2018 SERVICE TO THE CITIZEN AWARD WINNERS
Craig Wilson, J’son Tyson, and Mark Lucas strengthened FEMA’s cybersecurity posture in managing the FEMA rollout of derived credentials to nearly 19,000 mobile devices held by over 15,000 FEMA and Surge Capacity Force employees and contractors. This represents the first enterprise-scale derived credential implementation in the U.S. federal government. A derived credential is a “virtual” personal identity verification (PIV) card that resides on the user’s mobile device, such as an iPhone or iPad. Derived credentials enable FEMA PIV card holders to securely access FEMA email, intranet, and other applications simply by using their registered FEMA mobile devices.
Derived credentials are transforming the way FEMA and Surge Capacity Force mobile device users access their email, intranet, and applications, and they give disaster responders the freedom and ease to access FEMA systems anytime and anywhere. FEMA is one of the first agencies to comply with HSPD-12 on mobile devices through the use of two-factor authentication at the enterprise level.
To overcome the challenge of costly, cumbersome, device-specific card readers, they worked with industry partners to architect a solution, within the NIST guidelines, that “derives” credentials for mobile use, commonly referred to as derived credentials or PIV-D.
Derived credentials enable more effective and efficient authentication processes and ensure the confidentiality, security, and integrity of mobile devices. They offer an enhanced user experience by minimizing the use of multiple, complex passwords. The derived credentials architecture relies on FEMA’s current investment in PIV infrastructure by leveraging the well-vetted and trusted identity of the PIV cardholder to PIV-enable a mobile device. It is based upon the existing DHS PIV card issuance capability to issue the derived credentials, coupled with the capability to provision the derived credentials to FEMA mobile devices. The derived PIV credential’s private key is stored in a FIPS 140-2 validated cryptographic module on the mobile device to support multi-factor client authentication, digital signing, and encryption. In addition, the architecture conforms to the Federal Identity, Credential, and Access Management (FICAM) model and leverages the Federal Public Key Infrastructure (FPKI) for authenticating and authorizing users.
In the face of proliferating cyberattacks and high-profile breaches, FEMA is taking action to harden its cybersecurity defense posture by extending certificate-based authentication to mobile.
IDENTITY, CREDENTIAL AND ACCESS MANAGEMENT (ICAM) LEAD, FEMA
IDENTITY, CREDENTIAL AND ACCESS MANAGEMENT (ICAM) CHIEF, FEMA
CHIEF SECURITY INFORMATION OFFICER,