Electrosoft Services

HSPD 12, FIPS 201 AND PERSONAL IDENTITY VERIFICATION

Electrosoft plays a unique role among the service providers that offer FIPS 201 related services to Federal agencies. Not only do we understand FIPS 201 and related guidance material thoroughly and support the implementation of FIPS 201 compliant ID systems, we also participated as part of the core technical team that helped to create the FIPS 201 standard. Please send an email to fips201@electrosoft-inc.com to request further information.

Highlights of Electrosoft's involvement with HSPD-12 and PIV include the following:

  • Electrosoft was a part of the core team at NIST that developed FIPS 201. Areas of significant contributions include:
    • Identity proofing, registration and issuance
    • Graduated assurance levels
    • PIV system architectural model and lifecycle definition
    • PIV logical credentials, including CHUID and PKI certificates
    • Management of the PIV Card and its credentials
    • PIV Card usage for identity authentication and access control

  • Electrosoft assisted in the development of NIST SP 800-73:
    • Assisted in developing sections of Appendix A on PIV Data Model
    • Supported the development of Appendix C on PIV Authentication Use Cases

  • Electrosoft is developing a major revision to SP 800-79 - Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations. Primary activities include:
    • Extracting requirements from FIPS 201-1 and its supporting publications (SP 800-73, SP 800-76, SP 800-78, SP 800-87, SP 800-96, SP 800-104)
    • Deriving controls (similar to those in SP 800-53) from these requirements and developing assessment procedures for each control
    • Integrating the resulting assessment procedures and identifying mandatory as well as optional test procedures

  • Electrosoft is supporting GSA in the FIPS 201 Evaluation Program. Highlights of our support include:
    • Providing program management and technical oversight into all aspects of the GSA FIPS 201 Evaluation Program
    • Developing and maintaining all documents (approval procedures, test procedures, forms, etc.) used within the Program
    • Evaluating vendor products and services against the requirements for their respective categories
    • Maintaining the Approved Products List (APL) with vendor approved products and services

  • Electrosoft supported NIST in developing the PIV data model compliance test program (SP 800-85B) for use through the NIST Personal Identity Verification Program (NPIVP):
    • Developed PKI test cases and data for NPIVP and an automated test tool to conduct the tests

  • Electrosoft is implementing a PIV Card Demonstration Laboratory at NIST. Secure applications that will be demonstrated to operate with a PIV Card include:
    • Windows Smart Card Logon
    • Client Authenticated TLS/SSL secure web session
    • Secure Email, IPSEC Virtual Private Network connections

  • Electrosoft has developed a Microsoft Cryptographic Service Provider (CSP) module for a PIV Card for NIST. Highlights of the CSP include:
    • Ability to work with any Microsoft Application that invokes CryptoAPI
    • Ability to interface with the NIST PIV Middleware Reference Implementation
    • Ability to work with the NIST PIV Card Simulator

  • Electrosoft has developed a Public Key Cryptography Standard (PKCS) #11 module for a PIV Card for NIST. Highlights of the PKCS#11 include:
    • Ability to perform smart card logon to a Linux Workstation
    • Ability to support S/MIME transactions (signing and encrypting emails)
    • Ability to support client authenticated TLS/SSL sessions

  • Electrosoft supported the Department of Commerce, Office of Security in implementing a department-wide PIV compliance program. Primary activities include:
    • Developed FIPS 201 compliant PIV Issuance procedures
    • Developed PIV-I Implementation Guidance for DOC and its PCI Facilities
    • Developed PIV Assessment Questionnaire
    • Developed Privacy Impact Assessment Questionnaire
    • Used the ESWAT-PIV Assessment Tool to facilitate 800-79 accreditation of DOC PCI facilities

  • Electrosoft is currently supporting the National Aeronautics and Space Administration (NASA) by performing a third-party independent assessment of their PIV Card Issuing Facilities. Primary activities include:
    • Develop a comprehensive set of controls and assessment procedures to determine compliance to the Standard
    • Interview PCI Facility Officials to determine capability and knowledgeability
    • Review relevant documentation (operations plan, policies, procedures, privacy statement, SORN, etc.) needed for accreditation
    • Test sample issued PIV Cards to determine compliance with the graphical and electronic requirements
    • Use the ESWAT-PIV Assessment Tool to facilitate 800-79 accreditation of NASA PCI facilities

  • Electrosoft is currently supporting the Broadcasting Board of Governors (BBG) in their effort to certify and accredit their HSPD-12 solution. Primary activities include:
    • Develop all documentation necessary for accreditation (Operations Plan, Implementation Plan, Training Plan, Appointment Memos, etc.)
    • Perform an assessment of their PIV Card Issuing Facility to determine compliance with the Standard
    • Use the ESWAT-PIV Assessment Tool to facilitate 800-79 accreditation of BBG PCI facility

  • Electrosoft supported the National Gallery of Art (NGA) in performing a gap analysis between their current credentialing processes and those prescribed by PIV-I. Primary activities include:
    • Reviewed documentation, conducted interviews and observed a credential issuance demonstration to determine areas of compliance and deficiencies
    • Developed a gap analysis report that detailed the controls that needed to be met, the assessment procedures used to determine compliance for each control and the results of each assessment technique
    • Used the ESWAT-PIV Assessment Tool to facilitate this gap analysis

In addition to supporting NIST and several Federal agencies, Electrosoft has developed a web-based automated assessment tool that can assist in Certification and Accreditation of PIV Card Issuing Facilities in accordance with SP 800-79 and related guidance.





