November 9, 2007 • Volume 5 • Number 9
FEDERAL EXECUTIVE FORUM IDENTITY MANAGEMENT
TRANSCRIPT October 11, 2007
Broadcast on www.FederalNewsRadio.com
Moderator
• Jim Flyzik - Flyzik Group
Panelists
• Mike Butler - Program Manager, GSA MSO
• Mary Dixon - Director, Defense Manpower Data Center, DOD
• Tom Lockwood - Senior Advisor, DHS
• Gordon Hannah - Managing Director, Public Sector Security and Identity Management Group, BearingPoint
• David Troy - Director, U.S. Government Identity Management Solutions Group, EDS
• Phil Myers - Director of Identity and Access Management Solutions, Unisys Corporation
JIM FLYZIK, THE FLYZIK GROUP
During today’s show we will discuss progress being made as we move forward with identity management and HSPD-12 programs in the federal government.
Let’s get right into the issues and we’ll start off by asking each of our panelists, this is our second show on this topic, we did one pretty much exactly one year ago, so what we are interested in hearing about to kick this thing off is from each of you progress made during the past year in achieving compliance with HSPD-12 and other identity management programs. Let’s start with Mike Butler who has the role of coordinating across the federal government, one of the key roles for HSPD-12. Mike can you tell us a little bit about progress made in your area this past year?
MIKE BUTLER, GSA
Because I was on the show last year, I think that where we are almost a year later is that at GSA what we’ve put together is a federation of different agencies to share the costs and share the infrastructure across the government. We did a new contract just in April and at that point we had 42 agencies signed up.
Since April we’ve now signed up 67 agencies, boards and commissions and our population over the last year of agencies that have signed up has actually doubled from about 420 to we think we are around 860,000 people. So as far as actually getting some work done, we just started issuing cards and enrolling people about three weeks ago, four months into the new contract so we are pretty proud of that and I think that’s a pretty good step forward in just four months.
JIM FLYZIK, THE FLYZIK GROUP
Yes, terrific. That’s great news. And the topic certainly is taking a life of its own. The topic of the town is identity management moving forward with it. Gordon Hannah at BearingPoint, can you give us an idea of what BearingPoint has been doing in this space?
GORDON HANNAH, BEARINGPOINT
Sure. We are in the business of helping agencies move towards HSPD-12 compliance and be successful, and we’ve been helping a number of agencies including the Department of Defense, TSA has a prototype their TWIC program and move towards HSPD-12 compliance.
GSA when they initially set up their management services offer in meeting October 2006 mandate, as Mike said over 40 agencies; we are also working today with Health and Human Services and helping them comply with HSPD-12 as they begin to issue credentials; so (we are) busy overall in helping a number of agencies be successful with HSPD-12.
JIM FLYZIK, THE FLYZIK GROUP
Great. It’s clearly one of these programs which require a public/private partnership to move forward to keep this thing rolling. Tom Lockwood over at DHS, DHS has a lot of different challenges since I’m certain there’s a lot of different identity management programs throughout the various components. Tell us a little bit about your role and progress you’ve been making there Tom.
TOM LOCKWOOD, DHS
Like Mike and Mary and most of us here, we’ve been struggling with planning for the last several years. What you are going to hear from all of us is implementation now. Mike is talking about implementation on the HSPD-12 shared services, you are seeing that within the department, but you are seeing that within the department programs, for example the TWIC and the discussion of how to leverage this FIPS 201 environment and now it’s the activities of really enrolling and implementing programs, versus planning.
JIM FLYZIK, THE FLYZIK GROUP
Great, thanks Tom and we will come back and visit a number of those issues as the show moves on. David Troy over at EDS. EDS is one of the winners of the contracts over at GSA. Can you give us a sense of what you’ve been focusing on this past year?
DAVID TROY, EDS
Certainly one of our primary focuses has been working with Mike and supporting the GSA program. I think one of the interesting aspects of that is as you look at it the whole industry segment here has moved forward with moving towards industry compliant products and components and services and that’s really helped us from a systems integration perspective relative to being flexible and incorporate a number of products.
What’s interesting in the case of GSA specifically is that what we are really doing is extending the FIPS 201 standard to really reflect the requirements associated with multiagency support and that’s a very important piece and really when it comes down to it, it is something that comes down even within an agency you have multiple components within an agency and there’s often a variety of additional requirements associated with that. And what we’ve learned and what we’ve developed with GSA is the ability to support that. So that’s a key advancement.
JIM FLYZIK, THE FLYZIK GROUP
I think so too. I think that’s a great point and one that I hope we have a little time to revisit this whole issue of interoperability and how solutions work for one agency will be supported and work across other agencies. Mary Dixon over at the Defense Manpower Data Center, I guess Mary when we talk about doing a show on this, your name is one of the first that surfaces. Everyone says you need to talk to Mary because DOD has done so much in this area and Mary’s been a leader in this particular area. Can you give us some ideas of the exciting things that you have going on over there.
