Interagency Advisory Board (IAB) Meeting
Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011
1. Opening Remarks (Mr. Tim Baldridge, IAB Chair)
2. FIPS 201-2 Update and Panel Discussion with NIST Experts in Q&A Session (Bill MacGregor and Hildy Ferraiolo, NIST)
3. Securing Mobile Devices for Government Specific Apps (Debb Blanchard, Verizon)
4. Enabling HSPD-12 and Biometrics to Secure the Pentagon and Mark Center (Derek Nagel and Roger Roehr, PFPA)
5. An Example of Enabling HSPD-12 in Multi-Tenant Building by Operating a PACS Platform as a Service (Tom Corder, Bridgepoint Systems)
6. DoD PIV-I Update (Paul Grant, DoD)
7. Closing Remarks (Mr. Tim Baldridge, IAB Chair)

Pentagon Force Protection Agency
Privilege Management Program
Enabling HSPD-12 and Biometrics to Secure the Pentagon and Mark Center
1 November 2011
PFPA Project Integration Directorate
HSPD-12 Team

Pentagon and NCR Environment
• The Pentagon is the world’s largest flat office building
  – 6.7 Million Sq. Ft., 17.5 miles of corridors
  – Manage 10,116 parking spaces
• NCR buildings occupied by 87,000 DoD employees in 28 major buildings and 76 other locations
25,000 Assigned Personnel

HSPD-12 Program Goals
• Use CAC and PIV (from other Federal agencies) for permanent access and PIV for visitor entry
• Automate back end processes (FICAM) and use digital signatures for
  – Door Access request
  – Parking request
  – Visitor sponsorship
  – Escort pick up of visitors
• Add biometric authentication of people entering the Pentagon and the Mark Center
• Upgrade PACS equipment to support PIV

HSPD-12/PMP Training, Education & Awareness
• Education & Awareness Plan
• PFPA Intranet and internet
• Flyers, posters, brochures and other multi-media
• HSPD-12 email PFPAHSPD-12pfpamil
• Kiosk and awareness videos
• Building circulars
• Pentagon Police Department roll calls

Mark Center
Enrollment PMP, May 2011
Iris capture
Fingerprint capture
Mark Center turnstile, August 2011

Pentagon Physical Access Control System upgrade
• Mixture of legacy and PIV compliant equipment
• 7100+ PACS readers
  – Installing Oct 11 – Apr 12 multi-technology magstripe and PIV readers
• 2100+ PACS panels
  – Approximately 700 panels upgraded, remaining to be upgraded in FY12
• Turnstile upgrade
  – Corridor 5
  – Pentagon Athletic Center
Pentagon HSPD-12 entrance, September 2011

New entrance designs

Identity, Credential, and Access Management (ICAM)
PMP: Authentication, Proofing and Vetting, Roles
Identity
• Place of Birth
• Date of Birth
• Name
• Biometrics
Credential
• CAC
• PIV
• TWIC
• US Armed Services Identification Card
• Alternative Card
Access
• What
• Where
• When

Integration Road Map For Privileges
PMP Design & Implementation
HSPD-12, FIPS-201, SP 800-76, SP 800-73, SP 800-78, SP 800-79, SP 800-87, SP 800-103
Authorization: Sponsor, Background Check, Security Clearance
Identity: Name, Place of Birth, Parent Names, Biometrics, DOB
Credentials: PIV, Building & Visitor passes, SSN, Licenses, Vehicle Hang Tags
Accounts: Physical Access, Logical Access, Visitor Escort, Parking, Authorizing Agent
Access Control: Building and Door Access, Parking Lots and Spot, Logical, SP 800-116
Audit & Investigations

[Chart labels: Factor of Identity, Unique, Non-repudiation. Items shown: 4 Digits PIN, 6 Digits PIN, 8 Digits PIN, Card Read, Card Read with Cryptography, Hand Geometry, Fingerprint, Iris]

