Monday, July 13, 2009

FIPS 201 and PIN, Don’t store secrets! Never replicate or put a PIN in the clear!

IDmachines recently has run across a number of situations in which people want to leverage the PIN on a FIPS 201 (HSPD-12) credential. The idea is to use a PIN on system as a second factor in combination with the contactless components of the credential. Multi-factor authentication is a great idea for any access control application. Something you have plus something you know is simply more secure than something you have alone.

But let’s be clear, it’s something YOU have and something YOU know, not something WE (as in anyone with access to a database or application) know. The PIN on a FIPS 201 credential is something you set and that is then locked away. You should never tell anyone, and you should certainly never store it in a database for use in another application. In particular, under no circumstance use the PIN that is associated with and provides access to your private keys as a PIN on system for a physical access control application. End of story, no further discussion please.

It’s not the worst thing in the world to have a second PIN for the physical access control system, particularly given the increase in security it brings to contactless applications in the FIPS 201 world. Further, this is where you can be creative: there are certainly ways to USE the PIN but not STORE it on the physical access control system (PACS). This is where you need to dig into your cryptographic tool box and do something neat (surprise… IDmachines and its clients would be glad to help). Just don’t compromise your FIPS 201 credential and do something silly such as storing the PIN on the system. It doesn’t matter if it’s only accessible by administrators or security officers. It’s your PIN, it protects a PRIVATE key, and policy states never give it to anyone. This is not a case where it’s OK to bend the rules.
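One way a PACS can use a separate, second PIN without ever storing it, as an added example that is not IDmachines' code nor any PACS product's: the panel keeps only a per-card random salt and a PBKDF2 verifier, binds the verifier to the card identifier, compares in constant time and locks the record after repeated failures. The PIN length rule, iteration count and attempt limit are assumed values, not taken from FIPS 201.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example (not from FIPS 201 or any PACS product).
PIN_MIN_LEN = 6
PIN_MAX_LEN = 8
PBKDF2_ITERATIONS = 200_000
MAX_ATTEMPTS = 5


def _pin_well_formed(pin: str) -> bool:
    return pin.isdigit() and PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN


def _derive(pin: str, card_uid: bytes, salt: bytes, iterations: int) -> bytes:
    # The card identifier is mixed into the salt so a verifier copied from one
    # card record to another never matches, even if two holders pick the same PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_uid + salt, iterations)


def enroll_pacs_pin(card_uid: bytes, pin: str) -> dict:
    """Build the record the PACS stores. The PIN itself is never written anywhere;
    only a random salt and the key-stretched verifier are kept."""
    if not _pin_well_formed(pin):
        raise ValueError("PIN must be %d-%d digits" % (PIN_MIN_LEN, PIN_MAX_LEN))
    salt = secrets.token_bytes(16)
    return {
        "card_uid": card_uid,
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "verifier": _derive(pin, card_uid, salt, PBKDF2_ITERATIONS),
        "failures": 0,
    }


def verify_pacs_pin(record: dict, card_uid: bytes, pin: str) -> bool:
    """Second-factor check at the door: recompute the verifier and compare in
    constant time. Failed attempts are counted and the record locks out, since a
    numeric PIN has a small keyspace and online guessing must be rate-limited."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False  # locked; requires an administrative reset, not a retry
    if card_uid != record["card_uid"] or not _pin_well_formed(pin):
        record["failures"] += 1
        return False
    candidate = _derive(pin, card_uid, record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["verifier"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def record_contains_pin(record: dict, pin: str) -> bool:
    """Sanity check for auditors: the stored fields never contain the PIN digits."""
    raw = record["salt"] + record["verifier"] + record["card_uid"]
    return pin.encode() in raw


if __name__ == "__main__":
    # Constructed sample card identifier and PIN, not real credential data.
    uid = bytes.fromhex("0102030405060708")
    rec = enroll_pacs_pin(uid, "246813")
    print("stored PIN in clear:", record_contains_pin(rec, "246813"))
    print("correct PIN accepted:", verify_pacs_pin(rec, uid, "246813"))
    print("wrong PIN rejected:", not verify_pacs_pin(rec, uid, "246814"))
```

Key stretching only raises the cost of offline guessing against a stolen record; the attempt counter is what stops online guessing at the reader, and neither replaces the rule that the card's own private-key PIN stays on the card.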

Sunday, July 5, 2009

FIPS 201 and India National ID, interoperability anyone? Unique Identification Authority of India names “Secretary of Identity”.

A race is on, not unlike the race to the moon, and we will see if the United States can catch up with the rest of the planet when it comes to identity credentials. This blog and IDmachines continue to tout the progress that has resulted from Homeland Security Presidential Directive 12 (HSPD-12), its expansion to the private sector as evidenced by the activities of the 4 Bridges Forum, and the continued expansion and evolution of Federal Information Processing Standard 201 (FIPS 201). However, in terms of strong digital IDs, the EU is at 100 million (as opposed to 10 million in the US) and India just upped the ante.

The recent announcement states that India will roll out a national identity credential for 1.1 billion citizens and get it going by 2010. The India Congress Party’s actions bode well for the Indian and hopefully global identity industry. It’s not surprising that one of the world’s most dynamic economies and the world’s largest democracy has decided to make identity infrastructure a priority. While not surprising, it is impressive that the Indian government leveraged the mandate of the recent election (are you listening, President Obama…). India will create a cabinet-level position for the Unique Identification Authority of India and has already named their “Secretary of Identity”, touting entrepreneur Nandan M. Nilekani, a founder and former chief executive of Infosys Technologies. Mr. Nilekani will leave his post as a co-chairman of the board to take on the ID card project.

Here in the US we rightfully want to address finance reform, economic stimulus, expanded health care, climate change and other initiatives. It’s great that the Obama administration has decided to show leadership on these important topics. This blog repeats that creating a national identity infrastructure should be the first step in addressing most of these issues (even emission trading is facilitated by a multi-purpose credential). It seems that the rationale for the investment is well understood in India and articles in the NY Times, Financial Times, Independent, India Times, DNA India, all make points of the benefits of investing in identity.

These sources cite (among other things) that the program will create 100,000 new jobs, streamline government-to-citizen disbursement, reduce fraud in benefits to the citizens (e.g. think savings in Medicaid, Supplemental Nutrition Assistance Program, Unemployment Benefits, etc.), and enable secure citizen-to-government transactions. All represent goals in play in this session of the US Congress. In the US we have yet to realize that identity runs across these programs. Neither Congress nor the Obama administration fully realizes the leverage an identity investment gives to all of these legislative, policy and economic goals. There are bits and pieces of identity in different bills and no coherent overarching approach. No offense to the ornithologists or vegetarians, but we are missing the opportunity to kill more than one bird with one stone.

One interesting article even proposed skipping a generation of identity credentials and basing the national ID on a SIM card. This is a fascinating idea, particularly given the capabilities of today’s mobile devices. This is clearly the future, and while it’s not a likely outcome in the India case (don’t think that mobile devices have sufficiently penetrated to the 1.1 billion individuals who will be covered), the fact that it’s being discussed shows how an investment in identity has the potential to leapfrog the technology base of countries. Maybe it will be an option, and if so it will create a whole new concept of mobility.

You have to give props to the Indian government for their initiative and good luck to Mr. Nilekani. Not surprisingly IDmachines and many other companies in the identity world will be taking a close look to see how they might get involved.

Finally, is anyone making the argument that India should be looking at FIPS 201 as a basis for their credential specification? More than most global ID specifications it meets the needs for multi-use by combining contact and contactless interfaces, logical and physical access control, strong authentication, digital signatures and encryption, and it continues to evolve (e.g. match on card, contactless mutual registration, secure channel, elliptic curve, etc.). Is it possible that we could be entering the world of “Identity Diplomacy”, where the US Ambassador in New Delhi has interoperable identity credentials as part of his brief? This would certainly be a boon to economic cooperation, and another way to leverage the global investment by industry in FIPS 201.

Saturday, June 13, 2009

Interoperable FIPS 201 Value Proposition: New York Times Highlights Needs for Strong Medical IDs

This is likely the easiest post I will ever do, but you have to love it when the New York Times has your back. Today’s article, “New Ailment: Medical ID Theft”, points out the danger of medical identity theft. While I mentioned this in my last post, this article brings it very specifically to light.

To make the point again: any Health IT spending must include an investment in strong identity. Interoperability of health data without strong identity credentials is putting the cart in front of the horse. See the previous post for more details.

Monday, June 8, 2009

Use Cases for FIPS 201, Multi-use Interoperable Health Credentials

IDmachines supports an investment to bring health credentials into a PIV-I world. Interoperability among health care providers, payers and patients provides a great use case for high assurance interoperable credentials. It’s a widely required application for an identity credential.

Any investment in healthcare IT has to realize this. Healthcare needs strong identity assurance yet most systems in the US don’t make the investment in an identity infrastructure. The United States Government needs to invest in infrastructure to support item 10 (in the Cyberspace Policy Review) identity management/privacy and civil liberties.

Some organizations have begun this, Mt. Sinai being a leader (see below). Many countries have also done this; the US has not. Unless the US invests in strong identity, we won’t get the cost savings or improve healthcare, and the US will continue to be a laggard. Please don’t give me another bar code or magnetic stripe ID card, web account(s), user names and passwords. Even scarier, don’t accept federated IDs that don’t have any way of knowing who is establishing the accounts. Don’t make me get more certificates either. Can someone commit to identity infrastructure as part of the Health IT stimulus? That’s the gist of this post.

IDmachines supports the efforts of the Smart Card Alliance and the Secure ID Coalition, which combined to deliver the message that strong identity matters for any health IT effort at a National Press Club briefing in Washington DC on May 19th.

Credentialing matters when millions of individuals are involved in a program, and surely this is the case as state and national health insurance programs grow. Strong privacy and security, interoperability and multi-use would be good things to have in a credential. I don’t see any in the health market place. I access my health accounts (also the Microsoft and Google “Vaults”) with a username/password or a bar code/number at a desk. Why can’t I use my government-issued digital ID to log into these sites?

These are strong assurance credentials, with background investigation and breeder document checks. The process is well defined and in my case the issuance procedures worked. I want to be able to use it. Organizations can have greater assurance of my identity when I use it. I have the ability to log on, digitally sign communications, and encrypt sensitive information. Please spare me from my endless usernames and passwords and changing them on a frequent basis, what a pain. Give me my PIN and biometric and chip and certificate(s) and private keys that I use for everything. Sounds uber-tech, well, it’s the way in dozens of countries.

Estonia, despite (or maybe as a result of) getting cyber attacked, is making a renewed investment. As I said, there are dozens of large scale programs, including England, Italy, Belgium, Austrian health cards, German health cards, Brisbane driver license, Angola, Nigeria, Ivory Coast; it’s a long list. A lot of places are making the identity investment that will then be leveraged.

In the United States, without a funded program and in the current economic conditions, it’s not about whether it’s the “right” thing to do. The real question is why invest when you can just print a flash pass or bar code. I refer to why Mount Sinai would do it. I have heard Paul Contino before, but he repeated the rationale at the National Press Club. It always makes sense. To repeat again…

“Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions,” said Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. Paul cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

In fact it’s completely irresponsible to invest in health information technology without doing it. The financial arguments are well established. Organizations that implement new health IT applications can use PKI and PIV credentials. Soon the entire US Government will use them, and a lot of people interact with it.

More information is available in Smart Card Alliance publications. “Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems” explains the current problems with identity management in healthcare and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs. The newly published “Smart Card Technology in Healthcare” frequently asked questions document outlines how the technology is used to manage patient identity and protect a healthcare consumer’s personal information.

Wednesday, May 20, 2009

A FIPS 201 Bridge Across the Seas and the Expanding World of PIV-I

One more example of how FIPS 201, Personal Identity Verification Interoperability (PIV-I) and cross certification to the Federal Bridge Certificate Authority continue to gain momentum as an enterprise credentialing standard is the Transglobal Secure Collaboration Program (TSCP). This brings into play foreign national governments (the UK and Netherlands Ministries of Defence, in addition to the US DoD and GSA) and foreign multinational corporations. TSCP chains to the Federal Bridge Certificate Authority through Exostar and CertiPath. Primarily aerospace in focus, it includes the who's who of companies in the field.

If you look at these organizations it's clear how this sets up FIPS 201 and PIV-I to make headway in the European Community. It sets up significant enterprises for FIPS 201 credentials in their next refresh cycle. It further confirms the vitality of PKI and its basis for identity federations interested in strong authentication.

This is not news; the change in DoD policy to accept "comparable credentials" actually came out 22 July 2008. However, it is another brick in the wall in making the case that FIPS 201 is not just about US Government employees and contractors. So for completeness it's an important addendum to the last post.

Wednesday, May 13, 2009

Meets FIPS 201 Bridges Out, or How HSPD 12 Creates and PKI Becomes a Standard for More than the US Government Identity and Credentialing Programs

IDmachines has focused from day 1 on the opportunity created by Homeland Security Presidential Directive 12 (HSPD-12) and the requirements in the access control market place that would emerge as a result of Federal Information Processing Standard 201 (FIPS 201). It hasn’t always been the most popular position, given the extent of legacy solutions, the rate of innovation in the physical access control marketplace, and the extent to which the United States Government could be the change agent for the physical access control industry, to say nothing of the logical access and identity management industries.

Some of the contrary positions have always been surprising, particularly once it became clear that FIPS 201 was not a flash in the pan. At a minimum it represented 15 million government employees and contractors. OK, so it’s enough to interest IDmachines, but for a physical access control industry where many of the installations were less than 20 doors, the sea change for the most part continued to be ignored or addressed with the least possible effort or innovation on the part of the industry “leaders”. In fact many government installations have been and will be addressed by small scale solutions. In my opinion this is a case of fool me twice.

Not everyone has ignored the obvious, and over the last couple of years IDmachines has worked closely with a number of progressive companies to position them for what continues to be an enormous opportunity. Setting the correct product roadmap and establishing the proper go-to-market strategies don’t evolve overnight, nor do the relationships to take advantage of it. It was a process that started when I was involved in deploying the credential validation infrastructure and architecting and developing physical access control solutions to take advantage of this fundamental evolution of identity and security.

In the meantime there have been other related developments that continue to support IDmachines' founding premise. The First Responder Authentication Credential (FRAC) and Transportation Worker Identification Credential (TWIC) introduce populations in the millions (in fact tens of millions). So now we are approaching 50 million new credentials to be issued that are based on the use of strong identities tightly bound to digital certificates. Yet in many cases it has only been the introduction of requirements for approved products (these exist for both these sectors) that has gotten the industry to move forward. Not surprising, but in most cases the industry “leaders” have had to have a ring put through their nose and subsequently get dragged into the arena, when given the numbers a stampede would have been more in order.

OK, so the saga continues. If 50 million new credentials doesn’t get an industry's attention, let’s double the number. It doesn’t require Danish philosophy (it was Kierkegaard who gets credit for the concept of a “leap of faith”) or trusting a blogging Italian-American. It’s completely in the public domain.

In the last couple of weeks two very significant developments have become public in the access control market place. To those of us who have been following the evolution of FIPS 201 they come as no surprise. To those on the fence it should tip them toward the side of the believers. And for the skeptics it will likely be the case that once a dinosaur always a dinosaur (even the physical access control market moves fast enough for some opinions and vendors to become extinct). So what happened?

First was the announcement of the Four Bridges Forum. For those who have not yet gotten up the Public Key Infrastructure (PKI) learning curve (strongly suggested), the bridges referred to here are trust bridges that use the Federal Bridge Certificate Authority as an anchor for trusting identity. This blog has previous posts about the fact that the Federal Bridge sets both policy and technology standards for identity and credentialing in the early part of the 21st century. The four bridges refer to the four industry sectors that have now chosen to align themselves and make available to others in their industry the ability to achieve interoperability and trust among their members and across industry and government. The first is the United States Government, the second is the bio-pharmaceutical industry and the SAFE BioPharma bridge, the third is the aerospace industry and the CertiPath bridge, and the fourth is the higher education industry and the EDUCAUSE bridge. This blog has alluded to the fact that certainly others will follow (in particular multiple components of our critical infrastructure).

Simply put, this eliminates the argument that FIPS 201 will never be adopted outside of the US Government. Simply, this means that interoperability can be achieved. Simply, this adds use cases (intra-industry collaboration and US Government interactions). Simply, this adds economies of scale (as if 15 million government users weren’t enough to drive solution providers). Simply, this gets the standard to the tipping point of becoming ubiquitous.

The second item, which is closely intertwined with the first, is the Federal CIO Council putting out the policy for Personal Identity Verification (PIV, which is the name of the focus of FIPS 201) Interoperability (I), or PIV-I. This addresses an important issue. If FIPS 201 applied to Government and contractors, how can you expand this beyond this silo? There were aspects of the standard that were very US Government specific. As an example, part of the identity vetting process required a National Agency Check with Inquiries (NAC-I). Well, you can’t do a NAC-I for a private sector employee. So the question became how you align one background check with another and how this maps to the level of assurance. These policy and technical interoperability issues needed to be addressed in order for the industry bridges to reach across to the Federal government. The challenge was never technical; it was more on the order of herding cats. And in this blog’s opinion it was done in short order and the right way.

So when you hear the question, “Does it meet FIPS 201?”, it is not something that addresses a niche market. And depending on your perspective it just might be the most important question you can ask your product managers, system integrators, vendors or purchasing managers. And then, depending on how the question is answered, you can get to my favorite retort… “Now really…?”

Tuesday, April 28, 2009

Waves and Signs

Another digression into the art world. Neighbor and friend Wendy Jacob held a conference, workshop and dance party (yes, dance party), literally on low frequency vibration, called "Waves and Signs". Wendy conceived and constructed a surface that had ~100 Hz rolling through it as a means to foster an investigation of what we "feel". Much of the conference, and yes the dance party, took place on the floor/platform. In fact I can't really do justice describing what took place, except that I find it very inspirational. Yeah Wendy!