MARY DIXON, DOD
We have a huge infrastructure that was already in place to do this, about 2,000 work stations in addition in about 1500 locations world-wide. So we have quite a challenge of our own in trying to roll this out and issue cards because we issue more than just secure cards.
But we, the precursor the CAC 2, the HSPD-12 credential we issued 10 million of those. We are now in the process of moving forward to the approved CAC following HSPD-12 we have already issued about 8,000 of those cards. We expect to see that blossom here in the next few months. In November we will turn on 400 of our work stations to start issuing these and then we will begin the roll out to the rest of the stations over the next year.
So we expect to see a large number of increases because we can issue within our infrastructure about 10-13,000 cards a day, so we will be moving in that direction. So we are very excited.
JIM FLYZIK, THE FLYZIK GROUP
That’s impressive. You obviously have a big jump on this particular program and I guess it’s taken off in a major way already over there at DOD. Phil Myers over there at Unisys, you head up their Identity and Access Management Solutions group, can you give us some ideas of the areas you have been working in the past year to support government in this space?
PHIL MYERS, UNISYS
Sure. I think in order to evaluate where we are today, it’s worth looking back at where we’ve been from an agency standpoint and from an identity management industry perspective. About this time last year, in June, we saw the first 9 products approved for FIPS 201 compliancy.
In October that number reached 50 or 60 products, none of which would have provided a complete HSPD-12 solution. So we’ve seen both the agencies and the industry stepping up to help meet the directive guidelines. Today we have some 300 products on the GSA approved products list, over 30 systems integration and consulting firms that have been evaluated and approved for HSPD-12 implementations. So Unisys is continuing to work with these agencies in defining the next step of what do we do after we get the card.
JIM FLYZIK, THE FLYZIK GROUP
I think we’ll visit that also on the show today: what comes after the card. What I’d like to do is shift the attention over a little bit. Let’s talk about some of the major benefits that will accrue once we get to the point where we are able to positively identify individuals, issue a card, and are able to begin looking at privileges that are able to be put on this card. Let’s start with Mary. Mary since you’ve been working in this area for quite some time, what are some of the benefits that you are seeing by moving to the use of identity management cards?
MARY DIXON, DOD
This is my favorite subject because I think that sometimes we get so hung up on how to issue those cards that we forget about the important thing is using those cards. So I can tell you that since we have begun issuing our precursor to the HSPD-12 card, we have begun to use it for logging on to our networks. And since we have begun that we have reduced the number of successful intrusions into our networks by 46% and that is before we were fully implemented. We have reduced the amount of phishing by 30%.
We have begun to start the cultural change in the physical access world of moving away from the flash passes, if you will, to the ability to do rapid electronic authentication (that is) so critical to really understanding whether those cards are any good. It’s not enough to know that the card is good, I need to know whether it wasn’t revoked yesterday that the person didn’t leave and has lost that affiliation. So I think that the Department of Defense has really seen a lot of great things and is looking forward to improving even more.
Because HSPD-12 does make our card more secure, it makes the process more secure, but the critical thing, everybody should be banging their fists on the table, saying I need those cards because I want to reap the benefits, not that I can get the cards out.
JIM FLYZIK, THE FLYZIK GROUP
Yes, the big pushes at first were let’s comply and let’s produce a card. But I think that once you get beyond that it opens up a whole new world of opportunities of privilege that the card can address. Tom, how about at DHS, when you are thinking about some of the benefits that you see accruing from the cards?
TOM LOCKWOOD, DHS
You know, part of this discussion you’ve heard from everybody, the race to get to the starting line. It’s the race to get the enrollment cards, the people have cards. Now the creative part comes in with industry and with our industry partners. What are the opportunities for entrepreneurs to come in and plan this space for bundling products, for bundling services, for better network management if you will?
This will definitely drive the linkage to privileges. How do we efficiently provide privileges when we do business, provide services, when we make a decision, how do we do it in an informed way. Now as we are seeing HSPD-12 and the FIPS 201 framework FIPS 201 being applied to multiple applications.
We can see in demonstrations now 100% of authentication of people coming to an event. Now we’ve done nine demonstrations across the nation, three in ports, a number of incident responses. In these demonstrations you know exactly who the people are and who they are representing in real time. We never had that before.
Additionally we have the ability to provide that information real time to the operation centers that are really trying to manage an incident as well as providing a list to those parent organizations so that they are aware of some of their people who have been deployed. We have never had that before.
JIM FLYZIK, THE FLYZIK GROUP
Great progress. Mike how about as you work the programs at GSA and you are looking at what are some of the benefits you see accruing to the federal workforce and to federal programs as you move forward with smart cards and the HSPD-12 programs?