Design inspiration

Developing Authentication Requirements
High Security = CAC + PIN + Biometric (Restricted Areas)
Medium Security = CAC + Biometric (Perimeter)
Low Security = CAC (Suites)

Choosing Biometric Modality
• Standards based
• Interoperable
• Store the reference image, not the template
• For speed we chose stored-on-device biometrics solutions

Why Multimodal Biometrics
25,000 People Enter Daily
People who cannot enroll using either iris or fingerprint: approximately 0.01% (1% x 1%), or 3
People who cannot enroll using fingerprints: approximately 1%, or 250
People who cannot enroll using iris: approximately 1%, or 250
5,800 people enrolled, 0 failure to enroll in at least one biometric
PMP Enrollment screen

FOR OFFICIAL USE ONLY - Dissemination Governed by Distribution Statement E

Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader
Entry
Iris biometric reader
Card Only Reader
Exit
Employee exits turnstile: uses CAC
Employee enters turnstile: uses CAC and biometric
Prototype testing, March 2011

Tested with 3 groups of 10 people
• Internal staff
• External staff
• Light duty officers
Each group conducted 6 tests with 100 card reads per test
Turnstile
• Card only
• Card + Finger
• Card + Iris
• Card + user choice Iris or Finger
ADA portal
• Card only
• Card + user choice Iris or Finger
When users are given a choice of biometric, the total authentication time is only increased by 3 sec

Turnstile Testing

Lessons Learned
• HSPD-12 works
• Go to vendors with a plan
• Virtualization works
• Test, Test, Test
• Enrollment is where trust starts
• Document current process and why
• Define, Define, Define new process
• Be a change agent but listen to critics
• Offer a straw man process for review
• Listen to the end user
• Senior Leadership buy in is critical
• Don’t Ever Give UP

Contact Info
Derek Nagel
Pentagon Force Protection Agency, Project Integration Directorate
Access Control Branch Chief
dereknagelpfpamil
703-681-3122
Roger Roehr
Pentagon Force Protection Agency, Project Integration Directorate
HSPD-12 Physical Security Engineer, Contract Support
rogerroehrctrpfpamil
703-681-3169

Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation
33
Pentagon Force Protection Agency Pentagon Force Protection Agency
Privilege Management Program
Enabling HSPD-12 and Biometrics to Secure the
Pentagon and Mark Center
1 November 2011
PFPA Project Integration Directorate
HSPD-12 Team
34
Pentagon and NCR Environment
bull The Pentagon is the worldrsquos largest flat office building ndash 67 Million SqFt 175 miles of corridors ndash Manage 10116 parking spaces
bull NCR buildings occupied by 87000 DoD employees in 28 major buildings and 76 other locations
25000 Assigned Personnel
35
HSPD-12 Program Goals
bull Use CAC and PIV (from other Federal agencies) for permanent access and PIV for visitor entry
bull Automate back end processes (FICAM) and use digital signatures for
ndash Door Access request ndash Parking request ndash Visitor sponsorship ndash Escort pick up of visitors
bull Add biometric authentication of people entering the
Pentagon and the Mark Center
bull Upgrade PACS equipment to support PIV
36
HSPD-12PMP Training Education amp Awareness
bull Education amp Awareness Plan bull PFPA Intranet and internet bull Flyers posters brochures and other multi-media bull HSPD-12 email PFPAHSPD-12pfpamil bull Kiosk and awareness videos bull Building circulars bull Pentagon Police Department roll calls
37
MARK Center
Enrollment PMP May 2011
38
Iris capture Fingerprint Capture
Mark Center turnstile August 2011
39
40
bull Mixture of legacy and PIV compliant equipment bull 7100+ PACS readers
ndash Installing Oct 11 ndash Apr 12 multi-technology magstripe and PIV readers
bull 2100+ PACS panels ndash Approximately 700 panels upgraded remaining to be
upgraded in FY12 bull Turnstile upgrade
ndash Coridor 5 ndash Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrances designs
42
43
Identity Credential Access management (ICAM)
PMPA
uthe
ntic
atio
n
Proofin
g and
VettingRoles
Identitybull Place of Birthbull Date of Birthbull Namebull Biometrics
Credentialbull CACbull PIVbull TWIC bull US Armed Services
Identification Cardbull Alternative Card
Accessbull Whatbull Wherebull When
44
Integration Road Map For Privileges
HSPD-12 FIPS-201 SP 800-76
SP 800-73 SP 800-78 SP 800-79 SP 800-87 SP 800-103
Authorization Sponsor Background Check Security Clearance
Identity Name Place of Birth
Parent Names Biometrics
DOB
Credentials PIV Building amp Visitor passes SSN
Licenses Vehicle Hang Tags
Accounts Physical Access Logical Access Visitor Escort
Parking Authorizing Agent
Access Control Building and Door Access Parking Lots and Spot Logical SP 800-116
Audit amp Investigations
PMP Design amp Impelmentation
45
46
Hand Geometry
Factor of Identity
Unique
Non
repu
diat
ion
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric Restricted Areas
Medium Security = CAC + Biometric Perimeter
Low Security = CAC
Suites
49
Choosing Biometric Modality
bull Standards based bull Interoperable bull Store the reference image not
the template bull For speed we chose stored on
device biometrics solutions
50
Why Multimodal Biometrics
25000 People Enter Daily
People can not enroll using either iris or fingerprint approximately 001 (1 x 1) or 3
People who can not enroll using fingerprints approximately 1 or 250
People who can not enroll using iris approximately 1 or 250
5800 people enrolled 0 failure to enroll in at least one biometric
PMP Enrollment screen
51
FOR OFFICIAL USE ONLY - Dissemination Governed by
Distribution Statement E
52
Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader Entry
Iris biometric reader
Card Only Reader Exit
Employee exits turnstile uses CAC
Employee enters turnstile uses CAC and biometric
Prototype testing March 2011
53
Tested with 3 groups of 10 people bull Internal staff bull External staff bull Light duty officers
Each group conducted 6 tests with 100 card read per a test
Turnstile bull Card only bull Card + Finger bull Card + Iris bull Card + user choice Iris or Finger ADA portal bull Card only bull Card + user choice Iris or Finger
When user are given a choice of biometric the total authentication time is only increased by 3 sec
54
Turnstile Testing
55
Lessons Learned
