PKI AND IDENTITY MANAGEMENT PROJECT LIST

• Provided support to the National Gallery of Art (NGA) in performing a gap analysis between PIV-I requirements and the current credentialling processes followed at the Gallery.
• As part of the gap analysis, Electrosoft performed documentation reviews, conducted interviews and observed a credential issuance demonstration to determine the areas of compliance and deficiencies.
• The result of this effort was a gap analysis report that detailed the controls that needed to be met, the assessment procedures used to determine compliance for each control and the results of each assessment technique.

• Provided support to CBP and have developed the architecture for an Enterprise PKI Validation Service that will support the validation of e-Passports signed by foreign governments and other PKI applications.
• The validation architecture developed included the use of Server-Based Validation Protocol (SCVP) servers and LDAP servers operating in a high availability, high throughput, 24x7 high security environment.
• Activities also included the preparation of a detailed costing for the startup and operational costs for the Validation Service, and the development of a plan for the implementation and deployment of the CBP Enterprise PKI Validation Service.

• Provided support to the National Institute of Sciences and Technology (NIST) in developing the Public Key Cryptography Standard (PKCS) 11 that has the capability to communicate with a PIV Card, as well as the NIST PIV card simulator in a manner consistent with NIST SP 800-73.
• The scope of the PKCS11 library was limited to accomplish the following tasks (i) Linux Smart Card Logon, (ii) Email signing and encryption (S/MIME), and (iii) SSL with client authentication.

• Provided support to NIST by developing a testing guidance document that specifies the derived test requirements, test assertions, and the detailed test / conformance scenarios for testing the PKI components of a personalized PIV Card.
• Activites included the development of the following classes of PKI conformance test guidance: (i) Validating the certificates on the PIV Card as conformant to their respective certificate profiles, (ii) Validating signatures on all PIV data elements, and (iii) Validating the integrity of the asymmetric key pairs and integrity of PKI-related mandatory and optional PIV data elements present on the PIV Card.
• Activities also included the design and development of a test tool that would be used to automate the testing process. This test tool was based on the test assertions developed and integrated into NIST’s SP 800-85B test tool.

• Provided support to the General Services Administration in developing their FIPS 201 Evaluation Program.
• Activities included development of the Concept of Operations (ConOps) and a Lab Specification Manual for the Evaluation Lab.
• Activities also included development of Approval Procedures and Test Procedures for product and service categories, the requirements for which were identified from FIPS 201 and its supporting documentation.

• Provided support to Johnson and Johnson in performing policy mapping and interoperability testing for their PKI.
• Activities included conducting an analysis/mapping of the J&J Certificate Policy (CP) and the SAFE CP focusing only on certificate policies in the J&J CP that compared with the basic and medium assurance certificate policies in the SAFE CP to ascertain that the J&J CP was conformant to the requirements of SAFE.
• Activities also included conducting interoperability testing on the PKI artifacts (Root CA, Issuer CA, OCSP Responder, Entity-Entity signature certificates etc as well CRLs, PKCS#10 requests and OCSP responses) provided by J&J to determine if they were being generated as per the J&J CP and whether they met all interoperability requirements of SAFE.

• Provided support to the National Institute of Sciences and Technology (NIST) in developing a Microsoft Cryptographic Service Provider (CSP) that conforms to the requirements of the Microsoft Cryptographic Architecture Framework, and has the capability to communicate with a PIV Card, as well as the NIST PIV card simulator in a manner consistent with NIST SP 800-73.
• The scope of the CSP was limited to the Windows XP environment and to accomplish Windows Smart Card Logon using the NIST PIV Reference Middleware Implementation.
• Activities also included the development of a GUI-based software program that supported the generation of the required PIV cryptographic keys, and the loading of other PIV data elements such as PIV certificates (both mandatory and optional), CHUID, and biometric information into the PIV Card Simulator.

• This study was commissioned by the General Services Administration with the goal of determining the various types of impacts caused by the relocation of the FPKIA.
• The scope of this relocation impact analysis included a high level comparative cost analysis of the current operation in juxtaposition with other possible relocation options.
• The scope also included analyses of other non-financial areas impacted by relocation, including security impact, privacy impact, liability impact as well as the impact of public perception of the relocation.

• Provided support to SAFE-Biopharma by developing formalized Test Plans (test cases and test procedures) that can be used by SAFE-accredited laboratories to check compliance with SAFE standards.
• Activites included the development test plans for the following categories: (i) SAFE-enabled Applications, (ii) Hardware Tokens, (iii) Hardware Security Modules, and (iv) OCSP Responders.