MIKE BUTLER, GSA
I’ve been doing this for a long time and over the last few months there is a new thing that surprised me because we do have some agencies that have signed on with the managed service and they have no requirement to do the HSPD-12, they are not under the mandate.
And when I talked to them, some of their senior, even at the commission head or board head member said, we are small and we’ve never really been treated like federal workers and I want my people to have a common credential that says that I work for the federal government and serve the people of the United States. And I found that to be, it was very simple, because I’d never thought of that, and I think especially as we are starting to move into the trenches on this because I see the jumble of badges that are out there, but I am starting to see on the metro, you can look down and you occasionally see somebody wearing one of these and you know who it is.
So I think that’s an interesting cultural thing which I think the Department of Defense went through, to me we are starting to act like a federal government with a common credential, and why haven’t we always had that? Maybe five years from now people will say, why was this so hard? I just find that interesting.
JIM FLYZIK, THE FLYZIK GROUP
I actually do, that’s a fascinating thought there, the issue of breaking down the culture. Before everybody had their own unique badge and it was almost like your badge is welcome only in your agency but you dare not come through into my agency with that badge. But as you move forward and start moving to some more common approaches and interoperability and so forth, you are right, you might be creating a culture of agencies beginning to think a lot different than they do today.
TOM LOCKWOOD, DHS
There is a culture around the badges as Mike said, some people see a status symbol in the number of badges that they have around their neck. But maybe security managers would look at this as a liability if it’s hanging around someone’s neck. With multiple badges. So really the opportunity is to integrate into the culture real time authentication into the business practices and that’s part of the challenge now for the next couple of months and years.
JIM FLYZIK, THE FLYZIK GROUP
Gordon, how about in the private sector view point? What are some of the benefits that you see that can achieve either internally for your own company or benefits that can be brought to government programs?
GORDON HANNAH, BEARINGPOINT
Thanks Jim. I think there are quite a few actually. The ability for contractors from our side and government employees to move into an organization more quickly. We call it on-boarding, but basically getting into a position to do your job more quickly. We think that is going to be streamlined very greatly with this new HSPD-12 compliance.
More security around when it’s time to leave, your accounts are deactivated and your access is taken away so we think overall your agencies are going to have a lot more security. And the convenience to not have to remember several user names and passwords for various applications to do your day to day job. So more seamless work across the agencies, anyone who has spent a couple of hours in visitor control for an agency knows that they might be able to get to do their job more quickly and faster access all around with automated work flow.
JIM FLYZIK, THE FLYZIK GROUP
I agree. A lot of good things happening out there and a lot of good things about to happen. I want to also hear from David and Phil on this subject.
Break
JIM FLYZIK, THE FLYZIK GROUP
We are talking HSPD-12. David over at EDS, what do you attribute or see some of the major success or benefits that could accrue from some of these programs?
DAVID TROY, EDS
I think that one of the things and I’ll follow on from what Mike and Tom had mentioned earlier. Essentially I think that the FIPS standard has established a level of trust now that wasn’t there before that is now present or can be present between agencies.
And I think that that’s going to be a fairly valuable benefit that will actually, hopefully make government more interactive and be more efficient. It’s interesting we are actually seeing a fairly significant interest on the part of commercial entities as well as the state and local community to also adopt an HSPD-12 alliance solution so they can participate in that trust model. And I think that’s really a critical aspect because if you look at it, all these agencies in addition to interacting with themselves and with other agencies that interact with state and local environment, the contracting community, other entities.
It’s a very virtual world and having that trust model and that trusted identity is going to be critical to that. I think that one of the other things that we are seeing is in the case of what we are doing with Mary. It’s very satisfying to see a critical mass of cards out there, then being used in ways that were not anticipated before and in more of a straightforward application.
If you look at it at MCI an individual can take their CAC card and go to any work station and have their work environment loaded on to that based on reading of the CAC card. I think that’s some natural benefits in addition to what Mary had mentioned.
JIM FLYZIK, THE FLYZIK GROUP
I view it that we are putting in place infrastructure that will allow a whole new world of creativity and probably new things that none of us have even thought of yet that could be happening down the road. Phil Myers over at Unisys what are some of the benefits that you see accruing from use of HSPD-12 and the movement towards identity management solutions?
PHIL MYERS, UNISYS
It is a new world. The most important aspect of FIPS 201 is the interoperability comes to the forefront. Integration of logical and physical access is no longer an option, product venues will start moving away from proprietary technologies and begin embracing national and international standards. Certainly the introduction of dual technology cards where both contact and contactless cards are sharing common memory and processing have opened up new opportunities for physical and logical security convergence.
