A matter of trust

ID card for contractors undergoes testing at the Defense Department

What is it? Synchronized Predeployment and
Operational Tracker Program, a pilot program
for federated identity management.

Sponsors: Army Materiel Command,
Federation for Identity and Cross-
Credentialing Systems (FIXS).

Location: Fort Belvoir, Va.

Goal: To test smart identification cards for
defense contractors who do not use the
Defense Department's Common Access Card.
Contractors use SPOT cards to access facilities
and computer networks.

How it works: FIXS certifies vendors to issue
identity cards if they have met requirements
set by the Defense Manpower Data Center.
The requirements cover biometric enrollment,
card production, and data storage and security.
When a contractor presents a FIXS-certified
credential to a card reader at a gate, the
information is processed through the federation's
computer network. In February, FIXS
certified its first vendor, WidePoint, of Fairfax,
Va. Two other vendors have applied.

Who are you?

Can you prove I can trust you?

Are your credentials valid?

Who issued your credentials?

How do I know your credentials
have not been revoked?

Have your credentials been

Who took your photograph?

Who recorded your fingerprints?

Where is your information stored?

Did your employer vouch for you?

Is your employer trustworthy?

Has your employer's security been

Source: Federation for Identity
and Cross-Credentialing Systems

For contractor employees, gaining
access to Defense Department
facilities has become more difficult
since the 2001 terrorist attacks.

Most contractors must wait at the
entry point for badges and escorts. But
when a large number of them arrive at
the same time, gaining entry can be time-consuming
and labor-intensive, said
Kent Schneider, president of AFCEA
International and a retired military officer
who has often been through the

That's the reason Schneider and others
are promoting a new DOD-approved
identification card for employees of
defense contractors not eligible for the
existing Common Access Card. The new
card is certified by the nonprofit
Federation for Identity and Cross-
Credentialing Systems (FIXS), of which
Schneider is a board member.

"The Common Access Card is for government
people and full-time contractors,"
he said. "The question is what about
the hundreds of thousands of people who
are defense contractors. [FIXS] is a way
to extend identification into the contractor

The Army Materiel Command is testing
a program that allows contractors to
use the FIXS-certified credential to gain
access to defense facilities and

The Synchronized Predeployment and
Operational Tracker (SPOT) program is a
pilot project at Fort Belvoir, Va., in coordination
with FIXS and a vendor certified
by that group. The credential is being
used for physical access and computer

"The ultimate goal is to give us visibility
to the contractors in the battlefield,"
said Col. Archie Davis, a spokesman
at the command. "This goes a long
way to solving that


In this project, DOD is participating in a
federated identity management system
with a private entity to verify identities
for nongovernment personnel. Federated
identity systems allow identity information
to be transferred across domains.

Participants trust one another to properly
verify identities and maintain various
standards. In the Army pilot project, the
trust is based on a 2006 memorandum of
understanding between DOD and FIXS.

Army officials hope to create a scalable
Web-based system to improve efficiency
and save money in managing access for
large numbers of individual contractors,
who are difficult to track because they
frequently change jobs and roles. The
FIXS card is modeled after the federal
identity cards issued under
Homeland Security Presidential
Directive 12.

If it is successful, the pilot program
could lead to other credentialing projects
at DOD and other federal, state and local
government agencies, said Raj Nanavati,
a partner at the International Biometric
Group consulting firm in New York.

The Army plans to expand the SPOT
program to Afghanistan, Iraq and other
military locations, Davis said. Initially, it
will provide FIXS-certified credentials to
about 3,000 contractors.

Although the project appears to be successful, some questions
remain. For example, the government
performs the background checks for
high-level credentials and the
FIXS-certified vendor performs the
commercial background check for a
Level 3 credential, a lower level of
access. It is not clear whether DOD will
accept that clearance process,
said Michael Mestrovich,
president of FIXS.

"We are plowing new
ground," he said. "For Level 3 credentials,
the question is, 'can I trust your
background check.' I believe the government
agencies are beginning to look at
these federated solutions and whether
they can accept them."

Bob Blakley, vice president of
identity and privacy strategies at the
Burton Group, agreed that was a significant
unknown. "That is an important
issue - whether the Army will accept a
Level 3 credential" awarded by a private
operation, he said.

Also, there are questions about
whether the DOD/FIXS federated trust
model can eventually be combined with
other federal credentialing initiatives,
such as those sponsored by the General
Services Administration, the
E-Authentication program and the
Federal Bridge Certification Authority

Several contractors, including
Lockheed Martin and Northrop
Grumman, are members of FIXS and a
private entity called Certipath LLC,
which provides trusted identity assurance
between organizations and has a
trust agreement with FBCA.

"Eventually, there will need to be convergence,"
Mestrovich said. "We had
hoped that the government would be
further along in accepting the federated
trust model."


The FIXS identity credentialing network,
founded in 2004, developed an
identity trust model similar to the one
used for automated teller machines.
It is the only network certified to
operate with the Defense Cross-
Credentialing Identification System

In the SPOT program, contractors
may obtain FIXS-certified credentials
from vendors that have been certified by
the federation as having met requirements
to operate one or more applications in
federated identity management. That
includes capabilities such as biometric
enrollment, card production, and data
storage and security.

As a result of an agreement made in
2006 with the Defense Manpower Data
Center, FIXS is the conduit to the
Pentagon's credentialing networks.
When a contractor presents a
FIXS-certified credential
to a card reader at a gate, the
information is processed through the
federation's computer network.

In February, FIXS certified its first
vendor, WidePoint, of Fairfax, Va.,
which is participating in the SPOT project
through its subsidiary Operational
Research Consultants. Two other vendors
have applied for certification.

The FIXS network is processing several
hundred SPOT credentials per

"We hope to ramp up to thousands by
January," Mestrovich said.

The FIXS-certified credential verifies
a contractor's identity and attributes
when read through the FIXS network in
an interface with DOD. But it is still up
to a defense facility gatekeeper to determine
whether an individual should be
allowed unescorted access or computer
access, Schneider added.

"You have to separate verifying the
identity and providing access," he said.
"We are still testing it."

Although FIXS is the first group to
create a federated identity network with
DOD, Schneider said other groups are
likely to be formed. "FIXS is just beginning
to get traction."

At some point, most contractors will
want to get involved with some kind of
identity service, he added, "whether it is
FIXS or others."

Alice Lipowicz (alipowicz@1105govinfo.com) is
a staff writer at Washington Technology.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Wed, Jan 14, 2009 Martin http://www.e-motional.com/TScreenLockSC.htm

It is nice to see support for the military Common Access Card growing. Mainstream software providers are providing support in their software. One example that I recently found was for the Transparent Screen Lock product I was not able to use because of the Smart Card reader access we have here. You can check out the product at http://www.e-motional.com/TScreenLockSC.htm
