February 17, 2006 • Volume 4 • Number 2
Federal Executive Forum Identity Management (IDM)
January 26, 2006
“Unfunded IDM mandates” and “reciprocal background checks” were just two of the topics on the minds of government and industry leaders at the January 26 Federal Executive Forum heard on Federal News Radio. OMB’s Karen Evans told the audience that IDM is not an unfunded mandate, saying “that is not true because the implementation and the approach we are taking to HSPD-12 deals with the lifecycle of the investments.”
Evans added that an Executive Order has been signed by the President to deal with clearance processes and the reciprocity issue going back and forth between agencies.
The January 26 Federal Executive Forum panel, moderated by Jim Flyzik, Flyzik Group, featured:
· Karen Evans - Administrator for Electronic Government and Information Technology - OMB
· Scott O. Hastings - Chief Information Officer for the US-VISIT Program Management Office, Department of Homeland Security (DHS)
· David M. Wennergren, Department of the Navy Chief Information Officer
· Marty Wagner - Commissioner, GSA
· Patrick R. Schambach - Sr. Vice President/General Manager e-Government and Infrastructure Solutions - Nortel Government Solutions
· Alan R. Kraft - Vice President of Federal Systems, Novell, Inc.
· Chris Aherne - Managing Director, Federal Government - BMC Software, Inc.
Below is a transcript of the Forum broadcast on WFED 1050AM Washington, DC and on FederalNewsRadio.com.
Jim Flyzik, Flyzik Group, Moderator: The purpose of the forum is to open the dialogue with key government and industry leaders on important technology and management issues facing the country today, with the specific goal of moving programs forward. Today’s topic is IDM; about its ability to positively ID people, things and electronic bits of information. Internally to a company it may be ID for physical and logical access to buildings and computers, and externally it is about trusted partners, secure supply chains, RFID tags and the like.
We will look at key IDM issues with a detailed look at HSPD-12, which lays out the foundation for IDM solutions in agencies.
Panelists Opening Remarks
Karen Evans, OMB: I’m very happy to be here to talk about what the President has done with the issuance of Homeland Security Presidential Directive 12, which we fondly refer to as HSPD-12.
That sets the framework and the guidance of what the agencies are doing, and the timeline as well of what they need to do for us to have a standard business approach for IDM as well as the technical solutions that we will be implementing within the agencies.
Marty Wagner, GSA: If you are going to do IDM you need to look at a consistent system across the government as a whole; we are not going to be doing one at a time solutions agency by agency or office by office.
So our job has been working with other agencies to make sure we set up standard contract vehicles in place; have policies and procedures in place so that people can do IDM in a way that works for more than 10 people or a thousand people at a time.
Scott Hastings, DHS: As a member of DHS we have a fundamental responsibility around the HSPD-12 directive; but there are a lot of flavors that VISIT has been able to attack in terms of larger IDM issues; its relationship to privacy issues, its ability to ensure that not only do we keep people out based on positive identity, but we facilitate the travel and movement of people because we know where they are.
So it’s a different flavor of the whole issue as an operational aspect at DHS and US VISIT program.
Dave Wennergren, Navy: As CIO of Navy, IDM is a crucial issue. It is absolutely the foundation to this vision of a network centric operation; the idea that people can be around the world and be connected across time and space and get the right information to the right person doesn’t happen unless you have a strong IDM in place.
It is crucial not only to information security but is also crucial to e-government. So I have been fortunate enough to lead the DOD IDM senior coordinating group, which is the forum and the champion body for implementing smart cards, PKI and biometric solutions across DoD and it’s been a great ride.
We have common access cards, 3½ million people strong using that single PKI smart card solution: every active duty person, every reservist, every government civilian employee, every contractor that needs either logical or physical access to DoD facilities using a single smart card PKI solution, and it’s changing the way we work and play.
If you followed me around today you’d see me use the card to get physical access, get on the network, to do cryptographic logon, get access to secure web sites; to be able to use digital signatures to sign a travel claim or do a financial transaction. It’s a great world isn’t it?
Pat Schambach, Nortel: As you know, industry responds best when there is clarity around a topic or around a requirement government has, and when there is clear leadership of who is in charge of the requirement and how it’s going to move forward. This is a large issue.