We believe FIPS 201 will have many benefits to the agencies. Employees gain a single unified access control mechanism, administrators can supplement traditional read password only systems with multiple forms of authentication and have a single repository for employee IDs and provide for the immediate and real time authorization and replication of all enterprise resources. Likewise, auditing and forensic groups will now have a single location for ISIS control investigations, and finally the legal department can show improvement in access control efforts which will help meet regulatory requirements.
JIM FLYZIK, THE FLYZIK GROUP
Great. A lot of good points there of improved processes and improved accountability and transparency in a lot of ways from government agencies are all key points.
TOM LOCKWOOD, DHS
I think that one of the key points that Phil had raised is the question of an open architecture and the evolution of standards. One of the key things that you see is DOD, GSA, DHS, as we work together it’s an economy of scale for things like basically enrollment stations for commonality all the subsets of things that make an enrollment station work.
As we start reducing the variance from the different streams of resources that people have purchased things, their buying power is better for what they buy over time. Because there is a common standard. The ability to leverage the schedules that Mike is putting together now for the schedule 70 special supplemental and linking that to the grant streams that DHS provides, so that you do leverage the buys and you are creating levels of standards that will really make it much more effective.
JIM FLYZIK, THE FLYZIK GROUP
Great points. Thanks, appreciate that. Let’s switch over and talk about the hard stuff; the things that are challenges and constraints; and the things that are still difficult that we need to address to really keep the program moving forward. What are some of the difficult challenges or constraints that need to be overcome? Let’s start with Gordon over at BearingPoint. Gordon, what are some of the things that are more challenging that you still need to work on to try to overcome to keep this program going forward?
GORDON HANNAH, BEARINGPOINT
I think one of the biggest ones that we encounter is that this is an enormous change management challenge to the agencies. This is a new system being introduced that really touches every individual’s lives at the agencies. So we’ve really taken it upon ourselves to make sure that there is strong communication and change management tools in place because having the information in the right hands at the right time becomes very important.
The funding I think has always been an issue. It’s an unfunded mandate that everybody’s trying to meet, so finding the money to pay for some of these systems and programs is always a challenge. And then at the end of the day I think policy and trust is going to become a big issue when we start looking across agencies. I think FIPS 201 is a great framework but the execution of it becomes up to the individual agencies over which credentials they will accept and how they will verify them, so we are working through those types of issues with a number of the agencies now.
JIM FLYZIK, THE FLYZIK GROUP
And I’m sure the trust issue deals with that culture issue again. I remember somebody telling some of my employees, if we want trustworthy employees the first thing we’ve got to do is trust them to get started in this program. Phil from your perspective, what are some of the big constraints and challenges yet to overcome?
PHIL MYERS, UNISYS
Just to follow up on Gordon’s comment, policy and trust needs to start at the home actually, within your agency. Some of the challenges that we are going to see moving forward are this mapping of physical and logical identities for a holistic approach to security. If agencies aren’t utilizing a centralized provisioning system it’s going to be a lot more difficult.
Both IT and physical security groups have lived in different worlds for quite some time so we are going to see some cultural changes taking place there and that goes back to that policy and trust between the different groups. Physical and IT security functions may not require explicit reorganization of the groups but there must be a strong cross collaboration of capabilities. And again it all boils back to that policy and trust.
JIM FLYZIK, THE FLYZIK GROUP
Good point. David, anything you can add from a private sector point of view on challenges and constraints?
DAVID TROY, EDS
I guess I would echo that, if you look at it culturally within agencies, there’s a lot of cooperation that’s required to actually implement this. There’s a lot of definition of policy that often has to occur. Those are often the challenging aspects.
The technology tends to be challenging to a degree but I think the cultural issues tend to be the most and that’s where the change management, as Gordon mentioned earlier, comes in very critical. I think one of the interesting things from a technology perspective is the fact is that none of this technology is stagnant.
We will see multiple generations of card technology, we’ll see multiple generations of access control technology, we are seeing the convergence of the physical and the logical and HR systems and that all needs to be managed without negatively impacting the mission of the agencies.
JIM FLYZIK, THE FLYZIK GROUP
Great. Let’s talk to our government guests on that same question. The challenges and constraints and Mike Butler over at GSA I guess when you are looking across at having responsibilities to look at not just one agency but government wide at agencies that have been around for hundreds of years and new agencies and just diverse sets of cultures and diverse missions. How do you approach that challenge and what are some of the other challenges and constraints that you face on a day to day basis?
MIKE BUTLER, GSA
One of the challenges that we do have is when you have some agencies or commissions that are five people and then you also have some that are 110,000 people. The business rules for all of those are very different and diverse so we have tried to take and be as flexible as possible to be all of those.
But one of the things that we have really just started in the past two to three weeks is about 20% of the people who come in to enroll have some data issue with their identity. And this is coming right out of the HR systems of the agencies. And I think that one of the things that people really need done is we are not really good at doing this in our country, and I think that a lot of the agencies are wrestling with the challenge of anchoring people’s identities with the normal documentation that people would expect like a passport and things like that and getting that data back into their systems and making sure that it’s consistent.
