The PIV Credential Provides Government a Consistent Authentication Mechanism for a Critical Reporting Mandate
Problem
The Federal Information Security Management Act of 2002 (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Annual Agency reporting is required by the Office of Management and Budget (OMB). For the past six years, Agencies have been using paper or manual mechanisms such as unprotected spreadsheets and unencrypted emails creating an enormously unwieldy and burdensome task.
- Annually, over 150 Federal Agencies, large and small are required to submit their progress.
- More than 600 employees and contractors across Agencies actively engage in compiling and managing the data.
- On average, each Agency has submitted 100 spreadsheets or paper copies of security audits.
- At least three [3] full-time equivalents at OMB spend one month compiling and analyzing submissions.
Solution
In October 2009, OMB unveiled a new system, CyberScope, a streamlined platform developed for collection and consolidation of Agency FISMA reporting data. In addition to the considerable reduction in labor and time to analyze the data, CyberScope requires login using the standard PIV credential (or card) and the holders PIN. This is the first time the PIV credential has been required for use of a government wide system.
- There are 75+ Agencies using USAccess for PIV credential issuance.
- USAccess have issued over 530,000 PIV credentials.
Once the PIV credential is received, the employee must activate it at one of the 300+ credentialing centers nationwide. To gain access to any application, users must have an active PIV credential along with a card reader and access software loaded on their computer. OMB grants access to the Agency staff that must complete the FISMA reports in CyberScope.
The PIV Credential Requirement Leads to a Cohesive Identity Management Strategy
Problem
Prior to the issuance of Homeland Security President Directive 12 (HSPD-12), most government agencies deployed online applications and physical access systems in a disjointed approach. Although government employees and contractors require access to office buildings and other facilities as well as multiple systems including email and online applications, there was little consideration about the associated costs and inefficiencies these stovepipes created. Some employees were issued multiple identity cards for physical access depending on the buildings they visited. Not only were users burdened, there was a need to manage identity data in multiple systems creating an error prone environment and placing significant strains on IT help desks, and other support organizations such as office administration and human resources.
Solution
HSPD-12 directs the implementation of a new standardized federal credential designed to enhance security, reduce identity fraud, and protect the personal privacy of those issued government identification. This convinced some agencies to embrace this opportunity to rethink their enterprise strategy for identity management. For example, the U. S. Department of Agriculture (USDA) designed and developed an enterprise wide identity management strategy. Part of that strategy focused on identity management for government employees and contractors centering on the issuance and usage of the PIV Credential. This single user credential is utilized to grant privileges to access agency systems and buildings. Additionally, by employing a unified strategy, it facilitates the automation of routine business processes using this centralized architecture. Over time, a user will no longer need lists of user IDs and passwords, but can use the PIV Credential as a single sign on mechanism to access systems and facilities. Furthermore, this approach has led to significant reductions on Help Desk and IT operating costs delivering internal efficiencies.