IDM still requires more clarification in my mind. It’s not a new issue. When I got invited to this show I thought about my past involvement with IDM going all the way back to our days at the Secret Service when we had elaborate systems for checking visitors to a presidential event or the White House.
At ATF I was involved in the national instant checks and background investigations of gun purchasers. At TSA I had responsibility for the CAPS system which prescreened airline passengers.
So, the concept has been around for a long time but stovepiped within organizations. At Nortel we have half a dozen engagements around biometric capture for automated booking, around screening screeners at TSA, around controlled substances at DEA.
What I’d like to see industry do is apply a more enterprisewide solution, and I think HSPD-12 is a good start. And I hope we can talk today about a larger ROI to this investment.
Chris Aherne, BMC: There are a couple themes for industry as we look to work with our government customers on HSPD-12 and IDM in general.
The first one is that there are a lot of best practices frameworks out there around IDM that have been in industry for a long time, and people both publicly and privately have been successful implementing IDM. The good thing about frameworks is they tell you what you should do, and I think where industry comes in on this issue is we need to work with government customers on how you actually get to these standards.
Beyond that, the other issue is that it touches a lot of different parts of an organization; there are a lot of stakeholders involved, and typically I think that looking at something like HSPD-12 is a good idea and people should do it for that reason, but there are more parochial concerns of what’s this going to do for me, what’s the ROI, how am I going to pay for it and how is it going to improve my business. I think that’s an important thing industry can work with government on, as far as moving the implementations along and making IDM systems sustainable across government.
Alan Kraft, Novell: Novell is one of the recognized industry leaders in the world in IDM and we have a lot of large scale systems throughout governments around the world, and so this is a great opportunity for us to partner with government partners in trying to provide solutions today.
We recognize that the government has a lot of heterogeneous environments and so we have to be able to partner with them in enabling those heterogeneous environments, be it open systems or proprietary system.
We have actually partnered with DoD and worked on bringing a COTS product out that actually adheres to network certificate logins and those sorts of things. We approach IDM a little bit differently than a lot of people. We believe it should be role based and fit into the ROI picture.
Jim Flyzik, Flyzik Group: I’m going to open up things to the floor and ask about the key challenges that need to be overcome in order to actually make HSPD-12 a success story in government agencies?
Marty Wagner, GSA: I guess I’d begin with the first challenge working at my level, which is that the solution to IDM tends to depend on sharing some larger system, plugging into a larger system. You don’t just sit within your organization and design a solution.
You plug into a larger solution, and making that work is as much a social issue as it is a technology issue; I think this is our biggest challenge. We have actually made a fair amount of progress, we are using electronic signatures from private sector organizations, sharing across government, but the big issue for us is social.
I think frankly on the vendor side, it’s not whatever the latest whiz-bang product you’ve got, but how do you have a product that is interoperable with other products, which is why we are setting up testing suites with NIST to be able to do that.
Karen Evans, OMB: There are two things that I think we really need to think about. One, now that the policy is out there, we have a mechanism in place that is going forward to deal with publishing and getting industry involved with standards, the implementation of standards and defining those standards.
It’s really how you are going to use them. And you really have to get into what are the business policies, what are the practices and how do you really want to do certain things when you are bringing together physical access as well as system access; who should have access to what.
(Second) We’re going to get to the harder issues now, because this is not really about technology, this is really about how should I share the information, who is really who, who should have the access to that, and that feeds off of what Marty is saying; it’s really going to be a change in the way we do business, and more importantly we have to make sure that we ensure the privacy of this information, the protection and security of the information, as we start bringing it together and people start sharing and we have all of this information about the individuals.
Pat Schambach, Nortel: I think at the very basic level there is an ownership challenge right now. As I get around, I talk to a lot of people in government circles and CIOs in particular and I hear a lot of confusion about the ownership issue.
Some of them tell me you really need to be talking to HR, some tell me you really need to be talking to the physical security people and while I think the directive from OMB applies to the leadership of every organization, I think they are struggling about who really owns the issue inside that organization and who is going to deal with it going forward.