• Provided support to the Department of Commerce (DoC) to comply with the requirements of HSPD-12 and FIPS 201.
• Activities include the development of role-based processes for identity proofing, registration and issuance of Personal Identity Verification (PIV) Credentials for all of DoC's PIV credential issuing (PCI) facilities.
• Activities also included the development of guidelines (e.g. Implementation Guidance, Privacy Impact Assessment Guidance), and a compliance assessment checklist to assist DoC's PCI Facilities comply with FIPS 201 and SP 800-79 requirements.

• Provided support to the National Institute of Sciences and Technology (NIST) in setting up the Personal Identity Verification (PIV) Laboratory and demonstrating various PIV usage scenarios using COTS vendor products that adhere to the PIV Card specifications.
• Activities include configuring and demonstrating the use of a PIV Card to log onto a Windows Environment as well as preparing a whitepaper discussing the various certificate and configuration requirements for enabling smart card logon in Windows using a PIV Card.
• Activities also included demonstrating: 1) TLS/SSL client authenticated access to secure web applications, 2) Secure email (encryption and digital signature) using S/MIME applications using a PIV Card.

• Provided support to the SAFE BioPharma Association in developing their SAFE Product Certification Program (SPCP).
• Activities included defining the establishment of a certification program and its requirements, the SAFE certification laboratory accreditation process and specifications, and the certification requirements for Vendor products.
• Activities also included the development of all requirements, policies, guidance, and SAFE Member functions with respect to this certification program.

• Provided support for the development of the policy, practice, and agreement framework documentation for a top 10 biopharmaceutical company.
• Activities included the development of a Certificate Policy (CP) which defined the policy requirements for their Certification Authority (CA) and public key infrastructure (PKI) implementation derived from stakeholder inputs, the bio-pharmaceutical industry’s SAFE (Secure Access For Everyone) CP requirements, and Electrosoft’s best practice experience from other PKI engagements.
• Activities also included the development of a Certification Practice Statement (CPS) which defined how the requirements in the CP were met. The content of the CPS was based on existing data center operation procedures, stakeholder inputs, and Electrosoft best practice experience.

• Provided support to the National Institute of Sciences and Technology (NIST) for developing the Personal Identity Verification (PIV) FIPS 201.
• Activities included contributions in the areas of card registration and issuance, assurance levels, life cycle operations, digital certificate issuance and management, card verification infrastructure interfaces, and authentication mechanisms.
• Other specific areas that Electrosoft also provided support include applicability of existing ISO smart card standards, card topography and the use of biometrics.

• Provided technical leadership and subject matter expertise on the Online Certificate Status Protocol (OCSP) task part of the KMI Advanced Technology Systems Interoperability Prototyping and Piloting (KATSIPP) program.
• Activities included the development of a DoD-level architecture and CONOPS, formal OCSP Requirements and test Scenarios as well as collaboration with other DoD Teams to help them resolve technical issues and questions.
• Activities also included the design and setup of a comprehensive OCSP Test Lab with OCSP client and responders, Certification Authorities, Directory Servers, and other PKI applications.

• Provided support to the National Institute of Sciences and Technology (NIST) for updating the Password Guidance FIPS 112.
• Activities included researching password systems and techniques, development of an abstract component framework, categorization of password usage, types of attacks, configuration parameters, evaluating the security strengths and weaknesses of different password systems as well as the development of operational guidance for optimum utilization of password systems.

• Provided support to the National Institute of Sciences and Technology (NIST) for research into Roaming PKI (Cryptographic Mobility) Solutions and the development of a NIST document to provide selection criteria and guidance on the application of mobility solutions.
• Activities included identification of essential attributes of a “mobility” solution, desirable options, unique security issues, and usage scenarios as well as the analysis of published mobility protocols and commercial offerings / products to determine their strengths and weaknesses.

• Provided security and PKI technical expertise to the Department of Health and Human Services.
• Activities included the development of PKI requirements and use cases, product recommendations, CONOPS, a detailed architecture for the HHS PKI and Certificate Acceptance Infrastructure (CAI) as well as a technical implementation plan for the HHS PKI and a multi-year roadmap (including budget) for their PKI implementation.

• Provided technical support to the Federal Aviation Administration (FAA) for the development of policies and architecture for enterprise-wide implementation of access enabling technology including Smart Cards, Public Key Infrastructure and Biometrics.
• Activities included the development of a recommendation for FAA’s adherence to the Federal PKI Common Policy Framework, a FAA PKI Strategy paper describing the recommended path for adoption of PKI within the FAA, a FAA PKI Certificate Policy and FAA certificate profiles as well the review of FAA’s National Airspace System (NAS) Protection Profile Template and Guidance documents and a comparative analysis of the leading PKI products/solutions for use within the FAA.