Department of Navy Chief Information Officer - News: Identity Management Operations to Improve Cybersecurity

Audit Readiness of IT Systems (0)	DIACAP (12)	Information Sharing (48)	Open Source (3)
Awards (35)	DON Enterprise Architecture (49)	IT Asset Management (20)	Performance Measurement (2)
Business Case Analysis (11)	Enterprise Licensing Agreements (12)	IT Efficiencies (119)	Personal Electronic Device (18)
CIO Authorities (57)	Enterprise Services (35)	IT Expenditure Approval Authority (12)	Printing and Imaging (Copiers/MFDs) (17)
Civil Liberties (21)	Enterprise Software Initiative (32)	IT Governance (48)	Privacy (261)
Clinger-Cohen Act Compliance (25)	FISMA (11)	IT Infrastructure (17)	Public Key Infrastructure (19)
Cloud Computing (21)	Forms/Reports (14)	IT Investment Management (77)	Records Management (38)
Common Access Card (9)	Freedom of Information Act (26)	IT Portfolio Management (1)	Section 508 (10)
Cybersecurity (243)	Functional Area Manager (9)	Knowledge Management (34)	Social Media (33)
Cyberspace/IT Workforce (35)	GIG Standards (20)	Naval Enterprise Networks (38)	Spectrum (57)
DADMS/DITPR-DON (42)	Green IT (10)	Naval Networking Environment (12)	Statutory & Regulatory Compliance (11)
Data at Rest (10)	Identity Management (113)	NGEN (18)	Telecommunications (63)
Data Center Consolidation (37)	IM/IT Strategy (44)	NMCI (27)	Wireless (66)
Data Strategy (12)	Information Assurance (63)

Identity Management Operations to Improve Cybersecurity

By Sonya Smith - Published, February 26, 2010

The December 2008 report written by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, "Securing Cyberspace for the 44th Presidency," began with one central finding: "The United States must treat cybersecurity as one of the most important security challenges it faces."

The report went on to state, "Creating the ability to know reliably what person or device is sending a particular data stream in cyberspace must be part of an effective cybersecurity strategy." The report urged the government to accelerate the adoption of identity authentication.

The administration's Cyberspace Policy Review, released in April 2009, stated very clearly that: "We cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people."

The National Security Telecommunications Advisory Committee's "Report to the President on Identity Management Strategy" of May 2009 states: "… this lack of trusted identification enables harmful and/or malicious activity and diminishes national security/emergency preparedness capabilities, endangering national and homeland security as well as individual privacy and security."

The Department of Defense understands the magnitude of the threat we face in cyberspace. The threat is advanced, persistent and constantly changing. In addition, the increasing popularity of collaborative web applications, such as blogs, social networks, podcasts and wikis, and mobile devices, has brought a new set of challenges to cybersecurity.

There is a clear appreciation of the relationship between cybersecurity and identity management; we must be able to authenticate entities, as either human or nonhuman, with DoD resources and then be able to manage access privileges.

A major vulnerability on DoD networks is the use of usernames and passwords. Therefore, the DoD has increased assurance of user authentication by replacing the requirement for usernames and passwords with the DoD Common Access Card (CAC) and associated public key infrastructure (PKI) to cryptographically logon to DoD unclassified networks. This effort is now being extended to the classified network as well.

The DoD has seen the benefits of this effort. Retired Air Force Lt. Gen. Charles Croom, when director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations, said in January 2007 that successful intrusions to DoD unclassified networks had declined 46 percent due to CAC use. The DoD is now also requiring PKI-based user authentication to access the majority of its private web sites.

Those same PKI certificates are being used to encrypt personally identifiable information (PII) and sensitive information to ensure its confidentiality while in transit. Digital signatures, also using PKI, provide nonrepudiation services, enabling a higher level of assurance that the e-mail users receive is authentic. Digital signatures also help thwart e-mail spoofing attempts. In the Department of the Navy (DON), these protections are being extended to mobile personal electronic devices such as BlackBerrys.

Identity management initiatives utilizing the CAC with PKI certificates have changed the way the Defense Department does business. But, as with all things, there is always room for improvement. The use of Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standards-201 (FIPS-201) are mandatory across the Federal Government and provide a common language and standard to improve identity assurance.

The CAC is the DoD's vehicle to HSPD-12 compliance, and improvements are being made to the CAC to comply with FIPS-201. These include making the card/token itself more resistant to tampering and counterfeiting, meeting interoperability requirements, improving the vetting process before card issuance to ensure the applicant's eligibility and uniqueness within the database, and the addition of biometrics to the CAC.