Scott Hastings, DHS: Well it’s a sad day when all technologists on the panel only want to talk about the business processes that accrue to this. There are challenges around the technological implementation. The rationalization of the eligibility standards is crucial and the common understanding of what results in the issuance of a credential. We’ve got to trust every environment that we are sharing with. And in the Federal government it’s a challenge, but in VISIT we are looking even internationally.
It has become an international issue in terms of how legitimate travelers and how they cross borders. So rationalizing and understanding the business process is key to be able to develop against your own risk assessment parameters when you are confronted with an identity that is created by another business process you don’t own.
Chris Aherne, BMC: At BMC, when we look at any technology project, or any business project for that matter, there is a melding of people, process and technologies. People and process are the challenges around implementing IDM in the Federal government. I think there are some challenges beyond that, especially on the IT side with respect to scalability; we’re talking about large complex enterprises.
And then also with respect to heterogeneous systems out there, I think one of my government customers once said to me when we were looking at a project that we have one of everything and that’s what you have to think about when going into an enterprise project. Again, when turning and looking at industry, I think on the scalability side federation is an important concept that people are going to get their minds around and need to think about.
And then on the heterogeneity side you have to look at solutions that really play in a lot of different environments and can standardize administration, monitoring, compliance reporting and that sort of thing across all the different types of technologies out there in a typical government enterprise.
Dave Wennergren, Navy: This is a lot about successful change management. It starts with senior leadership commitment that’s visible and active. The old story that the things we measure are the things we focus on. There’s a great book out called “Execution” and there’s a great quote in the book: “leaders get the behaviors that they exhibit and tolerate”. The way we got started in DoD was a senior leadership commitment that said we are going to do this and measure our progress, so come get on board.
The next thing is you have to think about is it is a multifunction thing; it’s about cybersecurity, it’s about physical security, it’s about business functions. And so you have to have this alignment across the organization that it’s not work that’s going to be done in one single part of the organization and one single discipline. One of the next things that we learned is this idea you have to take this opportunity to move away from local solutions that only satisfy local needs.
This is an opportunity to do enterprisewide solutions; this is an opportunity to leverage commercial best practices; this is an opportunity to do things that are standards based. The reason why I think our DoD smart card PKI solution has been so successful is because we did Java cards, we did GlobalPlatform for security that’s in Visa cards around the world, we did X.509 version 3 PKI certificates that work with commercial products out of the box without a lot of tampering.
Those are the ways that you have to get started. And then you have to keep yourself committed to it by recognizing that it’s OK to take other people’s great ideas, and that would be, as they say, the sincerest form of flattery. Others have gone down this road before us, so it is OK to find best practices and best solutions around the government, around industry, around the world and leverage those solutions so you get your solution deployed more quickly.
Alan Kraft, Novell: The challenges we are bumping into are similar to what the other panelists have described, particularly within the agencies on how do we manage identities, between physical and logical access. So that’s a real challenge within the agencies. We’ve been working with them in that area.
The other area that is very, very key is the heterogeneous environments. The government does have one of everything, so point solutions aren’t really going to work for most of the agencies. Whatever they are going to bring in has to be a plug-in into the existing architecture and make that existing architecture work better. One of the other issues is how they are going to implement HSPD-12 with their current business rules, and so those are challenges.
I think the big one is this issue of federated identities; how does one agency trust the identities and the things coming from another agency, people coming from another agency into theirs. That’s a real key and one of the things we are working with and have solutions for and actually have up and running right now.
Jim Flyzik, Flyzik Group: We were talking about the challenges, questions about stovepipes and heterogeneous solutions and how we are going to move towards commonality and common solutions.
Pat Schambach, Nortel: One thing that none of the panelists have brought up that I’m hearing from a lot of government officials is the funding issue. Many view this as another unfunded mandate; where’s the money going to come from to implement an HSPD-12 solution?
Karen Evans, OMB: Which is exactly why OMB is on this panel, so we can talk about the funding issue and actually an approach we are going forward with; several agencies have come back to us and said this is an unfunded mandate, and that is not true because the implementation and the approach we are taking to HSPD-12 deals with the lifecycle of the investments.
