Download PDF - Department of Navy Chief Information Officer - U.S. ...

More documents

Recommendations

Info

Identity Management Operationsto Improve CybersecurityBy Sonya SmithThe Defense Department is makinga number of improvements to theCommon Access Card to enhanceidentity authentication and physicaland network securityThe December 2008 report written bythe Center for Strategic and InternationalStudies (CSIS) Commission on Cybersecurityfor the 44th Presidency,“Securing Cyberspacefor the 44th Presidency,” beganwith one central finding: “The UnitedStates must treat cybersecurity as one ofthe most important security challenges itfaces.”The report went on to state, “Creatingthe ability to know reliably what person ordevice is sending a particular data streamin cyberspace must be part of an effectivecybersecurity strategy.” The report urgedthe government to accelerate the adoptionof identity authentication.The administration’s Cyberspace PolicyReview, released in April 2009, stated veryclearly that: “We cannot improve cybersecuritywithout improving authentication,and identity management is not justabout authenticating people.”The National Security TelecommunicationsAdvisory Committee’s “Report tothe President on Identity ManagementStrategy” of May 2009 states:“… this lackof trusted identification enables harmfuland/or malicious activity and diminishesnational security/emergency preparednesscapabilities, endangering nationaland homeland security as well as individualprivacy and security.”The Department of Defense understandsthe magnitude of the threat weface in cyberspace.The threat is advanced,persistent and constantly changing. In addition,the increasing popularity of collaborativeWeb applications, such as blogs,social networks, podcasts and wikis, andmobile devices, has brought a new set ofchallenges to cybersecurity.There is a clear appreciation of the relationshipbetween cybersecurity andidentity management; we must be able toauthenticate entities, as either human ornonhuman, with DoD resources and thenbe able to manage access privileges.A major vulnerability on DoD networksis the use of usernames and passwords.Therefore, the DoD has increased assur-ance of user authentication by replacingthe requirement for usernames andpasswords with the DoD Common AccessCard (CAC) and associated public key infrastructure(PKI) to cryptographicallylogon to DoD unclassified networks. Thiseffort is now being extended to the classifiednetwork as well.The DoD has seen the benefits of thiseffort. Retired Air Force Lt. Gen. CharlesCroom, when director of the DefenseInformation Systems Agency and commanderof the Joint Task Force - GlobalNetwork Operations, said in January 2007that successful intrusions to DoD unclassifiednetworks had declined 46 percentdue to CAC use. The DoD is now also requiringPKI-based user authenticationto access the majority of its private Websites.Those same PKI certificates are beingused to encrypt personally identifiableinformation (PII) and sensitive informationto ensure its confidentiality whilein transit. Digital signatures, also usingPKI, provide nonrepudiation services, enablinga higher level of assurance that thee-mail users receive is authentic. Digitalsignatures also help thwart e-mail spoofingattempts. In the Department of theNavy (DON), these protections are beingextended to mobile personal electronicdevices such as BlackBerrys.Identity management initiatives utilizingthe CAC with PKI certificates havechanged the way the Defense Departmentdoes business. But, as with all things,there is always room for improvement.The use of Homeland Security PresidentialDirective-12 (HSPD-12) and FederalInformation Processing Standards-201(FIPS-201) are mandatory across the federalgovernment and provide a commonlanguage and standard to improve identityassurance.The CAC is the DoD’s vehicle to HSPD-12 compliance, and improvements arebeing made to the CAC to comply withFIPS-201. These include making the card/token itself more resistant to tamperingand counterfeiting, meeting interoperabilityrequirements,improving the vettingprocess before card issuance to ensurethe applicant’s eligibility and uniquenesswithin the database, and the addition ofbiometrics to the CAC.The CAC improvements to comply with38 CHIPS www.chips.navy.mil Dedicated to Sharing Information - Technology - Experience
the FIPS-201 standard are helping to raisethe confidence level within the CAC infrastructure.Issuance is the critical point ofidentity management and because of theFIPS-201, DoD now requires:• • • • an individual’s eligibility for a CAC;verification of DoD affiliation froman authoritative data source insteadof a paper form;completion of the FIPS-201 requiredbackground check; andverification of a claimed identity perFIPS-201.The enterprise authentication solutionsfor cybersecurity are currently PKI-based.The DoD has deployed a significant numberof “next-generation CACs,” or CACsthat are being used as part of the HSPD-12 transition.As part of the transition, some biometricsinformation is being stored on thenext-generation CACs. At a minimum, thefingerprints information on the CAC couldbe utilized as a stronger form of multifactorauthentication.The focus of identity managementmust build on successes to date andmove forward to a more all-encompassingapproach to include meeting the requirementsof interoperating with