Security Technology Executive

SEP-OCT 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/571504


September/October 2015 • SECURITY TECHNOLOGY EXECUTIVE • www.SecurityInfoWatch.com

practices have resulted in a new staff competency requirement. Today, GSA and a growing number of agencies require that system engineering staff, integrators and other stakeholders involved with PACS design and implementation prove they have the demonstrated competencies required to properly design, install, configure and maintain FICAM PACS equipment.

GSA recognizes and requires the Certified System Engineer ICAM PACS (CSEIP) training and certification as a bid-prequalifying item for staff that will be involved with FICAM PACS projects on contracts including Schedule 70 and 84 labor categories. The CSEIP certification course is offered by the Smart Card Alliance, a vendor-agnostic industry organization. A list of CSEIP accredited individuals is on the GSA list of qualified HSPD-12 service providers at http://www.idmanagement.gov/qualified-hspd-12-service-providers

What Is Next?

Today, interoperability reaches far beyond the U.S. borders. Adherence to standards and common policies is the core of the interoperability and universal trust framework that now has global reach.

Federal agencies have issued approximately 5.6 million high assurance PIV credentials. In addition, a large number of PIV-I credentials have been issued by U.S. contractors located within the U.S., as well as by U.S. allies overseas.

Furthermore, the proven interoperability of standards-compliant PACS created the groundwork for non-Federal, commercial enterprise PACS (E-PACS) architectures. Various standards-compliant manufacturers already have a mix of interoperable systems in design phases. These system solutions will become increasingly common as the risk of an end-user organization being locked in with "all eggs in one basket" of one system supplier is removed. Locally manufactured systems may be part of an international, even global, E-PACS. This may become both a significant cost reduction factor and a way to make an international enterprise more politically appealing to business locations outside of the contiguous U.S.

A non-federal, high assurance credential has been defined specifically to support the larger, commercial market. The Commercial Identity Verification (CIV) credential follows the PIV-I technical specifications. This means that a commercial entity, such as a Fortune 5000 company, is able to leverage the technology benefits of the second generation PACS (and logical access control systems (LACS)) that are now created, tested, proven and increasingly used by the U.S. Federal government market.

The significant difference with the CIV credential is that the costly FBCA policy certifications and accreditations required of PIV and PIV-I issuers are not applicable. A CIV issuer may itself determine what on-boarding policies and procedures are acceptable for its own employees. No policy enforcement or cross certification that identities and identity management equipment conform to Federal policies is required or expected for commercial or private organizations.

A CIV issuer may use a standard Microsoft CA, or other commercially available CA, to ensure that the credentials of its own employees, suppliers and business partners are authentic and able to be used both as log on credentials to access company networks (See Figure 4) and as credentials for physical access. The same benefits of consistency, credential authentication, and central revocation that Federal agencies enjoy are available to commercial organizations -- at a fraction of the cost.

Summary

The Federal agencies spearheaded development of a secure "High-Assurance" identity credential. Harmonizing the identity vetting and lifecycle procedures across all Federal agencies and creating a consistent, uniform adjudication policy for issuing an identity credential resulted in increased efficiencies and minimized redundant operations across the federal enterprise. The near impossibility of creating a forged or altered credential enhanced the security profile of all Federal resources. Other obvious security benefits include the ability to revoke, very quickly and from one location, all access privileges of card holders who leave their parent organization. This minimizes the threat of disgruntled former employees maliciously accessing physical and network resources as well as corporate intellectual property.

Leading PACS manufacturers have now developed and are marketing second generation systems that are subject to strict compliance testing at specially accredited testing laboratories to demonstrate conformance with all relevant technical standards applicable for the Federal market.

The larger, non-federal markets are beginning to realize (and take advantage of) the security benefits of a PIV-I type, high assurance credential. Some of the large, nationwide financial institutions and members of the health care industry are among the early adopters in the commercial market that embrace the CIV, which is not subject to the costly Federal policy certification. Interoperability has indeed reached a new phase!

About the Author: Lars R. Suneborn, CSCIP/G, CSEIP, is the Director, Training Program for the Smart Card Alliance
