF-1 and ESF-2 systems of Jurisdictions 1..N]

Goal: Standardized Incident Identity Management
A PKI identity smart card will provide the relying party with machine-read information to determine access privileges for granting access into, out of, and within various areas as required.
[Diagram: Disaster Recovery Area with Multi-Jurisdictional Recognition (mobile identity management); information feed from Federal, State, Local and Private sources into a First Responder Validation Authority (produced and synchronized nightly), read from a PDA; information formats: data, text, image]

Proposed Implementation Timeline
Phase I
• Regional "as-is" and "to be" analysis: 01/03/06 – 02/28/06
• Limited implementation for interface analysis: 01/03/06 – 02/28/06
• Mobile device and interoperability analysis: 01/03/06 – 02/28/06
Phase II
• NCR sponsored pilot exercises: 03/15/06 – 03/30/06
• Commence regional implementation: 04/01/06 – 07/30/06
• NCR sponsored exercises: 04/03/06 – 04/27/06
• FEMA sponsored Forward Challenge 06: 06/19/06 – 06/22/06
Phase III
• Complete implementation: 07/30/06 – 09/30/08
• NCR sponsored exercises: 09/04/06 – 09/30/08

NCR Program Deliverables
Pilot Objectives: leverage existing technologies to better define long term solutions.
NCR Program Deliverables (continued)
I-Net Project
• High level pilot plans: light up at least 4 regional fiber connections (locations TBD)
• May '05 status (NCR requirements and design efforts): requirements and design SOW awarded
BB Project
• High level pilot plans: external to District pilots, but interoperable to DC
 – 1x EVDO Rev-A
 – WiMAX
 – 4.9 GHz
 – WiFi
 – Flarion
 – Mesh
• May '05 status: requirements and design SOW awarded
EOC Int Project
• High level pilot plans:
 – Web EOC to Web EOC pilot
 – Web EOC to/from other CIMS (DC–Montgomery)
 – Federal (TBD)
 – Web EOC to/from DEH
• May '05 status: requirements RFP due out 9-10; design SOW TBD, depends on completion of requirements work
DEH Project
• High level tech assessments of existing solutions:
 – CAPWIN
 – CAP STAT
 – HSIN
 – SHIELD
 – Research other options
• May '05 status: requirements SOW awarded; design SOW TBD, depends on completion of requirements

Interoperability Program Summary
Interoperability Imperative: Offices / Operational Centers
• Task description: Connect Emergency Operations Centers (EOCs). Leverage existing off-the-shelf solutions to seamlessly integrate the Emergency Operations Centers. Select a jurisdiction to develop a pilot application and serve as an NCR model. This will facilitate testing and validation of the EOC interoperability solution.
• Project benefit to the NCR: This integration will allow for increased coordination, faster regional response times, and backup in case of system failure or center outages.
Interoperability Imperative: Field Mobile Operations (I-Net)
• Task description: Design and procure the physical pathways (I-Net) necessary for interconnection among regional public networks. Engineer and procure an integrated solution for interoperable interconnection. Develop a pilot application for incident command and control management and sharing of public safety resources related to E9-1-1, and protocols for interoperating in a regional crisis.
• Project benefit to the NCR: Specific benefits of private network interconnections (I-Nets) include the ability to interconnect the region's 9-1-1 Centers, and to create an interoperable regional communications fabric supporting public safety broadband wireless systems.
Interoperability Imperative: Field Mobile Operations (broadband wireless)
• Task description: Design a regional interoperable/interconnected broadband wireless network providing outdoor coverage for the NCR. Collect NCR first responder broadband application security, functional and performance requirements.
• Project benefit to the NCR: A regional wireless broadband network will significantly enhance first responder communication capabilities, and will provide the infrastructure to enable true voice/data interoperability via voice over IP technology.
Interoperability Imperative: Data & Applications
• Task description: Deploy a high performance search capability (neutral host) to allow authorized users access to data housed in individual jurisdictions' locations. This functionality will be available to any browser-based user, whether connected through the Internet (VPN) or through a browser-compatible wireless service. A centralized security model will ensure authorized access. All data will remain under the administrative and technical control of the owner jurisdiction.
• Project benefit to the NCR: By allowing real-time electronic exchange of data for public safety, emergency preparedness officials at all levels should realize immediate improvements and cost reductions in Homeland Security data communication activities.

FRAC Implementation & Strategic Objectives
Presenter: W. Duane Stafford
Agency: Virginia Department of Transportation
Office: Security & Emergency Management Division
Date: February 15, 2006

Virginia & DHS Partnership
● The Commonwealth of Virginia is currently issuing First Responder Authentication Cards (FRACs) to Federal, State and local governments.
● Virginia is working with DHS to implement FIPS 201 as a part of its FRAC Initiative.
FRAC Credential
● VDOT's Security and Emergency Management Division (SEMD) Transportation Protective Security Section (TPS) is currently responsible for:
 – FRAC development
 – Testing
 – Implementation
 – Maintenance of the FRAC credentials and policies
● VDOT has adopted a standard FRAC for use in:
 – Identifying a person's status within the Agency (Employee or Contractor)
 – Gaining physical access
 – Site access to identified critical incident areas as an Emergency Responder

VDOT FRAC Design
[Slide shows the VDOT FRAC card design]

FRAC Policy & Procedures
● VDOT has developed a FRAC policy which establishes:
 – Procedures regarding the issuance and use of the VDOT FRAC
 – Clarification regarding FRAC eligibility
● The policy embraces and supports both HSPD-12 and FIPS PUB 201.
● VDOT has developed a FRAC Usage Policy which establishes expectations for FRAC holders.
● The policy explains:
 – Uses of the FRAC
 – Care and display of the FRAC
 – Fraudulent use/abuse of the FRAC
 – FRAC restrictions

FRAC Request Form
● VDOT, in conjunction with DHS, has developed a standard "First Responder Authentication Card (FRAC) Request" form (SEMD 201-05).
● VDOT is currently anticipating converting the SEMD 201-05 paper form to an electronic form.
Note: The FRAC Request Form was derived originally from the Personal Identity Verification (PIV) Request for USDA ID Badge form.

FRAC Marketing & Training
● VDOT has developed a FRAC "Frequently Asked Questions" brochure to hand out to all First Responders who are issued a FRAC through VDOT.
● The brochure explains to the FRAC holder what the FRAC is and how it is different from their regular Access Control and Identification Card.

Post Winter Fox
● Further develop PIV Roles and pre-register individuals.
● Develop, test and implement Logical and Physical Access Control System (Pegasys) enhancements to track FRAC credentials with reports and management.
● Develop and implement a structured way of identifying First Responders requiring FRACs throughout the Commonwealth of Virginia.
FRAC Issues to Resolve
● The cardholder's digital photo must be accessible prior to PIN input.
● Approved Products/Vendor Lists and Accreditation (GSA).
● NACI requirement solution for State governments.
● Cardholder naming convention must be clarified.
● Color-coding for employee affiliation must be clarified.

Status Brief: IAB Meeting 2/15/2006
Maryland First Responder Authentication Card
• Port of Baltimore ACS Upgrade
• Partnership with Baltimore Metro First Responders
• Alpha Testing Phase: 2000 FRAC seats (mobile solution)
 – Winter Fox Demonstration 2/23/2006
 – Concept of Operations / Business Rules
• Beta Testing: brick and mortar site
• Penetration:
 – MD National Guard
 – Coast Guard
 – 8 of 23 counties and Baltimore City (after Alpha Testing)
• NCR / Baltimore
• Future:
 – Strategic implementation plan for the State across all ESFs

The George Washington University: Private Sector Credentialing
• The public sector may not be able to sustain the needs of private entities such as GW, with a population of 20,000+ members and over 125 facilities.
• Allows for continuous provision of critical services and access to sensitive facilities or research centers.
• Promotes self-sufficiency and less reliance on first responders and the public sector, thus allowing resources to be utilized elsewhere.
• Provides credibility to private sector responders/incident teams by using universally recognized credentials.
• Eases access for thousands of employees commuting from MD, VA, WV, and PA who are separated by layers of local, state, and federal law enforcement agencies, each with control points or perimeters.

DMDC – Information and Technology for Better Decision Making
Joint Program Handheld/Mobile Device Status for Government Smart Card Interagency Advisory Board (IAB)
Presented by Frank Jones, DoD Access Card Office
February 15, 2006

Plan of Action
• 8/03/2005 – Gather requirements from user community
• 8/03/2005 – 9/30/2005 – Consider DBIDS lessons learned
• 10/26/2005 – Finalize consolidated requirements
• 10/26/2005 – Market survey of products capable of customization and modularity
• 12/16/2005 – Release Request for Information (RFI)
• 1/18/2006 – RFI vendor responses received
• 3/21/2006 – RFI summary report
• February 2006 – Contract for handheld expertise support

Questions?
Frank Jones
(703) 696-0179
Francis.Jones@osd.pentagon.mil

FIPS 201 Evaluation Program
Office of Governmentwide Policy, Office of Technology Strategy
Judith Spencer
15 February 2006

Presentation Agenda
• Card/Reader Interoperability Task
• Lab Development Task
• Call for Industry Support

Card/Reader Interoperability Task
• Update
 – 66% complete
 – FIPS 201 Category List revised
  • 19 remaining categories
  • Categories mapped to Requirements Traceability Matrix
  • Reader categories by use case
 – Test fixture prototype developed
 – Card/reader requirements nearing completion
• Next major milestone
 – Card/reader interoperability requirement validation

Lab Development Task
• Update
 – 20% complete
 – CONOPS completed
 – Configuration Management Plan completed
 – Approval Procedure Template completed
• Next major milestone
 – Web-enabled information source review

Looking for Assistance from Industry
• Evaluation Program Technical Working Group (EPTWG)
 – More technical input from reader & card manufacturers desired
 – Starting subgroup for reader & card technical representatives
  • Weekly, in person, whiteboard meetings
  • March through end of April
  • Review/comment/revise reader & card test procedures
  • Engineers preferred

Questions?
April Giles
Contact information:
Email: april.giles@gsa.gov
Website: http://www.smart.gov/fips201apl
Phone: 1.202.501.1123

RFI Results
• 71 unique responses
• ~13 indicated turnkey service capability
• General consistency in the cost data
 – Some questions concerning what is included
• Conclusion – Industry is prepared to provide the services required by FIPS-201 for enrollment and card management.

Next Steps
• Develop high level architectural concept
• Start tightening up the technical specifications and requirements definitions (including business requirements) for a managed solution
• Recognize differences between the 'ramp up' and the 'normalized' activities
• Awaiting results from two agency data calls – due Feb 24, 2006
• Update performance metrics based on RFI feedback

Physical Access Synergy
[Diagram: the Physical Access Control System (PACS) PAIIWG bridging Federal requirements and industry standards (SIA, SCA)]

PACS Objective
• No conflict or ambiguity in FIPS-201 or related documentation as they apply to PACS
• Ensure that the industry standards developed by SIA are in synergy with Federal requirements

PACS PAIIWG Members
• M. Butler – IAB Chair
• A. Cieri – Coordinator
• SCA and SIA representatives: M. Sulak, C. Medich, R. Zivney, T. Baldridge, D. Pfeiffer, S. D'Agostino, S. Howard, R. Vanderhoof, K. Kozlowski, M. Regelski, L.J. Neve, R. Merkert, L. Kull, E. Widlitz, D. Vanderweele, T. Damalos, J. Zok, K. Stewart, R. Martin, B. Gilson

HSPD-12/FIPS 201 Training Modules Update

Introduction
• Continuing development of a series of web-based training modules and assessment tools to assist management, administrators and users in complying with FIPS 201
• The series will assist in the consistent implementation of HSPD-12/FIPS 201 across the Federal Government

Timelines and Modules
• Delivery on 10/03/2005 included:
 – Module 1: PIV Overview
 – Module 2: PIV Roles and Responsibilities
• Delivery in Spring 2006 includes:
 – Module 3: Privacy Awareness
 – Module 4: Administrator (technical explanation)
 – Module 5: Appropriate Uses

Hosting of Modules
• Working with USALearning to host all five modules
• There may be two versions of each module:
 1. Base module – meeting a baseline set of specifications from OPM so every department may access the training
 2. Secondary module – will utilize a multi-media approach, including streaming

Modules Format
• Modules include three windows:
 – Video streaming, including interviews with government officials
 – PowerPoint slides
 – Transcript with hyperlinks to important topics for more details

Module 1 and 2
• Module 1 – Overview is available on USA Learning (http://www.usalearning.gov/coursecatalog/index.cfm?fuseaction=oltovervie)
• Module 2 is available from your agency HSPD-12 representative (www.vodium.com/goto/blm/hspd12.asp)

Modules 3-5
• In the process of finalizing PowerPoint slides and narration
• Video shoot week of March 6th
 – Scheduling Subject Matter Experts to interview on camera
 – Preparing for video shoots throughout Washington, DC

Module 3 – Privacy Awareness
Objectives for module:
 – Explanation of the individual's privacy and the means taken to secure information
 – Explanation of the information collected and how it is protected
The training will answer the following questions:
 – What technology innovations on the PIV Card itself help protect both my identity and my privacy?
 – What information about me is on the PIV Card?
 – What information is collected – and why – in order to get a PIV Card?
 – How will my information be safeguarded, and what controls are in place?
 – Who can I talk to if I have questions or concerns?

Module 4 – Administrator
Objectives for module:
 – Users will understand the components within the technical infrastructure and all of the dependencies at the 1000 foot level (not the 1 foot level)
 – Explains what is needed to issue a PIV Credential
The training will answer the following questions:
 – What are all of the components of a credential?
 – What personal data is needed, and how will the data be saved or deleted?
 – How does issuance of the credential work?
 – How is data stored on a card?
 – How is the credential configured with PKI and biometrics to enable it to be used for physical and logical access?

Module 5 – Uses of the Credential
Objectives for module:
 – Explains migration from flash pass and passwords to electronic verification
 – Explains the physical and logical use of the credential across domains (across the entire federal enterprise)
 – Explains Public Key Enabling
The training will answer the following questions:
 – What are the primary credential uses? How will physical and logical access work? What are OMB Memoranda 04-04 and 05-05?
 – What are other uses for the credential?

Backend Authentication Work Group (BAS WG)
15 February 2006

Status
• Membership has met several times over the last month as government only
• Expanding membership to include other interested parties (industry or government):
 – Meeting type: conference call
 – Date: Tuesday, 28 February
 – Time: 2-4pm EST
• All interested parties should provide contact information to jonathan.baldwin.ctr@osd.pentagon.mil

HSPD #12 Document Revision Status
National Institute of Standards and Technology
February 15, 2006

Current Activities
• FIPS 201-1 accommodation of OMB Memorandum M-05-24
• Special Publication 800-73 adjustments to accommodate Special Publication 800-76
• Reformatting of Special Publication 800-85 to separate card command conformance testing from data model conformance testing
• Federal Register Notice request for recommendations for revision of FIPS 201-1 and associated guidelines

FIPS 201-1 Accommodation of OMB Memorandum M-05-24
• Provides for interim issuance of credentials based on a National Criminal History Check and requires electronic indication of interim issuance on the PIV card.
• FIPS 201-1 signed by the NIST Director and forwarded to DoC for signature.
• Awaiting signature of the Secretary of Commerce.

Special Publication 800-73 Adjustments to Accommodate Special Publication 800-76
• Biometric storage format changes
• Incorporation of previously posted errata
• Elimination of the requirement to provide the user PIN before permitting access to public PKI certificate information
• Proposed changes posted for public comment (comments before March 2006)

Reformatting of Special Publication 800-85
• Separates card command conformance testing from data model conformance testing
• SP 800-85A to be posted February 16 at http://csrc.nist.gov/piv-program
• SP 800-76 data model conformance requirements being included in SP 800-85B

Revision of FIPS 201-1 and Associated Guidelines
• Federal Register Notice requesting change recommendations being staffed
• Anticipate posting shortly
• Plan workshops to discuss recommended changes
 – Need for change
 – Impact on standards stability
 – Priority and schedule determination

HSPD #12 Cryptographic Migration Plan
Tim Polk
National Institute of Standards and Technology
February 15, 2006

Relevant Specifications
• FIPS 201 does not explicitly specify key sizes or cryptographic algorithms
• FIPS 201 incorporates NIST Special Publication 800-78 and the FPKI Common Policy by reference
 – Both specifications stated requirements for algorithms and key sizes
 – Requirements for public key algorithms were stated inconsistently

Rationale for Cryptographic Specifications, Part One
• Moore's Law is not negotiable!
 – 80 bit cryptography is mostly dead
• 1024 bit RSA and 160 bit ECC cannot be relied upon for cryptographic services to achieve HSPD #12's goals after 2010
• For authentication keys, 80 bit strength is fine through 2010
• For signatures and confidentiality, the transition is needed before 2010

Rationale for Cryptographic Specifications, Part Two
• Protect legacy implementations
 – 80 bit strong RSA (1024 bit keys) is widely used, so it is permitted by the Common Policy and NIST SP 800-78
• Avoid unnecessary transitions
 – 80 bit strong ECC (160 bit keys) is not widely used, so force ECC implementers to curves with 224+ bits

Common Policy
• The Common Policy predates FIPS 201, and has a broader scope
 – Version 1 recognized only RSA
  • 1024 bit RSA and SHA-1 acceptable
  • Established migration timelines for 2048 bit RSA and SHA-256 based on certificate issuance date
 – ECC added in 3/05 to support FIPS 201
  • 163 bit through 283 bit keys
  • SHA-1 and SHA-224 may be used with 163 and 224 bit keys
  • Migration timelines consistent with RSA

NIST SP 800-78
• Supports FIPS 201 and only 201
 – Developed after FIPS 201, published 4/05
• Established migration timelines based on certificate expiration date
 – More forgiving, since agencies can issue short lifetime certs after the dates in the Common Policy
 – More consistent with Moore's Law, since it focuses directly on the usage period of the key

Summary
• The HSPD #12 cryptographic migration timeline is as pragmatic as possible, but our options are constrained by Moore's Law
• The Common Policy and SP 800-78 state migration timelines differently
 – Consistency is being pursued by NIST

Questions?

Press Wrap-up
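As an added illustration of the cryptographic migration plan above (not code from the IAB deck or from NIST), the following Python contrasts the two ways the slides say the timelines are stated: an issuance-date rule in the style of the Common Policy and an expiration-date rule in the style of SP 800-78, using the 80-bit/112-bit strength of the key sizes the slides name and the per-usage deadlines the slides give (authentication fine through 2010; signature and confidentiality before 2010). The Common Policy issuance cut-off date and the sample certificates are assumed placeholders, not values from the deck.

```python
from dataclasses import dataclass
from datetime import date


def security_strength(algorithm: str, key_bits: int) -> int:
    """Bits of security for the key sizes the deck discusses (NIST SP 800-57 mapping)."""
    table = {
        "RSA": ((3072, 128), (2048, 112), (1024, 80)),
        "ECC": ((256, 128), (224, 112), (160, 80)),
    }
    for size, strength in table[algorithm]:
        if key_bits >= size:
            return strength
    return 0


@dataclass(frozen=True)
class Cert:
    subject: str
    algorithm: str    # "RSA" or "ECC"
    key_bits: int
    not_before: date  # issuance date
    not_after: date   # expiration date
    usage: str        # "authentication", "signature" or "confidentiality"


# Policy parameters. The issuance cut-off is an ASSUMED placeholder for this
# example; the deck only says 80-bit keys cannot be relied on after 2010,
# authentication keys are fine through 2010, and signature/confidentiality
# keys must transition before 2010.
STRONG = 112                                        # 2048-bit RSA or 224-bit ECC
COMMON_POLICY_ISSUANCE_CUTOFF = date(2008, 12, 31)  # assumed, not from the deck
SP800_78_USAGE_DEADLINE = {
    "authentication": date(2010, 12, 31),   # 80-bit strength fine through 2010
    "signature": date(2009, 12, 31),        # transition before 2010
    "confidentiality": date(2009, 12, 31),  # transition before 2010
}


def common_policy_allows(c: Cert) -> bool:
    """Issuance-date rule: 80-bit keys only in certificates issued by the cut-off."""
    strength = security_strength(c.algorithm, c.key_bits)
    if strength >= STRONG:
        return True
    return strength >= 80 and c.not_before <= COMMON_POLICY_ISSUANCE_CUTOFF


def sp800_78_allows(c: Cert) -> bool:
    """Expiration-date rule: 80-bit keys only if the key stops being used by the deadline."""
    if c.algorithm == "ECC" and c.key_bits < 224:
        return False  # deck: ECC implementers are forced to 224+ bit curves
    strength = security_strength(c.algorithm, c.key_bits)
    if strength >= STRONG:
        return True
    return strength >= 80 and c.not_after <= SP800_78_USAGE_DEADLINE[c.usage]


def evaluate(certs):
    """Map each subject to (allowed by Common Policy rule, allowed by SP 800-78 rule)."""
    return {c.subject: (common_policy_allows(c), sp800_78_allows(c)) for c in certs}


# Constructed sample certificates (illustrative only, not real credentials).
SAMPLE = [
    Cert("long-lived-1024", "RSA", 1024, date(2009, 2, 1), date(2012, 2, 1), "authentication"),
    Cert("short-lived-1024", "RSA", 1024, date(2009, 2, 1), date(2009, 8, 1), "authentication"),
    Cert("legacy-sig-1024", "RSA", 1024, date(2007, 6, 1), date(2010, 6, 1), "signature"),
    Cert("ecc-163", "ECC", 163, date(2006, 1, 1), date(2008, 1, 1), "authentication"),
    Cert("rsa-2048", "RSA", 2048, date(2009, 2, 1), date(2012, 2, 1), "signature"),
]

if __name__ == "__main__":
    for subject, (cp, sp) in evaluate(SAMPLE).items():
        cp_text = "ok" if cp else "NO"
        sp_text = "ok" if sp else "NO"
        print(f"{subject:17} Common Policy: {cp_text:3} SP 800-78: {sp_text}")
```

The short-lived 1024-bit certificate is the "more forgiving" case from the slides: it fails the issuance-date rule but passes the expiration-date rule because the key stops being used before the deadline, while the legacy signing certificate shows the opposite, passing on issuance date but failing because it would still be in use after the signature deadline.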