When you look at the ownership issue, you look into an agency, you have an HR group that is implementing IT systems, you have a physical group that is implementing IT systems and then you also have the CIO who is implementing an IT system that all revolves around IDM, biometric access, accessing controls, all those types of things. You have money that is in the agencies for the same exact type of application.
But what we’re asking the agencies to do now is work on this as an enterprise within their own organization and then look at the federal government as a whole. The other part of this is we put together a very stringent timeline, because since 9/11 you need to go back and look to see what has really changed in an agency.
And there is another key point that was brought up about industry helping agencies implement current business practices. That is actually what we are trying not to do with HSPD-12. We don’t want to implement current business practices; what we really want is for this community to look at themselves and say “what does the secretary want to do, what is the risk based approach, what are the levels of authentication and security I need to have both physically and logically for my systems.” We don’t want to implement current business practices; we want to implement new and improved secure business practices while we are ensuring the privacy of those accessing and marrying the information, and finally the other part, the technology part of the solution, about the heterogeneous piece.
We don’t necessarily want to continue on with one of everything. I mean, if you are trying to perpetuate what you actually have now it’s not going to work, because it’s not going to comply with the standards that are being issued under this directive, under HSPD-12, that NIST is putting out.
Jim Flyzik, Flyzik Group: This concept of open systems… get some commonality to lay underneath this stuff so that it doesn’t matter what’s on top of it now; we can all interact with each other and work with each other and over time migrate to a more common solution.
Marty Wagner, GSA: The government is big. We’re big and heterogeneous. The outer world is even bigger and in this approach we’re not trying to do it all, grow your own, do it within the government.
For example on electronic signature, we have arrangements through Fidelity Investments to use their credentials to access government applications, and we need to recognize that we don’t just solve this problem by working out an internal solution; we build on other credentials that are out there so we don’t force citizens to get a special credential to work with the government. We’re working towards that.
That’s one commercial dimension. Large organizations, the whole economy, are going towards standardizing more and more of the business processes, and what Karen was describing, what we’re doing within the Federal government, is what large organizations have found they need to do in order to achieve their missions.
In the future, organizations with heterogeneous systems are going to have more trouble surviving than those with homogeneous systems, and we in the Federal government have that same issue as well.
Dave Wennergren, Navy: The security of our information, information systems, critical infrastructure and people is an imperative. It’s something we have to invest in, and if you invest smartly in IDM you’ll reap a bunch of benefits. You’ll achieve a web services kind of world where you can have authoritative data sources that move away from multiple local solutions and client server solutions, and you’ll dramatically improve your information security.
And there’s cash out there too, because right now we are operating local badging solutions; every base and camp, post and station does a different badge with a different color badge. People are issuing lots of cards, they’re buying lots of card stock.
If you move to an enterprise solution you can do away with all of the local activity that is duplicative and not leveraging the buying power of being a large organization, and you help be the enabler of this movement from the many local solutions to that key set of IT portfolio investments that you want to make for the larger enterprise.
Pat Schambach, Nortel: I’m encouraged by thinking of some of our government panelists here and particularly Dave’s comments about taking this a lot farther. My concern has been that the focus on HSPD-12 will end there. We get identity credentials of some kind to employees and contractors and that’s where it stops. I think the big ROI is going beyond -- other services, other features, other audiences that can be served.
I think about the wallet I carry; we could take bets if we put them out on the table on how thick the wallet would be with cash, but in my case it’s IDM that’s filling my wallet: all kinds of forms of identity for different purposes, for different things.
I want the government to not just perpetuate that scenario, but look at how things could be consolidated and streamlined and go beyond an HSPD-12 solution for an agency.
Marty Wagner, GSA: The key point on doing a central solution, which is of course what we are trying to build, is the ability to execute. And we really have to deal with those local folks who do those very expensive systems, so that we deliver a central system that also delivers them the value for services.
In fact we can do a better job of executing when we concentrate our resources on the central solutions, but the Service Level Agreements (SLAs) are the factors that are going to make or break the success of this initiative, so it’s absolutely critical we do a good job as we roll out these broad solutions.