bull HSPD-12 works bull Go to vendors with a plan bull Virtualization works bull Test Test Test bull Enrollment is where trust starts bull Document current process and why bull Define Define Define new process bull Be a change agent but listen to critics bull Offer a straw man process for review bull Listen to the end user bull Senior Leadership buy in is critical
bull Donrsquot Ever Give UP
56
Contact Info
Derek Nagel Pentagon Force Protection Agency Project Integration Directorate Access Control Branch Chief dereknagelpfpamil 703-681-3122 Roger Roehr Pentagon Force Protection Agency Project Integration Directorate HSPD-12 Physical Security Engineer Contract Support rogerroehrctrpfpamil 703-681-3169
57
Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation
34
Pentagon and NCR Environment
bull The Pentagon is the worldrsquos largest flat office building ndash 67 Million SqFt 175 miles of corridors ndash Manage 10116 parking spaces
bull NCR buildings occupied by 87000 DoD employees in 28 major buildings and 76 other locations
25000 Assigned Personnel
35
HSPD-12 Program Goals
bull Use CAC and PIV (from other Federal agencies) for permanent access and PIV for visitor entry
bull Automate back end processes (FICAM) and use digital signatures for
ndash Door Access request ndash Parking request ndash Visitor sponsorship ndash Escort pick up of visitors
bull Add biometric authentication of people entering the
Pentagon and the Mark Center
bull Upgrade PACS equipment to support PIV
36
HSPD-12PMP Training Education amp Awareness
bull Education amp Awareness Plan bull PFPA Intranet and internet bull Flyers posters brochures and other multi-media bull HSPD-12 email PFPAHSPD-12pfpamil bull Kiosk and awareness videos bull Building circulars bull Pentagon Police Department roll calls
37
MARK Center
Enrollment PMP May 2011
38
Iris capture Fingerprint Capture
Mark Center turnstile August 2011
39
40
bull Mixture of legacy and PIV compliant equipment bull 7100+ PACS readers
ndash Installing Oct 11 ndash Apr 12 multi-technology magstripe and PIV readers
bull 2100+ PACS panels ndash Approximately 700 panels upgraded remaining to be
upgraded in FY12 bull Turnstile upgrade
ndash Coridor 5 ndash Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrances designs
42
43
Identity Credential Access management (ICAM)
PMPA
uthe
ntic
atio
n
Proofin
g and
VettingRoles
Identitybull Place of Birthbull Date of Birthbull Namebull Biometrics
Credentialbull CACbull PIVbull TWIC bull US Armed Services
Identification Cardbull Alternative Card
Accessbull Whatbull Wherebull When
44
Integration Road Map For Privileges
HSPD-12 FIPS-201 SP 800-76
SP 800-73 SP 800-78 SP 800-79 SP 800-87 SP 800-103
Authorization Sponsor Background Check Security Clearance
Identity Name Place of Birth
Parent Names Biometrics
DOB
Credentials PIV Building amp Visitor passes SSN
Licenses Vehicle Hang Tags
Accounts Physical Access Logical Access Visitor Escort
Parking Authorizing Agent
Access Control Building and Door Access Parking Lots and Spot Logical SP 800-116
Audit amp Investigations
PMP Design amp Impelmentation
45
46
Hand Geometry
Factor of Identity
Unique
Non
repu
diat
ion
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric Restricted Areas
Medium Security = CAC + Biometric Perimeter
Low Security = CAC
Suites
49
Choosing Biometric Modality
bull Standards based bull Interoperable bull Store the reference image not
the template bull For speed we chose stored on
device biometrics solutions
50
Why Multimodal Biometrics
25000 People Enter Daily
People can not enroll using either iris or fingerprint approximately 001 (1 x 1) or 3
People who can not enroll using fingerprints approximately 1 or 250
People who can not enroll using iris approximately 1 or 250
5800 people enrolled 0 failure to enroll in at least one biometric
PMP Enrollment screen
51
FOR OFFICIAL USE ONLY - Dissemination Governed by
Distribution Statement E
52
Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader Entry
Iris biometric reader
Card Only Reader Exit
Employee exits turnstile uses CAC
Employee enters turnstile uses CAC and biometric
