PIV Life Cycle Management: PIV Life Cycle Management: Maintaining - - PowerPoint PPT Presentation

piv life cycle management piv life cycle management
SMART_READER_LITE
LIVE PREVIEW

PIV Life Cycle Management: PIV Life Cycle Management: Maintaining - - PowerPoint PPT Presentation

Sep 25, 2023 234 likes •347 views

PIV Life Cycle Management: PIV Life Cycle Management: Maintaining Assurance and Maintaining Assurance and Enhancing Utility Enhancing Utility Tim Polk October 6, 2005 1 Security is More Than Technology Security is More Than Technology

slide-1
SLIDE 1

1

PIV Life Cycle Management: PIV Life Cycle Management: Maintaining Assurance and Maintaining Assurance and Enhancing Utility Enhancing Utility

Tim Polk October 6, 2005

slide-2
SLIDE 2

2

Security is More Than Technology Security is More Than Technology

  • Policies and procedures play a key role in a

secure PIV token – just like any other security system

  • Things change – the system has to keep

pace

  • People retire, change jobs, get fired
  • The environment changes – can the token

change with it?

slide-3
SLIDE 3

3

Policies and Procedures Policies and Procedures

  • Policies and procedures must include
  • Token and certificate issuance
  • Token and certificate revocation
  • Notification and changes to token holder

attributes

  • Re-authentication and Re-issuance
slide-4
SLIDE 4

4

Implementing Policies and Implementing Policies and Procedures Procedures

  • Personnel
  • Personnel in trusted roles must be trustworthy
  • Training
  • Auditing
  • Verifying Policies and Procedures
  • Compliance audits
  • Common PKI tool for Policy compliance
  • Approved by FPKI Policy Authority
  • Certification and Accreditation
  • Agency DAA signs off on system
slide-5
SLIDE 5

5

Emergency Notification Emergency Notification

  • Emergency notification procedures must be

established for each agency

  • Triggers:
  • Employee or contractor separation
  • Assurance decreased
  • Token lost or compromised
slide-6
SLIDE 6

6

When are emergencies noticed? When are emergencies noticed?

  • Separation
  • Usually known to government or the employer,

but who tells the token issuer and certificate issuer?

  • Loss or compromise
  • Do token holders know their responsibilities?
slide-7
SLIDE 7

7

Emergency Response Emergency Response

  • Token Revocation
  • Token Status Registry Updates
  • Certificate Management Issues
slide-8
SLIDE 8

8

Directory Management Directory Management

  • Directory architecture reflects local versus

global data

  • If all data is global
  • Then a single publicly accessible directory is

sufficient

  • If some data is local, two solutions:
  • Internal and border directories
  • Authenticated access to controlled attributes
slide-9
SLIDE 9

9

OCSP Responder OCSP Responder

  • Essentially, two configurations:
  • CRL driven
  • CA database driven
  • For CRL driven responders, updating the

LDAP directory is a complete solution

  • Where the CA database drives the OCSP

responder, secure connections between CA and OCSP responder are required

slide-10
SLIDE 10

10

So, FIPS 201 Will Establish… So, FIPS 201 Will Establish…

  • Policy and procedural requirements to

ensure token management and personnel management are tightly coupled

  • Policy and mechanism requirements to

ensure token status information is accurate and available

  • C&A and training requirements to ensure

procedures are implemented correctly

slide-11
SLIDE 11

11

Adapting to Environment Adapting to Environment

  • The PIV token needs to be adaptable to

reflect changes in environment

  • Every agency is different
  • Every agency evolves
  • FIPS 201 will specify a minimum set of

functionality

  • Additional functions may be added to meet

agency requirements