We’ve already seen, like I said, about 20% issues and that’s a huge, that’s a multiyear process when you do something like HSPD-12 it starts to wring out these gremlins that we’ve lived with for many, many years. This is a huge place where it’s going to impact a lot of agencies. It’s a big deal.
JIM FLYZIK, THE FLYZIK GROUP
Yes, absolutely. But I’ll tell you some of the naysayers when it was first announced we had people saying that’ll never happen, but it has happened and it is moving despite some of these challenges and constraints, we seem to be overcoming them. Tom, what would you add as some of the big challenges you face day to day in moving these programs forward? You’ve got a whole series of diverse components to work with.
TOM LOCKWOOD, DHS
There are nearly 50 screening credentialing identity management programs that DHS has, let alone the new ones that we have in HR and the thing that you’ll hear from all the technologists, many times it’s not the technology, it’s the culture. And in this case when you are trying to integrate the technology, especially one that really hits people at a personal level, it’s perceived loss of power, prestige, notoriety, celebrity within the processes, and the way how we try to get through that is through a series of demonstrations to show people what are the opportunities if you have this.
What are the misperceptions about how do you extend and revoke privileges, how do you make informed decisions to protect your data? Because it is your data and you have the accountability and your jurisdiction and your organization for that. As we walk through the demonstrations we can show real practical value and use utility of making informed decisions. And that’s really what we’ve been doing to address this challenge of cultural change.
JIM FLYZIK, THE FLYZIK GROUP
That’s a good way to approach that. A non-threatening way. You are not trying to reinvent people’s jobs or anything like that, just trying to make progress and moving forward. Mary Dixon, you’ve been working the program for some time. What are some of your day to day challenges and constraints that you need to overcome to get to where you want to be?
MARY DIXON, DOD
There are two areas. One is relatively small relative to the second one. The first is that we are having to make some changes in our process for doing the background checks. Because we have been pretty much a paper based system it does not help us in making sure we have a chain of trust from the ten prints to the verification when I issue the credential.
So we are working through that and that is a big challenge for us because of the mere size of our situation. The other one that continues to be a challenge to us and has been since we started the working in the physical access world.
And I think that it is a situation where everybody has to have their own badge. Everybody thinks that the badge has to be the thing that tells what accesses and privileges you should have and to try to change that culture has been quite a challenge. So when we say that we are moving to a card that is an issue for people. The ability to understand how to do this real time authentication, not just on the card but against some backend system. We can do that in the logical world with our PKI and our federal bridge and we can work across, but wouldn’t it be great if we could extend HSPD-12 because HSPD-12 takes care of the federal government community.
Let’s extend that a little bit beyond the federal government because we want to try to issue cards to contractors. Think about the fact that some contractors work for DOD, some work for DHS, they work for GSA, not GSA, but some of these contractors work across some of the agencies that have similar missions. Why are we all trying to figure out who is going to issue their credential?
Why don’t we figure out a way so that we can trust our industry partners to issue those credentials against our rules and then we can trust each other’s credentials. It improves security because they know best about their people and when they are coming and going. It improves privacy because I don’t have to store all this privacy information about all these people at all these different systems, you keep it within your own home base if you will. So I think this is just the beginning of where we need to go.
TOM LOCKWOOD, DHS
What Mary’s raising is so exciting right now of where we are really going over time. Say for example we have an acquisition professional community challenge within the federal government. Really need to find strong program managers, T and E managers, developmental managers, so we are effective in the execution of the resources we are providing.
This has a framework to really understand what you really have. How much gas you have in the gas tank and how are you tying that back into your employee developmental system so that you know you have good people in the pipeline. And the ability to sometimes leverage best practices and extend people between organizations the contracting bases as well as the government employees, which we really don’t have the framework to do now. The challenge now is implementation as well as the management of attributes and privilege back through the enterprise.
JIM FLYZIK, THE FLYZIK GROUP
Phil you had a comment?
PHIL MYERS, UNISYS
Just to follow up on what Mary said, she might have been reading some of our top secret papers because at Unisys we have started a FIPS 201-like credential that we indeed hope someday we will be able to manage the access into the different federal agencies and gain the privileges that we need as contractors.
JIM FLYZIK, THE FLYZIK GROUP
Terrific. Mary?
MARY DIXON, DOD
I just wanted to come back because somebody had a quote that I thought was very appropriate. It was about the fact that you do not have to know everything about me to trust me, but you have to know that the person who issued my credential, you have to trust that person to have followed the rules. And you can know just a small amount of information about me to grant me privileges as long as you have that trust somewhere in the system.