Scott Hastings, DHS: The unintended consequences are to be thought of now. The potential new use when you have established a firm identity, and the notion that we need to be careful now as we associate the data that goes with that identity. We have a tremendous opportunity to address some of the issues that Marty hinted at.
There are disparate data elements on me, Scott Hastings, out there in multiple databases. I think in terms of cleaning that situation up and attaching trusted information now to an affirmed identity is a key business value.
Secretary Chertoff has also directed us to take a look at what are other benefits that could accrue to the establishment of that credential. How can we look across other government issuance processes to take advantage of a card accessing an infrastructure rather than information being embedded on the card itself. Tremendous opportunities are there and working in immigration we are always focused on secure documentation.
I think there is an opportunity here to look at the card as a security feature, the issues around the card itself and the data associated with that. With the infrastructure possibilities that have been demonstrated by financial world, the insurance world, so many points of presence: why not store the authoritative data somewhere other than the document and kind of change the security posture in terms of what we are relying on as the user of that identification. So there is a tremendous business opportunity if we can get the basic functionality down, which is not inconsequential.
Jim Flyzik, Flyzik Group: Right, I remember the debate on the separation of identity and authentication from privilege, which allows you to address some of the privacy issues right up front to make sure they are properly addressed, with so-called opt-in options and so forth, where people have the freedom to choose how cards are used and the type of information on their cards.
Karen Evans, OMB: I’d like to follow up on a couple of points that have been made. The President does have 25 initiatives that are out there that demonstrate the ability to implement policies across federal government as a whole.
One in particular that’s applicable to this is e-authentication. We’ve given the guidance out to the agencies, but the agencies under this initiative -- and we are measuring the milestones and there is an implementation plan and we work closely with GSA to do this -- (agencies) really need to look at the applications that they have today, how they are using them and what level of security you need to have to address the issues that Scott brought up about the information that’s there, such as about who should have access.
And they have to implement this policy across those applications going forward, and you can’t do a separate solution. You need one that takes into consideration all of the other activities that are going along, like the standards that are coming out of HSPD-12, (such as) how we are buying and implementing things.
We are working closely with Fidelity through the e-authentication initiative and working closely with the Social Security Administration, so that if you get a credential from a financial planning institution like that it will work across the board; so that as you get your information and you bring it in and are managing information about yourself, (such as) I’m going to retire and here are the type of statistics I need to have, you won’t have to have multiple cards, multiple PINs or multiple passwords. So that one piece works across the board so you manage your information.
Jim Flyzik, Flyzik Group: Ideas for a vision for the future, where this is all going; is this just federal, or does it lead to state and local and private citizens? Comments from the panel:
Alan Kraft, Novell: We’re already seeing a great amount of interest in state and local governments in the federal direction with HSPD-12. It really gets back to identity and how they are going to manage identity. A lot is going to be role based.
We believe that is the future, role based identity that fits in well with architectures of the future such as Internet protocol version 6, and we’re starting to see in those state and locals that this is a very important thing for them: how can they trust? And if you look at it from the other standpoint, we’re also hearing, especially from Homeland Security: can they trust the identities of the first responders? So this is going both ways and is very important, and we are starting to see how this is all going to integrate in the future.
Dave Wennergren, Navy: It’s a web based world. The Internet changed so much. So, in the past security often focused around networks and the perimeters protecting networks. And now it’s much more ethereal. It’s not about separate networks for separate types of businesses, it’s about being able to connect people with information.
So it’s this world of object oriented security. In the future we have a strong identity and I can prove I am Wennergren beyond a shadow of a doubt. I have certain attributes and roles that I play, and that allows me to consume data which has been properly tagged and made available to me, so that I can get to the information I need from wherever I am.
It is also a world of standards. It’s like the real estate slogan: standards, standards, standards. We had a vision that we ought to be able to buy cards from any company, buy readers from any company and we should be able to do that anywhere anytime.
If you go in with this type of vision you can do two things: you can align your organization to a common goal, and then you can also work with your industry partners and the rest of government to get yourself to a place where you really have achieved standards and can buy commercial products and not have to tinker around with them. You will only see more and more of a reliance upon this idea about me being able to assert my identity, and by being able to assert my identity, I can do things faster and easier.
