Federal Approach to Electronic Credentials. For services to citizens, businesses, other governments, and employees. Mary J. Mitchell, Office of Electronic Government. [email protected] web: egov.gov Federal PKI efforts: www.cio.gov/fpkisc

Federal Approach to Electronic Credentials


Page 1: Federal Approach to Electronic Credentials

Federal Approach to Electronic Credentials

For services to citizens, businesses, other governments, and employees

Mary J. Mitchell Office of Electronic Government

[email protected] web: egov.gov

Federal PKI efforts: www.cio.gov/fpkisc

Page 2: Federal Approach to Electronic Credentials

E-Government Management Initiative

Vision: deliver an order of magnitude improvement in the federal government’s value to the citizen.

Integral Part of President’s Management Agenda

Definition: use of digital technologies to transform government operations in order to improve effectiveness, efficiency, and service delivery.

The Principles: Citizen-centered, Market-based, Results-oriented

Simplify & Unify

Page 3: Federal Approach to Electronic Credentials

E-Gov’t Services Landscape

• Internal Effectiveness and Efficiency

• Government to Government

• Government to Business

• Government to Citizen

Page 4: Federal Approach to Electronic Credentials

When Web Interactions Need Strong Security

• To protect privacy, government must know whom it is dealing with

• Operations exceed reasonable risk

• User Authentication
  – Knowing who your correspondent is

• Transaction Integrity
  – Ensuring the message sent is the message received

• Non-Repudiation
  – Correspondent cannot deny conducting transaction

• Confidentiality
  – Only authorized persons can read the message

Page 5: Federal Approach to Electronic Credentials

Identity Credentials

• Driver’s License

• Employee Identification Card

• Passport

• Birth Certificate

• Physical Presence

• Social Security Number

• Signature

• Electronic Credentials (including PKI Certificates)

Page 6: Federal Approach to Electronic Credentials

Obstacles to Issuing Citizens Digital Certificates

• Some populations (e.g., students, low-income) lack sufficient means for identity proofing like a credit history, permanent address, etc.

• Certain individuals object to divulging personal information (lack of trust in who holds it and whether it is adequately safeguarded)

• Cost and administrative complexity of certificate issuance

Page 7: Federal Approach to Electronic Credentials

E-Gov’t Strategy: Solutions to Barriers Incorporates PKI

Barrier: Agency Participation

Solutions:

• Sustained high level leadership and commitment

• Establish interagency governance structure (PMC, Steering Groups/Councils, Multi-agency partnership)

• Give priority for cross agency work

• Engagement of interagency user/stakeholder groups, including Communities of practice

Barrier: Federal Architecture

Solutions:

• OMB leading business & data architecture rationalization

• OMB sponsored architecture development for cross agency projects

• Use Firstgov.gov as primary on-line delivery portal for G2C, G2B

Barrier: Public Trust

Solutions:

• Establish secure transactions and identity authentication through e-Authentication project - all eGov Initiatives will use

• Incorporate privacy protections into each business plan

• Engage in public promotion

Barrier: Resources

Solutions:

• Move resources to programs with greatest return and citizen impact

• Set measures up-front and use to monitor implementation

• Provide online training to create new expertise among employees/contractors

Barrier: Stakeholder resistance

Solutions:

• Create comprehensive strategy for dealing with appropriation committees

• Argue for initiatives collectively

Page 8: Federal Approach to Electronic Credentials

eAuthentication Direction: Simplify and Unify

• Efforts focused on PMC approved E-Gov e-Authentication Initiative and tie to Firstgov

• Assist other E-Gov’t initiatives in defining their identity authentication needs

• Develop applications for cross-governmental use

• Coordinate aggregated buy of authentication products and services

• Promote interoperability with other entities through FBCA

Page 9: Federal Approach to Electronic Credentials

[Figure: scale running from Low Risk to High Risk. Labels: Factors; Privilege Management; Signature Required; Identity Verification Required; Identity Verification Not Required. Transaction types shown: General Information, Change Request, Benefits Application, Personal Information, Proprietary Information.]