JIM FLYZIK, THE FLYZIK GROUP
Very good point. It’s almost like you secure a supply chain, securing the trust amongst the entities involved in the credential and knowing who that particular entity is that’s issuing the cards. Let me shift again and combine a couple of issues here. Talk about the interoperability in the federal government and also the need to coordinate with state and local government. Has there been anyone thinking beyond this next step when talking about coordination with state and local government and interoperability across these enterprises? Tom?
TOM LOCKWOOD, DHS
For the last several years, really between the Department of Defense, who’s been a great partner, with Mike and Mary, we were able to take and leverage the work that DOD was able to do and present that in a way and work with our state and local partners to build the first responders partnership program. We’ve gone from the last time we talked about it as a plan to actually being implemented in very progressive counties like Arlington County, Alexandria here in the National Capital Region.
That then provides us a framework to work with Pentagon force protection to say, now that we all have credentials that we can validate real time, how does that impact day to day law enforcement around the Pentagon. And as we start talking about an airport, and as we start talking about the different law enforcement communities and how they interface with the public safety community to make informed decisions. So what we see now is a family of interoperable product lines, if you would, between HSPD-12 implementation and the individual agencies to leverage the CAP framework that all uniformed services, including the national guard that’s already in state and local government in their presence, back over with public health.
But to say now TWIC is being implemented, so now you have that within the ports. We are talking in the airports the ACES program. It’s very, very preliminary, we are talking about how do you leverage this FIPS 201 architecture in a way that again people manage their own data in an interoperable way. They manage their own privileges in an interoperable way.
JIM FLYZIK, THE FLYZIK GROUP
You are hitting on a lot of points that we are going to talk about here in our next segment when I ask each of you to think and talk about what we see happening down the road into the future.
Break.
JIM FLYZIK, THE FLYZIK GROUP
Phil give us some of your ideas on where we are going on a broader scale in the future. What are some of the exciting future applications and things we might be looking at down the road in identity management space?
PHIL MYERS, UNISYS
It is an exciting future for all of us in the identity management space. If you start looking at the foundation that we now have this common credential called the PIV card, we start seeing a lot of different uses for that. Certainly a coming up indication credential like a PIV card moves you right into the area of secure single sign on and the authentication objectives.
It’s very easy to move into a direction where you have a single sign on that gets you into all of your applications and gets you in securely. One of the things that we also see at the very beginning of this process, everybody goes through an enrollment and they get provision for that enrollment, wouldn’t that be a great opportunity to start looking at ways to deploy enterprise and digital rights management type activities where we are actually not only controlling application access but we are also looking at access down at the application of the data level itself. Who has access to read, write and change documents in my organization and likewise who has the ability to send those documents out to other organizations.
We can also look a little bit down the road to possibly tying this PIV card to an asset tracking mechanism where when you walk out of the agency in the afternoon the laptop that you are carrying is also being tracked by that PIV card. So there are a lot of exciting things that could happen outside of what we know as the standard PIV card today.
JIM FLYZIK, THE FLYZIK GROUP
And a lot of times we still remain somewhat of a reactionary society but a lot of these issues we are talking about, we have these problems today and these cards can address these problems and potentially be a solution for them. Mary over at DOD, what are some of your thoughts Mary about where this is all going in the future and some of the exciting things you will see in the world down the road as these things mature and become part of our standard business processes?
MARY DIXON, DOD
There are so many so let me try and pick out a few. I think in the eGovernment side of the house it allows us to work in a global organization which the Department of Defense certainly is, that allows us to conduct business without having to move pieces of paper. So I can now move pieces of paper electronically, be assured that the people on the other end are the right people. I can use digital signatures to get rid of the wet signature if you will and I can do a lot of things to simplify my business processes and become more efficient.
I can use this card to simplify other systems, so we are now doing a pilot project in the Department of Defense that uses the CAC to provision our purchase card or our credit card if you will and eventually perhaps our fuel cards and our travel cards.
We have the whole series of things of ePurses, electronic purses and be able to manage cash which is a big thing for overseas and the navy on ships, because it costs a lot of money to move money around on ships for people to use in those deployed locations. Think of how heavy coins are and what it costs to move things in an airplane to an overseas location. Being able to work the transportation industry and take care of our metro subsidy in the back end without having to go through these long lines that you see people standing in line to get their subsidy.
But probably the biggest area that I see in the future is if you look back at 9/11, one of the biggest concerns that fell apart in 9/11 was information sharing. We couldn’t figure out how to share information because certain people shouldn’t see certain things but couldn’t see other things and it’s really about identity.
If we could know who those people were and what roles they had and what attributes they had, then we would know which kinds of information we could share with people, so this is the beginning of our ability to really do a good job with information sharing, the right people seeing the right information at the right time.