Prototype testing March 2011
53
Tested with 3 groups of 10 people bull Internal staff bull External staff bull Light duty officers
Each group conducted 6 tests with 100 card read per a test
Turnstile bull Card only bull Card + Finger bull Card + Iris bull Card + user choice Iris or Finger ADA portal bull Card only bull Card + user choice Iris or Finger
When user are given a choice of biometric the total authentication time is only increased by 3 sec
54
Turnstile Testing
55
Lessons Learned
bull HSPD-12 works bull Go to vendors with a plan bull Virtualization works bull Test Test Test bull Enrollment is where trust starts bull Document current process and why bull Define Define Define new process bull Be a change agent but listen to critics bull Offer a straw man process for review bull Listen to the end user bull Senior Leadership buy in is critical
bull Donrsquot Ever Give UP
56
Contact Info
Derek Nagel Pentagon Force Protection Agency Project Integration Directorate Access Control Branch Chief dereknagelpfpamil 703-681-3122 Roger Roehr Pentagon Force Protection Agency Project Integration Directorate HSPD-12 Physical Security Engineer Contract Support rogerroehrctrpfpamil 703-681-3169
57
Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation
35
HSPD-12 Program Goals
bull Use CAC and PIV (from other Federal agencies) for permanent access and PIV for visitor entry
bull Automate back end processes (FICAM) and use digital signatures for
ndash Door Access request ndash Parking request ndash Visitor sponsorship ndash Escort pick up of visitors
bull Add biometric authentication of people entering the
Pentagon and the Mark Center
bull Upgrade PACS equipment to support PIV
36
HSPD-12PMP Training Education amp Awareness
bull Education amp Awareness Plan bull PFPA Intranet and internet bull Flyers posters brochures and other multi-media bull HSPD-12 email PFPAHSPD-12pfpamil bull Kiosk and awareness videos bull Building circulars bull Pentagon Police Department roll calls
37
MARK Center
Enrollment PMP May 2011
38
Iris capture Fingerprint Capture
Mark Center turnstile August 2011
39
40
bull Mixture of legacy and PIV compliant equipment bull 7100+ PACS readers
ndash Installing Oct 11 ndash Apr 12 multi-technology magstripe and PIV readers
bull 2100+ PACS panels ndash Approximately 700 panels upgraded remaining to be
upgraded in FY12 bull Turnstile upgrade
ndash Coridor 5 ndash Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrances designs
42
43
Identity Credential Access management (ICAM)
PMPA
uthe
ntic
atio
n
Proofin
g and
VettingRoles
Identitybull Place of Birthbull Date of Birthbull Namebull Biometrics
Credentialbull CACbull PIVbull TWIC bull US Armed Services
Identification Cardbull Alternative Card
Accessbull Whatbull Wherebull When
44
Integration Road Map For Privileges
HSPD-12 FIPS-201 SP 800-76
SP 800-73 SP 800-78 SP 800-79 SP 800-87 SP 800-103
Authorization Sponsor Background Check Security Clearance
Identity Name Place of Birth
Parent Names Biometrics
DOB
Credentials PIV Building amp Visitor passes SSN
Licenses Vehicle Hang Tags
Accounts Physical Access Logical Access Visitor Escort
Parking Authorizing Agent
Access Control Building and Door Access Parking Lots and Spot Logical SP 800-116
Audit amp Investigations
PMP Design amp Impelmentation
45
46
Hand Geometry
Factor of Identity
Unique
Non
repu
diat
ion
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric Restricted Areas
Medium Security = CAC + Biometric Perimeter
Low Security = CAC
Suites
49
Choosing Biometric Modality
bull Standards based bull Interoperable bull Store the reference image not
the template bull For speed we chose stored on
device biometrics solutions
50
Why Multimodal Biometrics
25000 People Enter Daily
People can not enroll using either iris or fingerprint approximately 001 (1 x 1) or 3
People who can not enroll using fingerprints approximately 1 or 250
People who can not enroll using iris approximately 1 or 250
5800 people enrolled 0 failure to enroll in at least one biometric
PMP Enrollment screen
51
FOR OFFICIAL USE ONLY - Dissemination Governed by
Distribution Statement E
52
Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader Entry
Iris biometric reader
Card Only Reader Exit
Employee exits turnstile uses CAC
Employee enters turnstile uses CAC and biometric
Prototype testing March 2011
53
Tested with 3 groups of 10 people bull Internal staff bull External staff bull Light duty officers
Each group conducted 6 tests with 100 card read per a test
Turnstile bull Card only bull Card + Finger bull Card + Iris bull Card + user choice Iris or Finger ADA portal bull Card only bull Card + user choice Iris or Finger
When user are given a choice of biometric the total authentication time is only increased by 3 sec
54
Turnstile Testing
55
Lessons Learned
bull HSPD-12 works bull Go to vendors with a plan bull Virtualization works bull Test Test Test bull Enrollment is where trust starts bull Document current process and why bull Define Define Define new process bull Be a change agent but listen to critics bull Offer a straw man process for review bull Listen to the end user bull Senior Leadership buy in is critical
bull Donrsquot Ever Give UP
56
Contact Info
Derek Nagel Pentagon Force Protection Agency Project Integration Directorate Access Control Branch Chief dereknagelpfpamil 703-681-3122 Roger Roehr Pentagon Force Protection Agency Project Integration Directorate HSPD-12 Physical Security Engineer Contract Support rogerroehrctrpfpamil 703-681-3169
57
Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation
36
HSPD-12PMP Training Education amp Awareness
bull Education amp Awareness Plan bull PFPA Intranet and internet bull Flyers posters brochures and other multi-media bull HSPD-12 email PFPAHSPD-12pfpamil bull Kiosk and awareness videos bull Building circulars bull Pentagon Police Department roll calls
37
MARK Center
Enrollment PMP May 2011
38
Iris capture Fingerprint Capture
Mark Center turnstile August 2011
39
40
bull Mixture of legacy and PIV compliant equipment bull 7100+ PACS readers
ndash Installing Oct 11 ndash Apr 12 multi-technology magstripe and PIV readers
bull 2100+ PACS panels ndash Approximately 700 panels upgraded remaining to be
upgraded in FY12 bull Turnstile upgrade
ndash Coridor 5 ndash Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrances designs
42
43
Identity Credential Access management (ICAM)
PMPA
uthe
ntic
atio
n
Proofin
g and
VettingRoles
Identitybull Place of Birthbull Date of Birthbull Namebull Biometrics
Credentialbull CACbull PIVbull TWIC bull US Armed Services
Identification Cardbull Alternative Card
Accessbull Whatbull Wherebull When
44
Integration Road Map For Privileges
HSPD-12 FIPS-201 SP 800-76
SP 800-73 SP 800-78 SP 800-79 SP 800-87 SP 800-103
Authorization Sponsor Background Check Security Clearance
Identity Name Place of Birth
Parent Names Biometrics
DOB
Credentials PIV Building amp Visitor passes SSN
Licenses Vehicle Hang Tags
Accounts Physical Access Logical Access Visitor Escort
Parking Authorizing Agent
Access Control Building and Door Access Parking Lots and Spot Logical SP 800-116
Audit amp Investigations
PMP Design amp Impelmentation
45
46
Hand Geometry
Factor of Identity
Unique
Non
repu
diat
ion
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric Restricted Areas
Medium Security = CAC + Biometric Perimeter
Low Security = CAC
Suites
49
Choosing Biometric Modality
bull Standards based bull Interoperable bull Store the reference image not
the template bull For speed we chose stored on
device biometrics solutions
50
Why Multimodal Biometrics
25000 People Enter Daily
People can not enroll using either iris or fingerprint approximately 001 (1 x 1) or 3
People who can not enroll using fingerprints approximately 1 or 250
People who can not enroll using iris approximately 1 or 250
5800 people enrolled 0 failure to enroll in at least one biometric
PMP Enrollment screen
51
FOR OFFICIAL USE ONLY - Dissemination Governed by
Distribution Statement E
52
Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader Entry
Iris biometric reader
Card Only Reader Exit
Employee exits turnstile uses CAC
Employee enters turnstile uses CAC and biometric
Prototype testing March 2011
53