Page 10: Federal Approach to Electronic Credentials

eAuthentication Gateway

[Figure: the eAuthentication Gateway. Labels: Gateway; Citizen; Business Agent; Academia; Health Care; State Government; FBCA; Identity Verification Required; Identity Verification Not Required; Credential Validation Process.]

Page 11: Federal Approach to Electronic Credentials

Federal Bridge Certification Authority

[Figure: the Federal Bridge Certification Authority between Trust Domain 1 and Trust Domain 2. Labels: Cross Certified CAs; Directory System Agent; Directory Infrastructure 1; Directory Infrastructure 2; FIPS 140-1 L3 Crypto (shown twice); directory contents listed as "Cross certificates, CRL" (shown twice) and "Cross certificates, ARL".]

Page 12: Federal Approach to Electronic Credentials

Selected Agency PKI Efforts

• The Evolving Federal Public Key Infrastructure document: www.cio.gov/fpkisc

• Department of Labor’s Career Management Account

• National Institute of Standards’ Advanced Technology Grants System

• Social Security Administration’s Wage Reporting and Medical Evidence

• Drug Enforcement Agency’s Electronic Prescriptions for Controlled Substances

Page 13: Federal Approach to Electronic Credentials
Page 14: Federal Approach to Electronic Credentials

Nat’l Institute of Standards and Technology (NIST)

• ACES used for the electronic submission and review of proposals for the Advanced Technology Program (ATP)

• Uses digitally signed documents to send proprietary information over the Internet, digitally signs and encrypts forms, captures data and populates ATP database

• Uses a web server for downloads/submission of forms and documents, then pulls them behind NIST and ATP firewall

• Pilot with 12 proposal submissions completed in Sept 2001

• Goes “live” for ATP’s FY2002 competition

Page 15: Federal Approach to Electronic Credentials

Social Security Administration (SSA)

• Piloting ACES Digital Signature Certificates for on-line annual wage reporting

• Following pilot, SSA had a 90 percent approval by the 100 businesses participating

• Automating W-2 submissions critical to agency where nearly 6.5 million employers submit over 240 million W-2 forms for their employees

• Continuing to expand pilot capabilities and implementing digitally signed forms

Page 16: Federal Approach to Electronic Credentials

SSA’s Electronic Medical Evidence Pilots

California

• Third party providers submit encrypted Medical Evidence of Record and encrypted and signed Consultative Exams

• Using Secure e-Mail

• Expanding to include Web based Secure Messaging and Secure FTP

SSA/VA

• Mississippi requests Medical Evidence from VAMCs in Jackson and Biloxi. VAMCs send encrypted response to DDS via secure e-mail.

• Phase I decreased turnaround time from 25 days to 3

Page 17: Federal Approach to Electronic Credentials

DEA’s Controlled Substances

• Secure electronic transmission of controlled substance prescriptions

• Reduces prescription forgeries and medical mistakes

• Pharmacists, Medical practitioners, Long term care facilities

• Pilot program in concert with Veterans Administration (VA) Outpatient Pharmacies

• Baltimore Technologies UniCert CA

Office of Diversion Control, May 2001

Page 18: Federal Approach to Electronic Credentials

In the future, what role does PKI play?

• PKI is not the answer for all needs but it can add the required authentication for trustworthy e-gov services

• Using PKI technology for strong authentication needs addresses mandates such as HIPAA and eSign

• Federal bridge CA facilitates unifying islands of automation

• e-Authentication initiative will organize authentication needs for critical government business lines

Page 19: Federal Approach to Electronic Credentials

Closing Words

• The Vision: Enable e-Government through
  – A cross-governmental, ubiquitous, interoperable Public Key Infrastructure.
  – The development and use of applications which employ that PKI in support of Agency business processes.

• Government-wide initiatives include:
  – Federal PKI Policy Authority
  – Federal Bridge Certification Authority
  – Access Certificates for Electronic Services
  – Leveraging other authentication investments where appropriate