JIM FLYZIK, THE FLYZIK GROUP
I agree with you. Often times with the groups I’m involved in people talk about identity management and then information intelligence sharing being such important national security issues and they really do go together. David, from EDS, your job there, what do you see with where this stuff is going down the road and some of the new and exciting things we should look forward to?
DAVID TROY, EDS
Jim I think Mary and you are absolutely right. I think information sharing and the collaboration that is going to be opened up with this new sense of trust and this new focus on trust and the ability to rapidly bring together teams that are diverse from different organizations and to quickly be able to collaborate and resolve issues and deal with any kind of circumstance that is presented is a very, I think it’s going to be a new paradigm in a lot of respects.
And essentially it is something that has occurred before. If you think about it there was a convergence of identity management and a new approach to identity management prior to HSPD-12 but it was a slow moving train and I think with HSPD-12 and really the federal government’s efforts in this area, it’s been a catalyst that’s really accelerated that change in thought and the industry in general and I think that’s where you are going to see, if you look at it, not only will the federal government be advancing ecommerce and eGovernment significantly, how long have we been working PKI and the ability to actively sign our emails or do assigned work flow, that type of thing.
With the use of a credential and what it brings with it as an enabling technology, I think that will really advance that ecommerce and eGovernment. I think that’s what the state and local market is looking at, the commercial area, they are all looking at how they can participate in that.
We’ve seen a lot of international interest in this that really sort of leads in a way to a ubiquitous card for credentialing for an approach to identity management that when we really think about it, if it does get down to the citizen level, and I think it will, you are really talking about a way of thwarting identity theft.
JIM FLYZIK, THE FLYZIK GROUP
I agree, you are making some good points there about what it will do to facilitate economic issues and international competitiveness by much more efficient operations and everything else. It’s got a tremendous amount of value there. Tom Lockwood at DHS if you think this through and picture down the road what do you see in your vision for some of the benefits and exciting things for the future?
TOM LOCKWOOD, DHS
Many of us have lived through the birth of the internet, the real adoption of the internet. We’ve seen the adoption of charge plates in a broad environment. The evolution of ATM machines and all of those have profoundly added to the quality of our life. Many of us have decided to become a doctor or a nurse, an engineer or a scientist or an administrator because they believe in that.
And somehow they’ve gotten distracted from their jobs by things like trying to do business expense reports and filling out HMO forms and many cases things that had it been built in the trust model of the enterprise they can concentrate on the thing that they chose to do in their life’s profession. We see people going to school now remotely to take classes whether they are DOD people where ever they are assigned throughout the globe, people that are at home, people that are now being educated through the internet, you have the opportunity to fundamentally understand products and services in a distributive environment, the quality of life for our citizens and guests is going to be profoundly better.
JIM FLYZIK, THE FLYZIK GROUP
Well said Tom. Gordon at BearingPoint, where do you see this all going? Is this step one of ten steps and when we get beyond ten steps, what will the world look like? These new exciting things that we’ll be doing that we are not doing today.
GORDON HANNAH, BEARINGPOINT
I think this credential is going to enable what’s becoming a much more mobile workforce. To Tom’s comments, the use of the internet and now the cooperation with a strong ability to identify individuals along with a backend management of privileges and access, I think when you combine all those factors with the movement of business and commerce and transactions to online becomes much greater.
The ability of the digital signature for example, to now sign paper that traditionally moved around from desk to desk, the hope is the business of government and of industry will become much more streamlined as individuals can be much more strongly authenticated and their transactions can be authenticated. The ability to reduce paperwork. The ability to do more telecommuting, work from home because now you have this stronger on line identity that can conduct transactions and make decisions.
So overall we think it’s really going to enable faster decision making. As Mary mentioned when we start to think about possibly adding financial applications capability to this credential you have a very powerful tool, one that you basically use throughout the day to get on the metro, to use bus services, to get in your building, to get on to your systems, to conduct transactions or to do all that from home as well. We think it’s going to make lives better and it’s going to make our security stronger.
JIM FLYZIK, THE FLYZIK GROUP
Terrific. Thanks Gordon. Mike Butler at GSA. You’ve been working these issues now for quite some time and I guess as you are focused on your day to day issues at times you have to be thinking out to the future about what this all means down the road and what it will mean for the future of our government and for our citizens. Give us your thoughts on where this will all go in the future.
MIKE BUTLER, GSA
I’ve listened to everybody else here and they’ve covered a whole wide range of different aspects and I guess one of the things that I would say is we have a slide that we do our presentation on and it gives the whole list of all the HSPD-12 directives, it talks about all sorts of identity management and identity related programs that have come into play really since 9/11. And when you put that slide up in front of people and then you ask them to step back, it’s almost breathtaking.
Someone, or we just got lucky, really thought about this over the last four or five years and we are really laying a foundation for identity in our country that not only allows HSPD-12 for government folks, but will end up addressing things like a new transit standard, which has been talked about, and I’ve had some exposure to overseas and Europe and also in Canada, and people all over the world are looking at this because we had the guts to do this.
