The demand for greater use of smartphone and tablet technology across the federal workforce continues to grow and so it’s important that federal agencies plan their digital identity evolution from smart cards to a mobile-friendly solution.
Since 2004 the US government has set the pace for workforce digital identity security, initially through Homeland Security Presidential Directive 12 (HSPD-12).
HSPD-12 is a presidential directive rather than legislation: it required a common, interoperable identity standard for all federal employees and contractors, which agencies met by issuing smart cards built to the resulting FIPS 201 standard, the Personal Identity Verification (PIV) card. The directive covered both physical and logical access, but the early deployments concentrated on physical access and identity verification.
Evolving from smart cards to mobile identity
The successful implementation of HSPD-12 led to millions of federal employees and contractors being enrolled in the smart card program. It was clear that the next phase would involve giving employees logical access to federal software, systems and data with the same credential.
Smart cards can serve logical access too, but only on desktops and laptops fitted with a card reader and the middleware that exposes the card's certificates to the operating system.
However, as federal workers adopted smartphones, tablets and lightweight laptops, the limitations of smart cards became apparent: most of these devices have no card slot, and attaching a reader to a phone is not a seamless way to authenticate.
It was clear that the guidance needed to evolve to cover mobile technology, and NIST drafted Special Publication 800-157 (SP 800-157), Guidelines for Derived Personal Identity Verification (PIV) Credentials, to define the technology and processes needed to issue derived credentials to mobile devices.
Mobile derived credentials
Mobile derived credentials take a trusted credential originally issued to a federal worker or contractor on a smart card and use proof of possession of that credential as the basis of trust for issuing secondary authenticators on other devices, such as a smartphone, tablet or laptop. The derived credential is a new key pair generated on the new device and certified by the agency PKI for the same identity; the smart card's own private key never leaves the card.
Thanks to the flexibility of public key infrastructure (PKI), the architecture on which smart card credentials are based, agencies can extend deployment to other form factors such as smartphones, tablets, laptops with virtual smart cards and USB tokens.
The essential component that makes derived credentials work is a credential management system (CMS).
A CMS not only enables a credential to be derived from an individual's smart card to another approved device, but also provides the software federal agencies need to update the status of employee identities and maintain the integrity of derived credentials throughout their lifetime: when a card is revoked or terminated, every credential derived from it must be revoked in step.
A CMS also provides a rule-based system (automated or managed by system administrators) to revoke credentials and to grant the correct levels of access to resources and services for credentialed employees and contractors.
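The derivation and lifecycle flow described in the preceding paragraphs, as an added Go example that is not code from the original post, from Intercede or from SP 800-157: a toy agency CA built with Go's standard crypto/x509 package issues a card certificate, the holder proves possession of the card key by signing a CMS challenge, the CMS issues a certificate for a key generated on the phone with the same subject and records the link to the card, and terminating the card makes the phone credential fail. The CA name, the holder name, the nonces and the single-CA arrangement are constructed assumptions; real deployments keep the card key on the card and the device key in device hardware, which this toy does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors so the lifecycle logic below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Sign is the holder's side: hash a challenge and sign it with the card or device key.
func Sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// mint signs tmpl with key under parent; parent == tmpl yields a self-signed root.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// CMS holds the agency CA (assumption: one CA issues both card and derived certificates)
// and records which card certificate each derived certificate descends from.
type CMS struct {
	caKey      *ecdsa.PrivateKey
	root       *x509.Certificate
	parent     map[string]string // derived serial -> card serial
	terminated map[string]bool   // card serial -> terminated
}

func NewCMS() *CMS {
	key := newKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Agency CA"}, // constructed name
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &CMS{caKey: key, root: mint(tmpl, tmpl, &key.PublicKey, key),
		parent: map[string]string{}, terminated: map[string]bool{}}
}

// Issue binds pub to subject cn in a client-authentication certificate signed by the CA.
func (c *CMS) Issue(cn string, pub *ecdsa.PublicKey) *x509.Certificate {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, c.root, pub, c.caKey)
}

// Authenticate is the relying-party check: neither the certificate nor the card it was derived
// from is terminated, the certificate chains to the agency CA, and its key signed this challenge.
func (c *CMS) Authenticate(cert *x509.Certificate, challenge, sig []byte) error {
	s := cert.SerialNumber.String()
	if c.terminated[s] || c.terminated[c.parent[s]] {
		return errors.New("credential terminated")
	}
	roots := x509.NewCertPool()
	roots.AddCert(c.root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Derive issues a credential for a key generated on a new device: the holder proves possession
// of the card key by signing a CMS challenge, and the new certificate inherits the card's subject
// and is linked to the card so that a later status change on the card reaches it.
func (c *CMS) Derive(card *x509.Certificate, challenge, sig []byte, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if err := c.Authenticate(card, challenge, sig); err != nil {
		return nil, fmt.Errorf("card authentication failed: %w", err)
	}
	dc := c.Issue(card.Subject.CommonName, devicePub)
	c.parent[dc.SerialNumber.String()] = card.SerialNumber.String()
	return dc, nil
}

// TerminateCard marks the card terminated; every credential derived from it fails from now on.
func (c *CMS) TerminateCard(card *x509.Certificate) { c.terminated[card.SerialNumber.String()] = true }

// Scenario enrolls a card, derives to a phone, authenticates with the phone, then terminates
// the card and reports whether the phone credential was accepted before and after.
func Scenario() (before, after bool) {
	cms := NewCMS()
	cardKey, phoneKey := newKey(), newKey() // the phone key is generated on the device itself
	card := cms.Issue("Jane Doe (constructed card holder)", &cardKey.PublicKey)
	n1 := []byte("cms-nonce-1") // constructed CMS challenge
	phone := must(cms.Derive(card, n1, Sign(cardKey, n1), &phoneKey.PublicKey))
	n2 := []byte("rp-nonce-2") // constructed relying-party challenge
	sig := Sign(phoneKey, n2)
	before = cms.Authenticate(phone, n2, sig) == nil
	cms.TerminateCard(card)
	after = cms.Authenticate(phone, n2, sig) == nil
	return before, after
}

func main() { fmt.Println(Scenario()) }
```

The status check deliberately consults the parent card's state at authentication time rather than only at issuance: that is the lifecycle link a CMS has to maintain, and it is what stops a lost or surrendered card from leaving live phone credentials behind. A production CMS would publish the same result through CRLs or OCSP so relying parties that never talk to the CMS see it too.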
Existing CMS solutions, such as MyID®, already have extensive capabilities in this area and can manage a broad range of devices with complex ownership models and variable lifecycles. The following CMS functionality is essential for any federal agency managing a multi-device credentialing system:
- Role-based permissions for all actors
- Strong authentication for CMS administration
- Secure audit to verify compliance
- Groups / scoping models to determine which people and devices can be managed
- Multiple credential profiles to accommodate changing form factors and content
- Credential profile versioning to support cyber agility and policy migration
- Concurrent interoperation with multiple certification authorities
- Good self-service capabilities to minimize administrative overheads
Find out more
This is the first in a series of blog posts in which our Chief Technical Officer, Chris Edwards, takes extracts from his latest white paper, Unified Credential Management in Federal Government.
Don’t miss the next instalments from the white paper on this blog.
- Understanding FIDO and PKI credentials for federal government
- Securing the IoT for federal government
The full Unified Credential Management in Federal Government white paper is available to download.