Tested with 3 groups of 10 people bull Internal staff bull External staff bull Light duty officers
Each group conducted 6 tests with 100 card read per a test
Turnstile bull Card only bull Card + Finger bull Card + Iris bull Card + user choice Iris or Finger ADA portal bull Card only bull Card + user choice Iris or Finger
When user are given a choice of biometric the total authentication time is only increased by 3 sec
54
Turnstile Testing
55
Lessons Learned
bull HSPD-12 works bull Go to vendors with a plan bull Virtualization works bull Test Test Test bull Enrollment is where trust starts bull Document current process and why bull Define Define Define new process bull Be a change agent but listen to critics bull Offer a straw man process for review bull Listen to the end user bull Senior Leadership buy in is critical
bull Donrsquot Ever Give UP
56
Contact Info
Derek Nagel Pentagon Force Protection Agency Project Integration Directorate Access Control Branch Chief dereknagelpfpamil 703-681-3122 Roger Roehr Pentagon Force Protection Agency Project Integration Directorate HSPD-12 Physical Security Engineer Contract Support rogerroehrctrpfpamil 703-681-3169
57
Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation
37
MARK Center
Enrollment PMP May 2011
38
Iris capture Fingerprint Capture
Mark Center turnstile August 2011
39
40
bull Mixture of legacy and PIV compliant equipment bull 7100+ PACS readers
ndash Installing Oct 11 ndash Apr 12 multi-technology magstripe and PIV readers
bull 2100+ PACS panels ndash Approximately 700 panels upgraded remaining to be
upgraded in FY12 bull Turnstile upgrade
ndash Coridor 5 ndash Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrances designs
42
43
Identity Credential Access management (ICAM)
PMPA
uthe
ntic
atio
n
Proofin
g and
VettingRoles
Identitybull Place of Birthbull Date of Birthbull Namebull Biometrics
Credentialbull CACbull PIVbull TWIC bull US Armed Services
Identification Cardbull Alternative Card
Accessbull Whatbull Wherebull When
44
Integration Road Map For Privileges
HSPD-12 FIPS-201 SP 800-76
SP 800-73 SP 800-78 SP 800-79 SP 800-87 SP 800-103
Authorization Sponsor Background Check Security Clearance
Identity Name Place of Birth
Parent Names Biometrics
DOB
Credentials PIV Building amp Visitor passes SSN
Licenses Vehicle Hang Tags
Accounts Physical Access Logical Access Visitor Escort
Parking Authorizing Agent
Access Control Building and Door Access Parking Lots and Spot Logical SP 800-116
Audit amp Investigations
PMP Design amp Impelmentation
45
46
Hand Geometry
Factor of Identity
Unique
Non
repu
diat
ion
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric Restricted Areas
Medium Security = CAC + Biometric Perimeter
Low Security = CAC
Suites
49
Choosing Biometric Modality
bull Standards based bull Interoperable bull Store the reference image not
the template bull For speed we chose stored on
device biometrics solutions
50
Why Multimodal Biometrics
25000 People Enter Daily
People can not enroll using either iris or fingerprint approximately 001 (1 x 1) or 3
People who can not enroll using fingerprints approximately 1 or 250
People who can not enroll using iris approximately 1 or 250
5800 people enrolled 0 failure to enroll in at least one biometric
PMP Enrollment screen
51
FOR OFFICIAL USE ONLY - Dissemination Governed by
Distribution Statement E
52
Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader Entry
Iris biometric reader
Card Only Reader Exit
Employee exits turnstile uses CAC
Employee enters turnstile uses CAC and biometric
Prototype testing March 2011
53
Tested with 3 groups of 10 people bull Internal staff bull External staff bull Light duty officers
Each group conducted 6 tests with 100 card read per a test
Turnstile bull Card only bull Card + Finger bull Card + Iris bull Card + user choice Iris or Finger ADA portal bull Card only bull Card + user choice Iris or Finger
When user are given a choice of biometric the total authentication time is only increased by 3 sec
54
Turnstile Testing
55
Lessons Learned
