VA PIV Project Concept and Scope
The PIV System is compromised of sub-systems and primary interfaces that work collaboratively to provide required services. The sub-systems that make up the PIV System are independent and fully functional systems, each with their own primary responsibilities and requirements that interface with one another to meet the objectives of FIPS 201. The sub-systems of the VA PIV System are:
- Public Key Infrastructure System – The sub-system responsible for the issuance and management of digital credentials, in the form of public keys and associated digital certificates, including the certificate status information in the form of Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responders.
- Card Management Service System — the sub-system responsible for the issuance and management of FIPS 201 compliant smart cards that serve as the mobile identity platform.
- Identity and Access Management System — the sub-system that serves as the integrated identity management service of the PIV system; managing authoritative data processing; user provisioning; access control and authorization policy definition; integration with Enterprise Directory Service; collection of user personalization data; capture of data necessary for card issuance and management; and serves as an identity feed to make data available to the other sub-systems within the PIV System.
- PIV Card System – the sub-system platform where the services of the PIV System are realized by the user, and where identity is consolidated and made available as a service that can be leveraged by the Enterprise.
One of the primary interfaces of the PIV System includes Physical Access Control Systems (PACS). This primary interface is a fundamental component captured within the PIV System architecture, given that the expectation of the PIV System are to integrate personnel, logical, and physical security services as they pertain to identity. PACS are expected to work in conjunction with the PIV System, in the sense that, the PACS will utilize the identity services of the PIV System and make access and authorization decisions based upon that service. In addition to the primary interface of PACS, there is also a need to have authoritative data made available to the PIV System to support the consolidation and provision of ubiquitous identity across the VA Enterprise. The following interfaces are defined for the PIV System:
- Human Resources/Personnel Interfaces – processes, data, and information relevant to the PIV System for validating a PIV Applicant’s Trustworthiness and Organizational Affiliation.
- Physical Security Interfaces — processes and data relevant to the PIV System for validating and authorizing PIV Applicants’ access to controlled areas.
- Information Security Interfaces – processes and data relevant to the PIV System for validating and authorizing PIV Applicants’ logical access to local and remote systems
The goal of the PIV System is to achieve compliance with HSPD-12 and FIPS 201. Within the context of this goal, the system intends to provide:
- >Personal Identity Verification (PIV) based on secure and reliable forms of identification credentials.
- PIV Credentials issued to support VA employees, contractors and affiliates who require physical access and/or logical access to VA controlled information systems and/or facilities.
- Issuance of PIV Credentials based on validation of an individual’s true identity and validation of the organizational affiliation.
- PIV credential holder Identity Management.
- Access Management and security policy enforcement surrounding the PIV processes.
- PIV Credential enrollment, registration, issuance and lifecycle management automation.
The VA PIV Project is a Departmental initiative intended to provide compliance with HSPD-12, FIPS -201, the Federal Common Policy, and related standards which address the Federal Government need for a standardized identity (PIV) credential to be issued all Federal employees and contractors. The PIV credential will be used for identification and authentication across Federal logical and physical access systems. FIPS-201 defines the requirements for the PIV credential enrollment and issuance processes necessary to provide a common assurance level under which all PIV credentials are issued.
The VA PIV System will implement PIV Card, PKI, and Identity and Access Management services to meet the requirements of FIPS 201. The VA PIV System automates the enrollment and issuance processes for the PIV credential, manages the identities of PIV cardholders, manages the lifecycle of the PIV credential, provides data management and provisioning services for interfacing systems, and provides audit and reporting data on PIV System transactions and events. The VA PIV System is also designed to deliver “security as a service” by integrating with the VA Enterprise Architecture service-oriented systems model. It provides an integrated approach to the broad, heterogeneous VA network and forwards the concepts embodied in the One-VA strategic goal. In doing so, the program intends to reduce the cost of ownership for identity services. Further, the initiative offers improved security of critical VA assets and extends broad protection for privacy and identity information maintained by VA.
The VA PIV Project represents a significant commitment by management to control, reduce, and establish reasonable cost structures for authentication and authorization services required to support HSPD-12 compliance. Further, the PIV Project is central to VA’s broad One-VA strategy and will facilitate VA compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the E-Sign Act, new privacy and financial legislation like the Gramm-Leach-Bliley Act, Sarbanes-Oxley, the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology Accessibility Standards (Section 508) and will resolve a VA authentication and authorization “material weakness” that has been cited by the Office of the Inspector General (OIG). The PIV Project will ensure compliance with HSPD-12 and FIPS 201, facilitate VA’s move towards a One-VA approach, reduce costs, and improve the enterprise security posture.