To achieve the first step, agencies will want to implement what’s called the “core person model.” This model incorporates data that is unique to a person’s identity, such as his or her name, as well as data related to the person’s digital identity, such as a unique credential and department affiliation. By establishing the core person model government-wide, FICAM can standardize the information agencies will use as the enterprise digital identity and also streamline procedures for employees who may hold credentials at one or more agencies.
To achieve the second step, agencies should ensure the PIV or FIPS 201 CACs are paired with the personnel who originally requested and received the credential. To fully ensure the security of their credentials, agencies must still authenticate transactions. Comparing a presented credential with a list of approved credentials is NOT authentication and provides little to no security. Authentication is the process of establishing confidence in the credential that was presented. Authentication must be strong, and it must occur across the enterprise.
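The distinction drawn above, between matching an identifier against an allow-list and actually establishing confidence in a presented credential, is easy to see in code. The following is an added example, not code from the article or from any FICAM program: it models a PIV card as a certificate plus a private key that stays on the card, a constructed issuing CA, and two relying-party checks. The names (`Card`, `ListMatch`, `Authenticate`, `Scenario`, the “Constructed Agency PIV CA” subject) are hypothetical. A copy of the card’s public certificate, with no access to the private key, passes the allow-list check but fails chain validation plus challenge-response, which is the point the text makes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card is a hypothetical in-memory stand-in for a PIV card: the PIV Authentication
// certificate is readable by any reader, the private key never leaves the card.
type Card struct {
	Cert *x509.Certificate
	priv *ecdsa.PrivateKey
}

// SignChallenge is the card's proof of possession: it signs a nonce chosen by the relying party.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// ListMatch is the weak pattern the text warns about: compare an identifier read off the
// card against an allow-list. Anything able to present the identifier "passes".
func ListMatch(allowed map[string]bool, presentedSerial string) bool {
	return allowed[presentedSerial]
}

// Authenticate establishes confidence in the credential: the certificate must chain to a
// trusted issuer for client authentication, and the presenter must prove control of the key.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// newIssuer builds a constructed (not real) issuing CA and a root pool trusting it.
func newIssuer(name string) (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, key, pool, nil
}

// IssueCard enrolls a holder: a fresh key pair on the card and a certificate from the issuer.
func IssueCard(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, holder string, serial int64) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: holder},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Card{Cert: cert, priv: key}, nil
}

// Scenario runs both checks against the genuine card and against a copy of its public
// certificate held without the private key (a stand-in key shows the signature fails).
// Returns (listGenuine, listCopy, authGenuine, authCopy).
func Scenario() (bool, bool, bool, bool, error) {
	issuer, issuerKey, roots, err := newIssuer("Constructed Agency PIV CA")
	if err != nil {
		return false, false, false, false, err
	}
	card, err := IssueCard(issuer, issuerKey, "Jane Doe (constructed)", 1001)
	if err != nil {
		return false, false, false, false, err
	}
	allowed := map[string]bool{card.Cert.SerialNumber.String(): true}
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certCopy := &Card{Cert: card.Cert, priv: otherKey}

	nonce := make([]byte, 32) // relying party picks a fresh challenge per transaction
	rand.Read(nonce)
	sigGenuine, _ := card.SignChallenge(nonce)
	sigCopy, _ := certCopy.SignChallenge(nonce)
	serial := card.Cert.SerialNumber.String()
	return ListMatch(allowed, serial), ListMatch(allowed, serial),
		Authenticate(roots, card.Cert, nonce, sigGenuine),
		Authenticate(roots, certCopy.Cert, nonce, sigCopy), nil
}

func main() {
	lg, lc, ag, ac, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("list-match:   genuine=%v copy=%v\n", lg, lc) // true true
	fmt.Printf("authenticate: genuine=%v copy=%v\n", ag, ac) // true false
}
```

A real deployment also checks revocation status and the PIV-specific certificate policy, which the example omits; the structural lesson is that the allow-list check never exercises the card’s private key, so it cannot tell the cardholder from anyone who has read the card.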
Finally, to achieve the third step, agencies will need to institute enterprise authorization of the digital identity that is effectively represented by the PIV credential. Often, this proves to be the most difficult task for technology vendors. Recognizing that a smart card is more than a username and password is the first step — username and password solutions will require add-ons and continuous upgrades.
It’s not as difficult as it sounds
Luckily for integrators and their government clients, the first major obstacle of a FICAM program — issuing credentials — has been cleared, with more than 4.5 million PIV cards already out there. Still, agencies should strive to achieve a point where the issuance of the credential sets the ball in motion for its actual use. It is entirely possible for PIV cardholders to receive their PIV credential, walk out of the office and immediately use it to enter the buildings they need, sign on to computer workstations, encrypt email and even access permitted applications from a mobile device.
Some agencies undoubtedly recognize the benefits of FICAM but cringe at the perceived complexity of implementation. This is where you, as a qualified systems integrator, come into the picture. Luckily, this challenge has been recognized, and for dedicated vendors it is well overstated.
The advice regarding integration of smart cards is crucial for agencies that understand implementation but struggle to see how to get from the “as-is” state to the target state. Sit down with your government security executive customers to think and talk it over, and to peruse the roadmap.