Smart Uses for Smart Cards

Tim McKnight and Russell Koste of Northrop Grumman take an award-winning approach to high assurance credentialing


So how did Northrop Grumman manage to issue more than 100,000 smart cards in an award-winning, 18-month program? According to Tim McKnight, Northrop Grumman's Vice President and Chief Information Security Officer, and Russell Koste, Director of Identity and Access Management for Northrop Grumman Information Systems, the following four factors were key elements of their approach:

- Leveraging the smart card project experience of government agencies.
- Using a pilot project for hands-on experience and to assess future resources that may be needed.
- Fully committing to the rollout effort, and updating the execution plan to apply sufficient resources in the most effective manner.
- Educating employees, addressing technology and privacy concerns in advance.

First, Northrop Grumman was able to build on its experience with Department of Defense (DoD) and Government Services Administration (GSA) smart card programs, in which it played an integral role.

With that knowledge, and having 120,000 employees to issue smart credentials to, Northrop Grumman leadership decided to take an approach that they recommend to any organization considering a smart credential - start with a small scope for credential issuance and then proceed to the larger program with much more knowledge, experience and resources at hand.

"We started in 2006 looking first to privileged users (those with administrative privileges) as an example of high-value targets to protect," McKnight says. "This took place over a 12-month period of time. We were then able to take what would otherwise have been a 3- to 4-year program and implement it in 18 months."

McKnight also explains that one major change from other projects they had seen was to combine the enrollment and registration with the card activation into a single step. This enabled the company to achieve its time frame and schedule. Northrop still maintained two-person control over the issuance process - that is, a separation of the roles so that the enrollment officer is not also the issuer.

To accelerate the larger rollout, Northrop performed a 3- to 4-month surge, issuing 10,000 cards per month using more than 100 operators. "We determined that we needed mobile capability to get to remote and small sites," says Koste, "so, we put together a mobile issuance platform."

When asked about employee response to the program, McKnight said, "We did a lot of education about privacy and the strategic imperatives of this security program. As a result, less than two dozen employees raised concerns during the issuance process."

Koste says that single sign-on, remote access, secure e-mail and access to DoD Web applications were important processes enabled by the use of the card's authentication functions for information systems.

"Our privileged users' pilot had 300 internal applications to support," he says. "The enterprise has thousands of applications, such as our ERP instances, time entry systems and even federated access to our externally hosted travel system. The systems that Northrop has in place now allow for governance related to applications, where that did not exist in the past."

The success of the Northrop Grumman project shows that the combination of existing standards and guidance, current-day technology, and lessons learned from the increasing number of smart credential programs provides organizations with the materials they need to achieve success with their own Identity, Credential and Access Management programs.

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS). His full bio is on Page 18.
Sal D'Agostino, CSCIP, is CEO of IDmachines LLC, a provider of design, integration, strategy and education services for the identity, credential, access, machine learning/analytics and technology transfer markets. Mr. D'Agostino is Secretary of the Smart Card Alliance Identity Council; Secretary of the Physical Access Control council; Vice-Chair of the SIA PIV Working Group; member of the ASIS Information Security Council and a member of the Kantara Initiative. He blogs at http://idmachines.blogspot.com.