otherHSPD-12 compliant federal credentialsand securely sharing information withother mission partners.The new CAC contains advanced technologythat will enhance the security offederally controlled facilities and computersystems and ensure a safer work environmentfor all federal employees andcontractors.Out with the old. In with the smart. For more information about the DefenseDepartment’s next-generation CommonAccess Card, go to the CAC Web site atwww.cac.mil or the DON CIO Web site atwww.doncio.navy.mil.Sonya Smith is the deputy director of the DONCIO cybersecurity and critical infrastructureteam.The DoD is proud to be among the first government agencies to issue theHSPD-12 compliant federal credential — the next-generation CAC.The gold standard of advanced identification.This initiative is part of an ongoing effort to provide government personnel with themost secure and reliable forms of identification possible. The next-generation CAC representssignificant strides in contactless technology and heralds a critical step in the evolutionof personnel and national security.The next-generation CAC is more sophisticated:• Increased data storage and memory capacity• Integrated circuit chips, magnetic stripe, bar codes and contactless capability• DoD’s solution to the new federal credentialThe next-generation CAC is safer than ever:• Used for identification purposes when entering federal buildings and controlled spaces• Improved vetting and background check requirements• Meets or exceeds requirements of all applicable privacy laws• Electronic authentication to gain physical and logical access improves security• The next-generation CAC can be used with complete confidence to:• Log on securely to DoD networks, systems and Web sites• Access public key infrastructure (PKI)-compliant systems• Encrypt and electronically “sign” e-mails and documentsWhether you are getting a CAC for the first time or renewing your current CAC, the same process isrequired for the next-generation CAC. Please note that you do not need to replace your CAC until yourcurrent card expires.Renew your CAC in three easy steps.1. Meet all Defense Enrollment Eligibility Reporting System (DEERS) requirements.To receive a next-generation CAC, all eligible personnel must be entered into DEERS. To establisha DEERS record, all personnel must undergo proper identity vetting.A next-generation CAC can only be issued once:• A Federal Bureau of Investigation (FBI) fingerprints check has been completed and approved• A National Agency Check with Inquiries (NACI)* background security check is in the process ofbeing completed*Note: Since the NACI process can take up to 18 months, an individual may be issued a CAC beforethe process is completed. However, if the NACI process is completed and a person does not get“cleared,” his or her CAC will then be revoked.2. Meet all Real-Time Automated Personnel Identification System (RAPIDS) requirements.Required RAPIDS documentation and information for active duty military personnel, Selected Reserve,DoD civilian employees, eligible contractor personnel, eligible federal personnel, and otherDoD-sponsored eligible populations:• Two Forms of ID. Both IDs must be among those listed on the I-9 Form (available from www.cac.mil). One must bear a photo (e.g., passport, driver’s license). A current/unexpired CAC is considered a valid form of ID.• A six (6) to eight (8) digit number to use as a personal identification number (PIN). All personnelwill be asked to create a PIN that can be easily remembered. Please do not use easily traced numbers such as part of your Social Security number (SSN), birthday, anniversary date, telephone number or address.3. Visit any of the 1,500+ RAPIDS centers worldwide to obtain your next-generation CAC.Remember, you will only receive a CAC, if your DEERS account is vetted AND you have all requireddocumentation and information. To locate a RAPIDS center near you, please visit the RAPIDS sitelocator at www.dmdc.osd.mil/rsl/owa/home.Note: If you encounter a problem obtaining your next-generation card at the RAPIDS center, and theproblem is related to vetting, please follow up with your personnel security representative to updateyour DEERS profile.CHIPS January - March 2010 39
Page 8: Climate MonitoringThe Department of
Page 11 and 12: Figure 1 shows the top-down organiz
Page 13 and 14: DD Form 1494 - Application for Equi
Page 15: As such, E1 poses the greatest dang
Page 19 and 20: Figure 3.Fleet Cyber Command/U.S. 1
Page 21 and 22: standardize enterprise management a
Page 23 and 24: Sometimes combatant commanders get
Page 25 and 26: It can be embarrassing toattempt to
Page 27 and 28: The 4-inch by 4-inch magnetometerto
Page 29 and 30: Air Traffic Controller 2nd Class Th
Page 31 and 32: the next spiral evolutionary step f
Page 33 and 34: Collaboration Tools for the Federal
Page 35 and 36: Your Office Copier/Printer May Pres
Page 37: NMCI Gets Into A HotspotBy Mike Her
Page 41 and 42: cy system’s functionality to NSIP
Page 43 and 44: starts spreading through my network
Page 45 and 46: Enterprise Software AgreementsThe E
Page 47 and 48: NetIQNetIQ - Provides Net IQ system
Page 49 and 50: Web Link: http://www.it-umbrella.na
Page 51 and 52: Page intentionally left blankCHIPS

Download PDF - Department of Navy Chief Information Officer - U.S. ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?