The CAC improvements to comply with the FIPS-201 standard are helping to raise the confidence level within the CAC infrastructure. Issuance is the critical point of identity management and because of the FIPS-201, DoD now requires:

an individual's eligibility for a CAC;
verification of DoD affiliation from an authoritative data source instead of a paper form;
completion of the FIPS-201 required background check; and
verification of a claimed identity per FIPS-201.

The enterprise authentication solutions for cybersecurity are currently PKI-based. The DoD has deployed a significant number of "next-generation CACs," or CACs that are being used as part of the HSPD-12 transition.

As part of the transition, some biometrics information is being stored on the next-generation CACs. At a minimum, the fingerprints information on the CAC could be utilized as a stronger form of multifactor authentication.

The focus of identity management must build on successes to date and move forward to a more all-encompassing approach to include meeting the requirements of interoperating with other HSPD-12 compliant federal credentials and securely sharing information with other mission partners.

The new CAC contains advanced technology that will enhance the security of federally controlled facilities and computer systems and ensure a safer work environment for all federal employees and contractors.

For more information about the Defense Department's next-generation Common Access Card, go to the CAC web site at www.cac.mil.

Sonya Smith is the director of the DON CIO Cybersecurity and Critical Infrastructure Team.

TAGS: CAC, Cybersecurity, IDManagement, PKI

Related Policy

Processing of Electronic Storage Media for Disposal

PKI Interoperability with FVEY Partner Nations on the NIPRNet

DON Secure Hash Algorithm Migration

DON Public Key Enablement Waiver Request Process for Unclassified Networks, Private Web Servers, Portals and Web Applications

DoD Acceptance and Use of Personal Identity Verification-Interoperable (PIV-I) Credentials

View More

DON Electronic Signature Policy

Public Key Enablement of DON Unclassified Private Web Servers and Applications

DON Privacy Impact Assessment Guidance

DoD Privacy Impact Assessment Guidance

DON Policy Updates for Use of NIPRNET Public Key Infrastructure Software Certificates

Approval of External Public Key Infrastructures

Public Key Infrastructure Software Certificate Minimization Effort for DON Unclassified Environments

DON Encryption of Sensitive Unclassified Data at Rest Guidance

Safeguarding Personally Identifiable Information from Unauthorized Disclosure

Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media

Safeguarding Personally Identifiable Information

Common Access Card Eligibility for Foreign National Personnel

Compliance and Review of Logical Access Control in DoD Processes

Policy for Digital Signature Functionality and Acceptance

Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency IT Investments

DoD-Wide Digital Signature Interoperability

Protection of Sensitive Department of Defense Data at Rest on Portable Computing Devices

DoD Implementation Guide for Transitional PIV II SP 800-73 v1

Federal Information Processing Standard 201-1: Personal Identity Verification of Federal Employees and Contractors

National Industrial Security Program Operating Manual

DON Privacy Program

DON Information Assurance Manual

Withholding of Information that Personally Identifies DoD Personnel

DON Privacy Impact Assessment Format Guidance

DON Public Key Infrastructure Implementation Guidance

Policy for a Common Identification Standard for Federal Employees and Contractors

Smart Card Senior Coordinating Group

Related News

Privacy Tips

PII Breach Articles from CHIPS Magazine

DoD to Cease Issuance of Software PKI Certificates to FVEY Partner Nations

NMCI's Ever-Improving Security Profile

DON Digital Signature and Encryption Policy for Emails Containing PII

View More

DON to Migrate to Use of Stronger Cryptographic Algorithms

PKE Waiver Process Is Updated

DoD Memo on PIV-I Credentials Released

DON Electronic Signature Policy Released

DON Current and Future PKI and PKE Activities

Compliance Spot Checks Key to Successful Privacy Program

Theft of Storage Media Containing PII

Copier/Printer May Present Information Security Risks

Protect Your Personal Information: It's Valuable

Defending Cell Phones and PDAs Against Attack

Reducing the Use of SSNs is Key to Securing PII

Insider Threat

Reduce PII Loss by Proper Disposal/Sanitization of Unclass Equipment

What You Should Know About Identity Theft

Related CHIPS Magazine

3 Components in the Hunt for Cyber Threats

How to Create a Secure Password

Factsheet: National Background Investigations Bureau

Download CHIPS Magazine Mobile App!

Three Priorities Straight from HQ Marine Corps C4

View More

DISA Announces Video Series for the National Background Investigation System

Senior Officials: DoD Supports Strong Encryption for Defense, Commercial Security

Transparency Has Place in Intelligence World, DoD Official Says

DoD CIO Issues Information Technology Environment Way Forward

DON Cyberspace (Cyber) IT and Cybersecurity Workforce — Who Are We?

