A matter of trust

For contractor employees, gaining access to Defense Department facilities has become more difficult since the 2001 terrorist attacks. Most contractors must wait at the entry point for badges and escorts. But when a large number of them arrive at the same time, gaining entry can be time-consuming and labor-intensive, said Kent Schneider, president of AFCEA International and a retired military officer who has often been through the process.

That's the reason Schneider and others are promoting a new DOD-approved identification card for employees of defense contractors not eligible for the existing Common Access Card. The new card is certified by the nonprofit Federation for Identity and Cross-Credentialing Systems (FIXS), of which Schneider is a board member.

"The Common Access Card is for government people and full-time contractors," he said. "The question is what about the hundreds of thousands of people who are defense contractors. [FIXS] is a way to extend identification into the contractor community."

The Army Materiel Command is testing a program that allows contractors to use the FIXS-certified credential to gain access to defense facilities and computers.

The Synchronized Predeployment and Operational Tracker (SPOT) program is a pilot project at Fort Belvoir, Va., in coordination with FIXS and a vendor certified by that group. The credential is being used for physical access and computer use.

"The ultimate goal is to give us visibility to the contractors in the battlefield," said Col. Archie Davis, a spokesman at the command. "This goes a long way to solving that problem."

In this project, DOD is participating in a federated identity management system with a private entity to verify identities for nongovernment personnel. Federated identity systems allow identity information to be transferred across domains. Participants trust one another to properly verify identities and maintain various standards. In the Army pilot project, the trust is based on a 2006 memorandum of understanding between DOD and FIXS.

Army officials hope to create a scalable Web-based system to improve efficiency and save money in managing access for large numbers of individual contractors, who are difficult to track because they frequently change jobs and roles. The FIXS card is modeled after the federal identity cards issued under Homeland Security Presidential Directive 12.

If it is successful, the pilot program could lead to other credentialing projects at DOD and other federal, state and local government agencies, said Raj Nanavati, a partner at the International Biometric Group consulting firm in New York.

The Army plans to expand the SPOT program to Afghanistan, Iraq and other military locations, Davis said. Initially, it will provide FIXS-certified credentials to about 3,000 contractors.

Although the project appears to be successful, some questions remain. For example, the government performs the background checks for high-level credentials and the FIXS-certified vendor performs the commercial background check for a Level 3 credential, a lower level of access. It is not clear whether DOD will accept that clearance process, said Michael Mestrovich, president of FIXS.

"We are plowing new ground," he said. "For Level 3 credentials, the question is, 'can I trust your background check.' I believe the government agencies are beginning to look at these federated solutions and whether they can accept them."

Bob Blakley, vice president of the identity and privacy strategies at the Burton Group, agreed that was a significant unknown. "That is an important issue - whether the Army will accept a Level 3 credential" awarded by a private operation, he said.

Also, there are questions about whether the DOD/FIXS federated trust model can eventually be combined with other federal credentialing initiatives, such as those sponsored by the General Services Administration, the E-Authentication program and the Federal Bridge Certification Authority (FBCA).

Several contractors, including Lockheed Martin and Northrop Grumman, are members of FIXS and a private entity called Certipath LLC, which provides trusted identity assurance between organizations and has a trust agreement with FBCA.

"Eventually, there will need to be convergence," Mestrovich said. "We had hoped that the government would be further along in accepting the federated trust model."

The FIXS identity credentialing network, founded in 2004, developed an identity trust model similar to the one used for automated teller machines. It is the only network certified to operate with the Defense Cross-Credentialing Identification System infrastructure.

In the SPOT program, contractors may obtain FIXS-certified credentials from vendors that have been certified by the federation as having met requirements to operate one or more applications in federated identity management. That includes capabilities such as biometric enrollment, card production, and data storage and security.

As a result of an agreement made in 2006 with the Defense Manpower Data Center, FIXS is the conduit to the Pentagon's credentialing networks. When a contractor presents a FIXS-certified credential to a card reader at a gate, the information is processed through the federation's computer network.

In February, FIXS certified its first vendor, WidePoint, of Fairfax, Va., which is participating in the SPOT project through its subsidiary Operational Research Consultants. Two other vendors have applied for certification.

The FIXS network is processing several hundred SPOT credentials per month.

"We hope to ramp up to thousands by January," Mestrovich said.

The FIXS-certified credential verifies a contractor's identity and attributes, when read through the FIXS network in an interface with DOD. But it is still up to a defense facility gatekeeper to determine whether an individual should be allowed unescorted access or computer access, Schneider added.

"You have to separate verifying the identity and providing access," he said. "We are still testing it."

Although FIXS is the first group to create a federated identity network with DOD, Schneider said other groups are likely to be formed. "FIXS is just beginning to get traction."

At some point, most contractors will want to get involved with some kind of identity service, he added, "whether it is FIXS or others."

What is it? Synchronized Predeployment and
Operational Tracker Program, a pilot program
for federated identity management.

Sponsors: Army Materiel Command,
Federation for Identity and Cross-
Credentialing Systems (FIXS).

Location: Fort Belvoir, Va.

Goal: To test smart identification cards for
defense contractors who do not use the
Defense Department's Common Access Card.
Contractors use SPOT cards to access facilities
and computer networks.

How it works: FIXS certifies vendors to issue
identity cards if they have met requirements
set by the Defense Manpower Data Center.
The requirements cover biometric enrollment,
card production, and data storage and security.
When a contractor presents a FIXS-certified
credential to a card reader at a gate, the
information is processed through the federation's
computer network. In February, FIXS
certified its first vendor, WidePoint, of Fairfax,
Va. Two other vendors have applied.

Who are you?

Can you prove I can trust you?

Are your credentials valid?

Who issued your credentials?

How do I know your credentials have not been revoked?

Have your credentials been compromised?

Who took your photograph?

Who recorded your fingerprints?

Where is your information stored?

Did your employer vouch for you?

Is your employer trustworthy?

Has your employer's security been compromised?

Source: Federation for Identity
and Cross-credentialing Systems

Alice Lipowicz (alipowicz@1105govinfo.com) is
a staff writer at Washington Technology.
