Sorry it has taken me so long to get back to you on your question.
Anthony, you are correct in your assertion that FFIEC has mandated a
migration towards dual-factor authentication
(http://www.ffiec.gov/pdf/authentication_guidance.pdf). As Mark
pointed out, this is not a blanket statement, but "Goes back to the
risk assessment".
Anthony asked "What I'm most interested in is how this would impact us
on the user authentication front. Specifically, we have heard a
claim that there will be new requirements coming from the Fed with
respect to strengthened authentication requirements. I know that the
FFIEC has mandated multi-factor authentication but we heard someone
else touting that the HSPD-12 required strong authentication for
information systems. I couldn't find that in any of the supporting
materials."
(See the official memo to create HSPD-12 here:
http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html)
It looks to me like you are trying to draw a relationship between the
FFIEC "Authentication in an Internet Banking Environment" (which
replaces the 2001 FFIEC guidance), and the HSPD-12 "Policy for a
Common Identification Standard for Federal Employees and Contractors".
If it looks like these two should be related, but aren't specifically,
I agree with you. Both support stronger authentication methods through
dual-factor authentication, but they are for different users.
The FFIEC states "This guidance applies to both retail and commercial
customers and does not endorse any particular technology." The
HSPD-12, on the other hand, applies to "employees and contractors who
require long-term access to Federally controlled facilities and/or
information systems."
(http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf - thank you
Robert for the update)
As you can see, these are different user groups, and the two guidance
documents do not specifically relate to each other.
<Soapbox>
HOWEVER, as with many other areas of security, we see a convergence of
good security practices being pushed from multiple drivers. I think
this is the most important observation, that while various standards
may not be interoperable, the end result of good security practices
will always be good security practices, and as you follow one set of
standards (i.e. BS7799), you will naturally become compliant with other
standards (i.e. PCI).
This is really a beautiful Information Security Management convergence.
</Soapbox>
Anthony, the answer to the final part of your question ("I couldn't
find that in any of the supporting materials") is NIST.
NIST is charged with developing guidance for many of the federal
standards, including this one. Here is their OFFICIAL page with
HSPD-12 guidance, which has become the FIPS 201. Their site provides a
GREAT background, overview, and understanding of the current state of
the compliance guidance development. As you can see, the program is
alive and well.
http://csrc.nist.gov/piv-program/
There is a lot of detail on this site, more than you probably want me
to get into in this email. But a few highlights:
** TODAY (April 10, 2006) is the deadline for vendors to submit their
FIPS 201 Part 2 for inclusion in a federal demonstration program, if
you are so inclined
(http://csrc.nist.gov/piv-program/CRADA/index.html).
** NIST has broken the FIPS 201 standard into two parts, to make
deployment and compliance easier:
http://piv.nist.gov/pivqa/faq.php?qid=176
** (From the NIST website) "FIPS 201 incorporates three technical
publications...
NIST Special Publication 800-73, "Interfaces for Personal Identity
Verification", specifies the interface and data elements of the PIV
card (as Michael mentioned, NIST 800-85A was just released April 5 to
provide test guidance);
NIST Special Publication 800-76, "Biometric Data Specification for
Personal Identity Verification", specifies the technical acquisition
and formatting requirements for biometric data of the PIV system; and
NIST Special Publication 800-78, "Cryptographic Algorithms and Key
Sizes for Personal Identity Verification", specifies the acceptable
cryptographic algorithms and key sizes to be implemented and used for
the PIV system."
Earl
On 30 Mar 2006 18:50:50 -0000, anthony.cicalla (at) bankserv (dot) com [email concealed]
<anthony.cicalla (at) bankserv (dot) com [email concealed]> wrote:
> I am attempting to find out about how HSPD-12 would affect FFIEC client authentication methods. Below is his question and I am just looking for some outside input. I found HSPD-12 but it looks to me as if it's just a mandate to get a uniform security identification card for all agencies.
>
> What I'm most interested in is how this would impact us on the user authentication front. Specifically, we have heard a claim that there will be new requirements coming from the Fed with respect to strengthened authentication requirements. I know that the FFIEC has mandated multi-factor authentication but we heard someone else touting that the HSPD-12 required strong authentication for information systems.
> I couldn't find that in any of the supporting materials.
>
> Thanks in advance for all input on this.
>
--
Earl Crane, MISM, CISM, CISSP, MCSE