Chris Aherne, BMC: I won’t look quite as far out. I think we’ve heard especially from Dave about success stories in government as far as implementation of IDM. We look forward to the opportunity of working with our government customers to bring them all up to that level.
I like Pat’s idea of having one card instead of 10 or 12 and ultimately that is a good thing. The good news here is while there are challenges, wherever there are challenges there are rewards. Ultimately when we talk about funding some of these things can pay for themselves with respect to return on investment; things like reduced help desk calls if you have self service to name just one.
So, not looking quite as far out, I think there are plenty of things we can work with government customers now in terms of bringing people to the standard of HSPD-12 and implementing IDM.
Marty Wagner, GSA: This is too important to be left just to the technologists. This is about delivering on program results; it’s a key enabler. You need the technology and you need to listen to the technologists, but the technologists need to be driven by the business realities of the company or the government.
Scott Hastings, DHS: Always driven by business. I think again, this is going to be a sea change for everyone, certainly beyond the federal government. We can’t predict -- and this is a fascinating thing when we stand on the threshold of things like this -- we can’t predict what behaviors will result, what new business values will be determined once we have established a sound IDM process.
If you can imagine, I throw out a little bit of caution; up to this point, where we didn’t establish identity with the substance of biometrics behind it, it wasn’t definitive. It was always a human intervention and examination, a healthy disrespect for the documents you were presented with before you granted benefits to the holder of those documents.
Sometimes I worry about the unilateral wholesale acceptance when we have established a biometrically related sound identity. We’re going to have to continue to have that second thought about what I’m being presented with. Again, the result of the credential and the identity is only as sound as the process that generated it. We never want to forget that we need to take a look at that. There are unintended consequences that we need to think about right now, about how this new capability will be used in more broad operational venues.
Pat Schambach, Nortel: It is exciting to think about the implications of where all this could lead. One of which is a pet peeve of mine that I hope this leads to is cross utilization of background investigations.
If you think about IDM, if it’s done well, the excuse we’ve all heard in government of why Agency X won’t accept Agency Y’s background investigation to me is ludicrous; a tremendous amount of overlap and duplication, tremendous constrictions for the service provider community. I can have employees working today at Agency X that I need to shift to Agency Y to fill a gap, and Agency Y won’t accept clearances that were just done by Agency X. Again it’s an implication that this could lead to, and I hope it does.
Karen Evans, OMB: Let me be the first to address Pat’s issue. He’ll be happy to hear that actually the agencies have sent to us implementation plans to do exactly what you are talking about. There has been an Executive Order that the President did sign now dealing with clearance processes to deal with the reciprocity issue going back and forth. So, we are looking at all these and we brought this up earlier.
It’s not looking at this as HSPD-12 by itself and that we need a technology solution to do this, but we are looking at everything associated with this, and the clearance process again is at the heart of this issue, and the Administration has acknowledged that going forward, so all of these things are going along concurrently, because these are the foundational type of activities that need to be done to get to what we would call having the right information to the right people.
It’s about information; the government has the largest amount of information. We collect information, we send information out, and we have to ensure that the people who have access to that information are the ones that should, and that we are also ensuring the security and privacy of that information.
So IDM is a tool, a foundational type of activity going along that path, so that we can really look at what we need to do. What do we need to do to have better security; what do we need to do to protect our borders; what does it mean when we are going to have net-centric war operations type of activities. But you have to get these pieces done first, so you can go for it and talk about the possibilities of where you want to be without losing sight of security and privacy.
Jim Flyzik, Flyzik Group: When I think of these last comments made about this idea of reciprocity of background investigations, I can picture a future world as we move forward with IDM and common background investigations and common secure databases, and have the security features to be able to generate common access credentialing across government.
Just think of the world of productivity improvements and enhancements and reduced administrative costs and paperwork processes that would be inherent in that, and the kind of world we can have. I tend to think too that the federal government becomes a leader in this area, and as it begins to be implemented I think we’ll see our government agencies stepping up and becoming seen as world class implementers in this space as we move on these tough issues out to state and local governments and the private sector, with the privacy issues inherent in it.