A matter of trust
ID card for contractors undergoes testing at the Defense Department
- By Alice Lipowicz
- Oct 02, 2008
For contractor employees, gaining
access to Defense Department
facilities has become more difficult
since the 2001 terrorist attacks.
Most contractors must wait at the
entry point for badges and escorts. But
when a large number of them arrive at
the same time, gaining entry can be time-consuming
and labor-intensive, said
Kent Schneider, president of AFCEA
International and a retired military officer
who has often been through the
That's the reason Schneider and others
are promoting a new DOD-approved
identification card for employees of
defense contractors not eligible for the
existing Common Access Card. The new
card is certified by the nonprofit
Federation for Identity and Cross-
Credentialing Systems (FIXS), of which
Schneider is a board member.
"The Common Access Card is for government
people and full-time contractors,"
he said. "The question is what about
the hundreds of thousands of people who
are defense contractors. [FIXS] is a way
to extend identification into the contractor
The Army Materiel Command is testing
a program that allows contractors to
use the FIXS-certified credential to gain
access to defense facilities and
The Synchronized Predeployment and
Operational Tracker (SPOT) program is a
pilot project at Fort Belvoir, Va., in coordination
with FIXS and a vendor certified
by that group. The credential is being
used for physical access and computer
"The ultimate goal is to give us visibility
to the contractors in the battlefield," said Col. Archie
Davis, a spokesman at the command. "This goes a long
way to solving that problem."
FIRST OF ITS KIND
In this project, DOD is participating in a
federated identity management system
with a private entity to verify identities
for nongovernment personnel. Federated
identity systems allow identity information
to be transferred across domains.
Participants trust one another to properly
verify identities and maintain various
standards. In the Army pilot project, the
trust is based on a 2006 memorandum of
understanding between DOD and FIXS.
Army officials hope to create a scalable
Web-based system to improve efficiency
and save money in managing access for
large numbers of individual contractors,
who are difficult to
track because they
jobs and roles. The
FIXS card is modeled
after the federal
Homeland Security Presidential
If it is successful, the pilot program
could lead to other credentialing projects
at DOD and other federal, state and local
government agencies, said Raj Nanavati,
a partner at the International Biometric
Group consulting firm in New York.
The Army plans to expand the SPOT
program to Afghanistan, Iraq and other
military locations, Davis said. Initially, it
will provide FIXS-certified credentials to
about 3,000 contractors.
Although the project appears to be successful, some questions
remain. For example, the government
performs the background
checks for high-level
credentials and the FIXS-certified
vendor performs the
check for a Level 3 credential,
a lower level of access. It is not
clear whether DOD will
accept that clearance process,
said Michael Mestrovich,
president of FIXS.
"We are plowing new
ground," he said. "For Level 3 credentials,
the question is, 'can I trust your
background check.' I believe the government
agencies are beginning to look at
these federated solutions and whether
they can accept them."
Bob Blakley, vice president of the
identity and privacy strategies at the
Burton Group, agreed that was a significant
unknown. "That is an important
issue, whether the Army will accept a
Level 3 credential" awarded by a private
operation, he said.
Also, there are questions about
whether the DOD/FIXS federated trust
model can eventually be combined with
other federal credentialing initiatives,
such as those sponsored by the General
Services Administration, the
E-Authentication program and the
Federal Bridge Certification Authority
Several contractors, including
Lockheed Martin and Northrop
Grumman, are members of FIXS and a
private entity called Certipath LLC,
which provides trusted identity assurance
between organizations and has a
trust agreement with FBCA.
"Eventually, there will need to be convergence,"
Mestrovich said. "We had
hoped that the government would be
further along in accepting the federated
trust model."
VENDOR CERTIFICATION
The FIXS identity credentialing network,
founded in 2004, developed an
identity trust model similar to the one
used for automated teller machines.
It is the only network certified to
operate with the Defense Cross-
Credentialing Identification System
In the SPOT program, contractors
may obtain FIXS-certified credentials
from vendors that have been certified by
the federation as having met requirements
to operate one or more
applications in federated
identity management. That
includes capabilities such as
biometric enrollment, card
production, and data storage
As a result of an agreement
made in 2006 with the
Defense Manpower Data
Center, FIXS is the conduit to
the Pentagon's credentialing
networks. When a contractor
presents a FIXS-certified credential
to a card reader at a gate, the
information is processed through the
federation's computer network.
In February, FIXS certified its first
vendor, WidePoint, of Fairfax, Va.,
which is participating in the SPOT project
through its subsidiary Operational
Research Consultants. Two other vendors
have applied for certification.
The FIXS network is processing several
hundred SPOT credentials per
"We hope to ramp up to thousands by
January," Mestrovich said.
The FIXS-certified credential verifies
a contractor's identity and attributes,
when read through the FIXS network in
an interface with DOD. But it is still up
to a defense facility gatekeeper to determine
whether an individual should be
allowed unescorted access or computer
access, Schneider added.
"You have to separate verifying the
identity and providing access," he said.
"We are still testing it."
Although FIXS is the first group to
create a federated identity network with
DOD, Schneider said other groups are
likely to be formed. "FIXS is just beginning
to get traction."
At some point, most contractors will
want to get involved with some kind of
identity service, he added, "whether it is
FIXS or others."
Alice Lipowicz is a staff writer at Washington Technology.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.