federal approach to electronic credentials
DESCRIPTION
Federal Approach to Electronic Credentials. For services to citizens, businesses, other governments, and employees. Mary J. Mitchell Office of Electronic Government [email protected] web: egov.gov Federal PKI efforts: www.cio.gov/fpkisc. E-Government Management Initiative. - PowerPoint PPT PresentationTRANSCRIPT
Federal Approach to Federal Approach to Electronic CredentialsElectronic Credentials
For services to citizens, businesses, other governments, and employees
Mary J. Mitchell Office of Electronic Government
[email protected]: egov.gov
Federal PKI efforts: www.cio.gov/fpkisc
E-Government Management Initiative
Vision: deliver an order of magnitude improvement in the federal government’s value to the citizen.
Integral Part of President’s Management Agenda
Definition: use of digital technologies to transform government operations in order to improve effectiveness, efficiency, and service delivery.
The Principles: Citizen-centered, Market-based, Results-oriented Simplify & Unify
E-Gov’t Services Landscape
Internal Internal Effectiveness Effectiveness and Efficiencyand Efficiency
Government to Government to GovernmentGovernment
Government to Government to BusinessBusiness
Government Government to Citizento Citizen
When Web Interactions Need Strong Security
• To protect privacy, government must know whom it is dealing with
• Operations exceed reasonable risk• User Authentication
– Knowing who your correspondent is
• Transaction Integrity– Ensuring the message sent is the message received
• Non-Repudiation– Correspondent cannot deny conducting transaction
• Confidentiality– Only authorized persons can read the message
Identity Credentials• Driver’s License• Employee Identification Card• Passport• Birth Certificate• Physical Presence• Social Security Number• Signature• Electronic Credentials
(including PKI Certificates)
Obstacles to Issuing Citizens Digital Certificates
• Some populations (e.g., students, low-income) lack sufficient means for identity proofing like a credit history, permanent address, etc.
• Certain individuals object to divulging personal information (lack of trust in who and if adequately safeguarded)
• Cost and administrative complexity of the certificate issuance
E-Gov’t Strategy: Solutions to Barriers Incorporates PKI
Barrier Solution
Agency Participation
Sustained high level leadership and commitment Establish Interagency governance structure (PMC, Steering
Groups/Councils, Multi-agency partnership) Give priority for cross agency work Engagement of Interagency user/stakeholder groups, including
Communities of practice
Federal Architecture OMB leading business & data architecture rationalization OMB sponsored architecture development for cross agency projects Use Firstgov.gov as primary on-line delivery portal for G2C, G2B
Public Trust
Establish Secure transactions and Identity Authenticationthrough e-Authentication project - all eGov Initiatives will use
Incorporate privacy protections into each business plan Engage in public promotion
Resources
Move resources to programs with greatest return and citizen impact Set measures up-front and use to monitor implementation Provide online training to create new expertise among
employees/contractors
Stakeholder resistance
Create comprehensive strategy for dealing with appropriationcommittees
Argue for initiatives collectively
eAuthentication DirectionSimplify and Unify
• Efforts focused on PMC approved E-Gov e-Authentication Initiative and tie to Firstgov
• Assist other E-Gov’t initiatives in defining their identity authentication needs
• Develop applications for cross-governmental use
• Coordinate aggregated buy of authentication products and services
• Promote interoperability with other entities through FBCA
Fact
ors
Fact
ors
Privilege ManagementPrivilege Management
SignatureRequired
IdentityVerification
Required
IdentityVerification
Not Required
Low RiskHigh Risk
Genera
l
Informati
onChan
ge
Reques
tBen
efits
Applicati
on
Personal
Informati
on
Proprietar
y
Informati
on
Gateway
Citizen BusinessAgent
Academia
Health Care
StateGovernment
FBCA
IdentityVerificationRequired
Identity
Verification
Not Required
CredentialValidationProcess
eAuthentication Gateway
Cross CertifiedCAs
Directory System Agent
• Cross certificates• CRL
FIP 140-1 L3 Crypto
FIP 140-1 L3 Crypto
• Cross certificates• CRL
• Cross certificates• ARL
Trust Domain 1 Trust Domain 2
DirectoryInfrastructure 2
DirectoryInfrastructure 1
Federal Bridge Certification Authority
Selected Agency PKI Efforts
• The Evolving Federal Public Key Infrastructure document: www.cio.gov/fpkisc
• Department of Labor’s Career Management Account
• National Institute of Standards’ Advanced Technology Grants System
• Social Security Administration’s Wage Reporting and Medical Evidence
• Drug Enforcement Agency’s Electronic Prescriptions for Controlled Substances
Nat’l Institute ofStandards and Technology (NIST)
• ACES used for the electronic submission and review of proposals for the Advanced Technology Program (ATP)
• Uses digitally signed documents to send proprietary information over the Internet, digitally signs and encrypts forms, captures data and populates ATP database
• Uses a web server for downloads/ submission of forms and documents, then pulls them behind NIST and ATP firewall
• Pilot with 12 proposal submissions completed in Sept 2001
• Goes “live” for ATP’s FY2002 competition
Social Security Administration (SSA)
• Piloting ACES Digital Signature Certificates for on-line annual wage reporting
• Following pilot, SSA had a 90 percent approval by the 100 businesses participating
• Automating W-2 submissions critical to agency where nearly 6.5 million employers submit over 240 million W-2 forms for their employees
• Continuing to expand pilot capabilities and implementing digitally signed forms
SSA’s Electronic Medical Evidence Pilots .
California• Third party providers
submit encrypted Medical Evidence of Record and encrypted and signed Consultative Exams
• Using Secure e-Mail• Expanding to include Web
based Secure Messaging and Secure FTP
SSA/VA• Mississippi requests
Medical Evidencefrom VAMCs in Jackson and Biloxi. VAMCs send encrypted response to DDS via secure e-mail.
• Phase I decreased turnaround time from 25 days to 3
DEA’s Controlled Substances
• Secure electronic transmission of controlled substance prescriptions
• Reduces prescription forgeries and medical mistakes
• Pharmacists, Medical practitioners, Long term care facilities
• Pilot program in concert with Veterans Administration (VA) Outpatient Pharmacies
• Baltimore Technologies UniCert CA
Office of Diversion ControlMay 2001
In the future, what role does PKI play?
• PKI is not the answer for all needs but it can add the required authentication for trustworthy e-gov services
• Using PKI technology for strong authentication needs addresses mandates such as HIPPA and eSign
• Federal bridge CA facilitates unifying islands of automation
• e-Authentication initiative will organize authentication needs for critical government business lines
Closing Words• The Vision: Enable e-Government through
– A cross-governmental, ubiquitous, interoperable Public Key Infrastructure.
– The development and use of applications which employ that PKI in support of Agency business processes.
• Government-wide initiatives include:– Federal PKI Policy Authority– Federal Bridge Certification Authority– Access Certificates for Electronic Services– Leveraging other authentication investments where
appropriate