It was a very bold move and I think that what we are seeing now is that the foundation is laid down. This is a new highway of a new industry and we are only at the 1% point and who knows what we are going to be able to do with this after we get over the dog work of putting the credentials out?
JIM FLYZIK, THE FLYZIK GROUP
I’ve been jotting down notes as we’ve talked here today and what I’d like to do for the remaining five minutes or so that we have, is I’ll make a few comments and summaries here of what I’ve picked up and then ask you the panel to relate to some of these comments. In looking down the road with this vision, you are right Mike, if you go back since 9/11, one of the first things I did out of government when I became chair and founded the ITAA Homeland Security Committee and the very first issue we had on the very first day we had a meeting was we need to focus on identity management issues because they are important. Now this is well before HSPD-12 and so forth.
But since then we’ve had HSPD-12 act now which is a big issue with the states and driver’s licenses, the western hemisphere travel initiatives, the TWIC cards, a whole series of cards around immigration and so forth, I mean an entire industry has grown up and there’s an entire cottage industry growing up around identity proofing, which works similar to your credit scores, you can get identity scores, to prove that Jim is really Jim. So it’s come a long, long way in a very short period of time.
The other thing I heard here today is when we think of identity management we shouldn’t just think of the card and the person. Identity management is about people, things, perhaps electronic bits. Things being cargo coming in and out of our country, and allowing the good cargo in and keeping the bad cargo out, about bits coming in, we want to identify let the good bits in and keep the bad bits out. Take it to another level of thinking and it just opens up a whole new world of opportunity.
I guess when I think of it I think sometimes of every place where you have to sign your name. The IRS comes to mind. And IRS tax returns. If you could just get to the point where you can eliminate that need for signing your name, what would that do for productivity improvements across our country?
And things like shopping, the elimination of identity theft was mentioned, the whole concept of money can change. The whole concept of how our government looks in the future. Are we moving to a place where the agencies would focus on their critical mission and perhaps policy but all these other services would be done sort of as a utility?
You’d have a series of infrastructure utilities maybe instead of the General Services Administration, you’d have the Government Services Administration that’s administering these utility services. I think it could dramatically change the way our government is shaped and looks in the future and the way it runs.
And we didn’t talk too much about those biometrics, we still talked today about the card, but will we get to the point where the card won’t be necessary? Because we’ll be identity proofing based on a biometric identifier.
Those are just some thoughts. Tom, can I ask you to add to those thoughts?
TOM LOCKWOOD, DHS
I guess I’ll sum it up by a phrase that Mark Twain said, it took a brave man to eat the first oyster. It’s going to take a braver person to really accept the certification that’s been done by another department or agency. And it’s going to take leadership and guts when it doesn’t go right the first time.
When you are accepting somebody into your enterprise and in fact there was a problem in vetting maybe in the original organization and you are burned. So what is the commitment to the vision? It comes back to what Mike said, what is the guts to move forward in this to create something that is profoundly better for the future? And that’s the challenge.
JIM FLYZIK, THE FLYZIK GROUP
Terrific. Mary can I ask you for a last word? From your perspective, to react to some of the comments made here?
MARY DIXON, DOD
I think I would agree with Tom. I think that what it takes is people who are the strong leaders in the government and outside the government to understand what we have here, to be able to use it, and to understand what we could have if we really are committed to this.
Because the first time something goes wrong, as Tom points out, we have to go back and look at ourselves and say did we do the right job or is this something that would have happened even if we had done the job. We need to be able to do that to be able to trust other people and figure out ways to trust. There is a quote that says trust but verify.
We need to figure out what that means. We need to not be so hung up with HSPD-12 or the FIPS card can only be issued by the federal government. Today that’s true. But next year, two years from now, three years from now, what we are trying to get to is the standard. What is the standard that we are going to all live with and that we can then trust other people. And it’s a struggle because look at all we do with clearances. We are supposed to have reciprocity and how many places have you heard, oh well I don’t trust their (whatever).
TOM LOCKWOOD, DHS
This trust relationship is fundamental in where we are going as a country, as a community. When we talk about a knowledge based community, we are talking about working in a distributive environment. The ability to cross boundaries as a matter of course very, very quickly. It’s absolutely fundamental, this trust model.
MARY DIXON, DOD
Think about the first responders who in a first responder organization the perimeter changes on a moment by moment basis. The requirement changes. I might need the firefighters in there first, but the next thing I need in are the doctors. How do I make that system work and be responsive to that kind of changing environment on the fly? And I can only do that if I’ve put the right infrastructure in place and have the right enabling technology.
JIM FLYZIK, THE FLYZIK GROUP
I hate to cut off the great dialogue we’ve got going but we are running out of time.