PRINCETON JUNCTION, N.J., June 13, 2019 (GLOBE NEWSWIRE) – Executives from government agencies, security experts and technology providers met at the Secure Technology Alliance's Securing Federal Identity 2019 conference in Washington, DC last week to discuss the latest developments and innovations in federal identity credentials and access security.
Speakers at this year's event looked to the future, focusing on the need to develop security standards and solutions to keep up with emerging threats, advances in identity management and improvements in current practices for control of logical and physical access.
Keeping up with modern security threats through evolving technologies, standards
Ross Foard, Department of Homeland Security (DHS), opened the event with a central theme: as the use of new identity technologies such as mobile devices and the cloud grows in government environments, organizations must adapt their security practices to combat potential risks.
One speaker put identification and authentication in perspective through a single use case: drones. Robert Segers, Federal Aviation Administration (FAA), shared how drones and other unmanned aerial systems (UAS) pose new threats such as kinetic attacks, critical infrastructure interruptions, surveillance and contraband.
In the case of UAS, Segers said that the first step to mitigate these risks is to clearly identify the drones and their operators. Segers suggested leveraging the public key infrastructure (PKI) to ensure the authenticity and integrity of UAS using a two-step signature approach to link a manufacturing drone ID to an operator ID.
Some speakers talked about the use of mobile authentication factors, such as FIDO, when PIV cards are not practical, a concept that David Temoshok, National Institute of Standards and Technology (NIST), called "bring your own authenticator" (BYOA). Temoshok shared that NIST is evaluating additional ways to secure federal identities that align with the recent publication of OMB M-19-17. This directive gives agencies a new flexibility beyond PKI and PIV for the authentication of services and systems that are not compatible with PKI or PIV cards. Temoshok said that this examination of authenticators will help simplify authentication and make it more usable.
Cindy Czayer and Stewart Clatterbaugh, of U.S. Citizenship and Immigration Services (USCIS), highlighted the use of PIV credentials in government access control. Czayer and Clatterbaugh reported that USCIS is now 100% PIV compatible for logins. The speakers shared that their organization has found great value in the implementation of PIV and is now looking for new opportunities to use the credentials.
Addressing challenges in managing identities in government
Speakers throughout the conference shared their perspectives on identity management, exploring potential challenges and solutions around some of today's most important identity questions: What is the best way to keep identities secure and private? How can agencies improve interoperability for smoother identity management across all agencies? With different approaches to managing digital identity, how can the government guarantee user control?
Ian Grossman, American Association of Motor Vehicle Administrators, provided an update on the status of mobile driver's licenses (mDL) to allow a shared international identification standard beyond the operation of motor vehicles. Grossman stressed that the driver's license is already a reliable and strongly tested identity, which makes it a natural option for wider use.
Many speakers echoed the need for an interoperable identity system. In industries such as healthcare, non-interoperable systems can be a major cause of identity problems that impact the delivery of care. Blake Hall, ID.me, stated that 50% of patient records in hospital transfers did not match. One out of every five CIOs linked at least one case of patient harm in the last year to a patient record mismatch, which points to the need for federated identities in healthcare. Hall cited the challenge of balancing usability and security as a key issue, and mentioned mDL and FIDO authentication as possible solutions.
Looking to the future of PACS
With so much innovation happening in identity management, the speakers also shared their visions to continue with these advances for standards and technologies that impact the physical access control systems (PACS).
In a panel, several speakers addressed updated recommendations for the implementation of government PACS based on recent revisions to NIST SP 800-116, which provides technical guidance for the successful implementation of PIV-enabled PACS in government facilities. The panelists also discussed the anticipated changes to simplify the acquisition of security technology and services for federal agencies under the modernization efforts led by the Federal Acquisition Service of the General Services Administration (GSA).
One panelist, William Windsor of DHS, posed the question to the audience: can the technology reach a point where government employees have options in addition to a PIV or a derived PIV credential to access facilities and information? He urged the industry to assess the risks of the facilities, the key stakeholders and the necessary levels of security as a starting point for conversations within their own organizations on improving their PACS based on the latest OMB and NIST guidelines.
Throughout the event, several speakers made reference to the Secure Technology Alliance's "Industry recommendations to implement PIV credentials with physical access control systems", a complementary guide to NIST Special Publication (SP) 800-116 R1 that clarifies the essential requirements within the NIST publication and provides recommendations for implementers of PIV-enabled PACS.
Hildegard Ferraiolo, NIST, discussed the work being done to update FIPS 201. Notable change requests include the addition of other form factors beyond smart cards, non-PKI derived PIV credentials and mobile devices for PACS. Ferraiolo also elaborated on the role that federation is expected to play in changing the interagency interoperability requirements of HSPD-12.
Similarly, Will Morrison, FAA and the Interagency Security Committee (ISC), provided up-to-date information on the ISC guide for the implementation of PACS in the enterprise. The organization recommends strategies for the CISO, CIO and CSO communities to identify and comply with PACS requirements to be compatible with PIV while maintaining interoperability throughout the federal government.
For more information about the Secure Technology Alliance and its government identity resources, visit the Government Identity/Credentialing Resources page on the Secure Technology Alliance website.
About the Secure Technology Alliance
The Secure Technology Alliance is the main association of the digital security industry. The Alliance brings together leading providers and adopters of end-to-end security solutions designed to protect privacy and digital assets in the payments, mobile, identity and access, healthcare, transportation and emerging Internet of Things (IoT) markets.
The mission of the Alliance is to stimulate the understanding, adoption and widespread application of connected digital solutions based on secure chips and other technologies and systems needed to protect data, allow secure authentication and facilitate commerce.
The Alliance is driven by its U.S.-focused member companies. They collaborate by sharing experience and industry best practices through industry and technology councils, focused events, educational resources, industry outreach, advocacy, training and certification programs. Through participation in the breadth of Alliance activities, members strengthen personal and organizational networks and take away ideas for developing the business strategies needed to market secure products and services in this dynamic environment.
For more information, please visit www.securetechalliance.org.
Montner Tech PR