USDA HSPD-12
USDA and the GSA HSPD-12 Shared Solution
USDA has been at the forefront of driving a shared solution for HSPD-12
across the Federal Government…
Co-chairing the HSPD-12 Executive Steering Committee
Contributed to the development of the General Services
Administration (GSA) Statement of Work for HSPD-12
Serving on the vendor evaluation committee
To that end, USDA is prepared to adopt the GSA HSPD-12 Shared Solution as
its USDA enterprise-wide solution.
HSPD-12 PIV card: LincPass cards
LincPass Process (diagram): HR sponsors, the person enrolls, the BI is completed, the card is issued, and the person activates it (Getting a Card); the card is then used for Logical Access and Physical Access (Using a Card).
Identity and Access Management (diagram, current state). Layers: Identity (Employees, Contractors, Customers; Identity Stores; Role/Attribute Mgmt: Org, Position, Location); Credentials (HSPD-12 CHUID, PKI Certificates, eAuth, Password, Username); Authentication (AD Domains, eAuth, Mainframe, LACS, PACS, E PACS, 802.1X, VPN, Device Auth, User Auth, Quarantine, Network Admission Control, InCommon Federation); Authorization and Access Control (Application RBAC, Win 2K3 AzMan, Entitlement Mgmt, Role Based Access Control, Security Profile Mgmt); Application Integration (eGov Services, Non-Repudiable, Disk Encryption, Persistent Connectivity, Mobile Computing, IPSec/SSL VPN, Collaboration); Auditing spans all layers.
Identity and Access Management (diagram, target state). Same layers, with: Credentials (HSPD-12 CHUID, PKI Certificates, eAuth, Password, Username); Authentication (AD Domains, eAuth, Mainframe, LACS, PACS, E PACS, Device PKI, PIV User Auth, Federation; Remote/Wired/Wireless Network Access Control and Endpoint Security); Authorization (VPN, RBAC, Attributes, Rules Engine, Identity Mgmt, Enterprise Entitlement Management System (EEMS), Entitlement Mgmt, Workflow Engine); Enhanced Services (Health State Validation, File Integrity, HB IPS/FW, Remediation, DLP, Encryption, Digital Signature, Non-Repudiation); Auditing spans all layers.
HSPD-12 Business Process
General HSPD-12 Concept
Sponsorship: capture applicant information and authorize PIV card
Enrollment: identity proof and capture biometrics
Adjudication: complete BI and record results
Issuance: produce card and issue to applicant
Activation: authenticate applicant and activate card
Credential Usage: manage card lifecycle
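To make the ordering and preconditions of these six stages concrete, here is an added example (not USDA's or GSA's code) that models the lifecycle as a small state machine: a stage can only run when it is the one due, a card cannot be issued until the BI has been adjudicated favorably, and activation requires the applicant to match the biometric captured at enrollment. The `PivRecord` type, the SHA-256 stand-in for fingerprint template matching, and the sponsor and card identifiers are constructed assumptions; the applicant name is taken from the sample card face in the deck.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import hashlib

# The six lifecycle stages, in the order the deck presents them.
STAGES = ("sponsorship", "enrollment", "adjudication", "issuance", "activation", "usage")
class LifecycleError(Exception): pass    # stage out of order, or precondition failed
@dataclass
class PivRecord:                         # constructed model of one applicant's IDMS record
    applicant: str
    stage: int = 0                       # index into STAGES of the next stage that is due
    sponsor: Optional[str] = None
    biometric: Optional[str] = None      # hash standing in for the enrolled fingerprint template
    bi_result: Optional[str] = None      # adjudication outcome recorded after the BI
    card_id: Optional[str] = None
    active: bool = False
    log: List[str] = field(default_factory=list)

    def advance(self, stage: str) -> None:
        due = STAGES[self.stage]
        if stage != due:                 # enforce the order: no skipping or repeating a stage
            raise LifecycleError(f"{stage} attempted for {self.applicant}, but {due} is due")
        self.stage += 1
        self.log.append(stage)

def sponsor(rec: PivRecord, sponsor_id: str) -> None:   # capture applicant info, authorize card
    rec.advance("sponsorship"); rec.sponsor = sponsor_id
def enroll(rec: PivRecord, template: bytes) -> None:    # identity-proof and capture biometrics
    rec.advance("enrollment"); rec.biometric = hashlib.sha256(template).hexdigest()
def adjudicate(rec: PivRecord, result: str) -> None:    # complete BI and record the result
    rec.advance("adjudication"); rec.bi_result = result
def issue(rec: PivRecord, card_id: str) -> None:        # produce and issue card: favorable BI only
    if rec.stage == STAGES.index("issuance") and rec.bi_result != "favorable":
        raise LifecycleError("issuance refused: adjudication was not favorable")
    rec.advance("issuance"); rec.card_id = card_id

def activate(rec: PivRecord, template: bytes) -> None:  # applicant must match enrolled biometric
    if rec.stage == STAGES.index("activation") and hashlib.sha256(template).hexdigest() != rec.biometric:
        raise LifecycleError("activation refused: biometric does not match enrollment")
    rec.advance("activation"); rec.active = True

def run_demo() -> dict:                  # happy path plus two refusals, for inspection
    rec, out = PivRecord("Bloggs, Joseph G"), {}        # name from the sample card face
    try: enroll(rec, b"FP-A"); out["enroll_first"] = "allowed"   # enrollment before sponsorship
    except LifecycleError: out["enroll_first"] = "refused"
    sponsor(rec, "HR-1"); enroll(rec, b"FP-A"); adjudicate(rec, "favorable"); issue(rec, "LP-0001")
    try: activate(rec, b"FP-B"); out["wrong_person"] = "allowed"  # different biometric presented
    except LifecycleError: out["wrong_person"] = "refused"
    activate(rec, b"FP-A")
    out["active"], out["log"] = rec.active, list(rec.log)
    return out
```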
Process Components (diagram): IDMS GUI and IDMS DB at enrollment and finalization; Certificate Authority; CMS; CPS; Finalization Workstation with Card Reader; CA Enrollment; Finalization; CMS & IDMS.
Overall Architecture (diagram): LACS, PACS, and HR components, each marked as Shared Service or USDA Responsibility. Registration workstation (document scanner, card reader, camera, fingerprint scanner); CHMS app server, DB and reporting; OPM/FBI; card printing and card distribution; CMS and CPS; PKI (certificate authority, CRL, OCSP responder, key management); Registration AD; agency LACS (AD, MIIS, RDBMS data store, workstations); enterprise servers; agency PACS (controller, master DB, mobile unit, facility); Personnel Management System.
EIMS status (diagram): HSPD-12 Service Provider; Logical Access Control Systems; Sponsorship & Adjudication data feed: done; SIP data feed: done; EmpowHR: done; Non Employee Identity System (NEIS): done; EIDS V3.1 and EIDS Connector: done; Payroll Personnel (PP): done; AD Connector & Card Info Feed: in progress (7 agencies done); Laptop User LincPass Domain Login: all agencies in progress; ePACS Connector (3/13/09).
Three Phases with NCE and GSA shared solution
June 9 – Sept 30, 2008 – Summer Mobile enrollments
October 1 – April 30, 2009 – Winter Mobile enrollments
May 1 – Sept 30, 2009 – Sustainment and Operations
Participants:
• General Services Administration
• Office of Personnel Management
• United States Department of Agriculture
• United States Department of Energy
• United States Department of Interior
• US Department of Justice
• United States Department of Treasury
Example of Enrollment Locations, Phase 1 and 2 enrollment (map): Sioux Falls (DOI), Minneapolis (USDA/APHIS), Fargo (USDA/ARS), Falcon Heights (GSA), Park Falls (USDA/FS), Stevens Point (USDA/RD), Grand Forks (USDA/ARS), Duluth (USDA/FS), Mankato (USDA/FSA), Rochester (USDA/FSA), Grand Rapids (USDA/FS), Baxter (USDA/FSA), Morris (USDA/ARS), Marshall (USDA/NRCS), Madison, Huron (GSA), Aberdeen (USDA).
Phase 3 Permanent Locations Example (map): Klamath Falls*, LaGrande*, Pendleton*, Roseburg*, Tangent*, Yakima
Phase 3 Light Activation
Participants Identified (legend): Permanent Enrollment / Activation centers (Shared; Agency Only); Light Activation Stations (Shared; Agency Only).
Light Activation station components: Fingerprint Reader, Read/Write Smart Card Reader, Special Software.
USDA Report Card
• Over 160 Mobile Enrollment stations during Summer
• 225 Mobile Enrollment Stations during Winter
• Enrolled 74,000+ Employees across the Entire Country
• Enabled Two-Factor Authentication for almost 55,000 Laptops
• Implemented a National PACS Infrastructure & Began Connecting
USDA Next Steps
PIV cards:
Continue issuing cards to Federal and contract staff
Complete remaining investigations
Two-Factor Authentication:
eAuthentication Two-Factor Integration
VPN Two-Factor Integration
Digital Signature Integration for Office, Outlook and Adobe
Encryption Integration for Outlook
ePACS:
Identify remaining MCFs
Implement solution at all MCFs
Other:
Continue to share information with NCE participants
Network & Endpoint Security (diagram): wired hosts behind a Distribution Layer Switch, wireless hosts behind a Wireless Access Point, and remote hosts over SSL VPN, each running an Endpoint Security Agent (Host-Based Firewall, 802.1x Supplicant, Host-Based IPS, SSL VPN, Health Check); a Network Access Controller consults the USDA Enterprise Directory, VPN and IDS, and the Health Check result is Pass or Fail. Sample card face: United States Government, USDA, Bloggs, Joseph G, Expires 2012OCT22, Affiliation Contractor, Agency/Department Department of Agriculture.
NAC Agent checks (legend): BigFix, Anti-X, Patch Management, Disk Encryption, FDCC, File Integrity Checking, Host-Based FW, Host-Based IPS, Data Loss Prevention, User Roles. ISOC Auditing and Reporting; Remote Access.