Kenneth W. Bible, Deputy Director, C4 / Deputy CIO, Headquarters, U.S. Marine Corps

Privacy Awareness Tips

Q&A with Capt. John D. Zimmerman Deputy CIO Naval Sea Systems Command

Safeguarding Your Common Access Cards and Military Identification Cards

Strengthening Privacy Awareness and Protection

Your mobile phone account could be hijacked by an identity thief

NIST Released the final version of "Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access"

DON CIO Awards Recognize Information Management and Information Technology Excellence

NIST Releases New Cryptographic Standards and Guidelines Process

Q&A with Capt. Michael N. Abreu

Q&A with Cmdr. Damen Hofheinz, OPNAV N2N6BC lead for the JIE/JRSS

Visit or Dial-in to West Coast DON IT Conference

DON IT Conference West Coast 2016 Registration Available Until February 5

NIST Released NIST Interagency Report 8055, Derived Personal Identity Verification Credentials Proof of Concept Research

Changing the DoD Cyberspace Culture

DoD SHA-256 Upgrade

DON IT Conference, East Coast 2016 and USN-USMC Electromagnetic Spectrum Summit Begin April 20

Information Security in the Mobile Environment

Taking Advantage of Learning and Networking Opportunities

Recovering from Identity Theft is Easier with a Plan

Register Now For DON IT Conference, West Coast 2016

Strengthening Cybersecurity Awareness

Defense, Intel Leaders: Cybersecurity Priorities are Defense, Deterrence

Pilot Projects to Improve Cybersecurity, Reduce Online Theft

National Counterintelligence and Security Center Partners with Office of Personnel Management to Assist Personnel Affected by Data Breaches

New ALNAV Regarding OPM Data Breach Notifications and Services Related to Data Breach Two

NCCoE Seeks Vendors to Develop Model Systems for Controlling Access to IT Assets

OPM Establishes New, Online Cybersecurity Incident Resource Center

OPM Acts to Protect Federal Workers, Others From Cyber Threats

OPM Announces Steps to Protect Federal Workers and Others From Cyber Threats

Christopher J. Page, Command Information Officer, Office of Naval Intelligence

OPM, DoD Announce Identity Theft Protection and Credit Monitoring Contract

OPM Data Breach Reminders

OPM Announces Actions to Strengthen Cybersecurity and Protect Critical IT Systems

NIST’s NextGen PIV Card Strengthens Security and Authentication

OPM data breach – what should you do?

ActivIdentity ESL Supports DON IT Security Infrastructure While Saving Millions

FCC/C10F Releases Strategic Plan

Personnel Now Permitted to Use Navy-Issued Mobile Devices for Personal Use

DISA Rolls Out Defense Department Online Collaboration Tool

Pushing the Boundaries of Cybersecurity for the Marine Corps Forces Cyber Command

Related Resources

Privacy Briefs

Personally Identifiable Information Posters

2014 PII Brief

Inventory of DON Systems With Completed Privacy Impact Assessments

Privacy Frequently Asked Questions

View More

Unique Investment Identifiers for FY2013

Privacy Training and Compliance Resources

Privacy Recommended Reading List

2012 Identity Theft Brief

2012 Privacy Impact Assessment (PIA) Brief

Privacy Impact Assessment Signature Routing Guidance

OMB Information Collection Number

Privacy Impact Assessment Resources

Privacy Impact Assessment Template "Gouge"

Privacy Impact Assessment Template Risk Mitigation Question Responses

Take the DON Privacy Quiz!

PII Breach Reporting Resources

Privacy Information and Resources

Potential Consequences for Failing to Safeguard PII

DON CIO Information

About the DON CIO

Contact Us

DON IM/IT Vision, Mission and Goals

Key Documents

Leadership Team

Organization Chart

Awards

Online Services & Community

RSS Feeds

DON CIO FOIA

DON CIO Mobile Website

Website Accessibility

Report a PII Breach

CHIPS Magazine

Veterans Crisis Line

DON CIO Privacy

External Links Disclaimer

Email Alert Signup

SECNAV DON CIO • 1000 Navy Pentagon
Washington, DC 20350-1000

This is an official U.S. Navy website (DoD Resource Locator 45376) sponsored by the Department of the Navy Chief Information Officer (DON CIO). The purpose of this website is to facilitate effective information flow about information management/information technology and cybersecurity issues and initiatives occuring within the Department of the Navy.

Please read our Privacy Policy notice.
Please read our Section 508/Accessibility Statement.

www.navy.mil | www.marines.mil | www.esi.mil | http://foia.navy.mil
www.navy.com | www.marines.com | www.usa.gov | No FEAR Act

Trending

Identity Management Operations to Improve Cybersecurity

By Sonya Smith - Published, February 26, 2010

TAGS: CAC, Cybersecurity, IDManagement, PKI

DON CIO Information

Online Services & Community