bull HSPD-12 works bull Go to vendors with a plan bull Virtualization works bull Test Test Test bull Enrollment is where trust starts bull Document current process and why bull Define Define Define new process bull Be a change agent but listen to critics bull Offer a straw man process for review bull Listen to the end user bull Senior Leadership buy in is critical
bull Donrsquot Ever Give UP
56
Contact Info
Derek Nagel Pentagon Force Protection Agency Project Integration Directorate Access Control Branch Chief dereknagelpfpamil 703-681-3122 Roger Roehr Pentagon Force Protection Agency Project Integration Directorate HSPD-12 Physical Security Engineer Contract Support rogerroehrctrpfpamil 703-681-3169
57
Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation
Enrollment PMP May 2011
38
Iris capture Fingerprint Capture
Mark Center turnstile August 2011
39
40
bull Mixture of legacy and PIV compliant equipment bull 7100+ PACS readers
ndash Installing Oct 11 ndash Apr 12 multi-technology magstripe and PIV readers
bull 2100+ PACS panels ndash Approximately 700 panels upgraded remaining to be
upgraded in FY12 bull Turnstile upgrade
ndash Coridor 5 ndash Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrances designs
42
43
Identity Credential Access management (ICAM)
PMPA
uthe
ntic
atio
n
Proofin
g and
VettingRoles
Identitybull Place of Birthbull Date of Birthbull Namebull Biometrics
Credentialbull CACbull PIVbull TWIC bull US Armed Services
Identification Cardbull Alternative Card
Accessbull Whatbull Wherebull When
44
Integration Road Map For Privileges
HSPD-12 FIPS-201 SP 800-76
SP 800-73 SP 800-78 SP 800-79 SP 800-87 SP 800-103
Authorization Sponsor Background Check Security Clearance
Identity Name Place of Birth
Parent Names Biometrics
DOB
Credentials PIV Building amp Visitor passes SSN
Licenses Vehicle Hang Tags
Accounts Physical Access Logical Access Visitor Escort
Parking Authorizing Agent
Access Control Building and Door Access Parking Lots and Spot Logical SP 800-116
Audit amp Investigations
PMP Design amp Impelmentation
45
46
Hand Geometry
Factor of Identity
Unique
Non
repu
diat
ion
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric Restricted Areas
Medium Security = CAC + Biometric Perimeter
Low Security = CAC
Suites
49
Mark Center turnstile August 2011
39
40
• Mixture of legacy and PIV compliant equipment
• 7100+ PACS readers
– Installing Oct 11 – Apr 12 multi-technology magstripe and PIV readers
• 2100+ PACS panels
– Approximately 700 panels upgraded, remaining to be upgraded in FY12
• Turnstile upgrade
– Corridor 5
– Pentagon Athletic Center
Pentagon Physical Access Control System upgrade
Pentagon HSPD-12 entrance September 2011
41
New entrance designs
42
43
Identity Credential Access management (ICAM)
PMP
Authentication
Proofing and Vetting
Roles
Identity
• Place of Birth
• Date of Birth
• Name
• Biometrics
Credential
• CAC
• PIV
• TWIC
• US Armed Services Identification Card
• Alternative Card
Access
• What
• Where
• When
44
Integration Road Map For Privileges
HSPD-12, FIPS-201, SP 800-76, SP 800-73, SP 800-78, SP 800-79, SP 800-87, SP 800-103
Authorization: Sponsor; Background Check; Security Clearance
Identity: Name; Place of Birth; Parent Names; Biometrics; DOB
Credentials: PIV; Building & Visitor passes; SSN; Licenses; Vehicle Hang Tags
Accounts: Physical Access; Logical Access; Visitor Escort; Parking; Authorizing Agent
Access Control: Building and Door Access; Parking Lots and Spot; Logical; SP 800-116
Audit & Investigations
PMP Design & Implementation
45
46
Hand Geometry
Factor of Identity
Unique
Non-repudiation
4 Digits PIN
6 Digits PIN
8 Digits PIN
Card Read
Card Read with Cryptography
Fingerprint
Iris
47
design inspiration
48
Developing Authentication Requirements
High Security = CAC + PIN + Biometric (Restricted Areas)
Medium Security = CAC + Biometric (Perimeter)
Low Security = CAC (Suites)
49
Choosing Biometric Modality
• Standards based
• Interoperable
• Store the reference image, not the template
• For speed we chose stored-on-device biometrics solutions
50
Why Multimodal Biometrics
25000 People Enter Daily
People who cannot enroll using either iris or fingerprint: approximately 0.01% (1% x 1%), or 3
People who cannot enroll using fingerprints: approximately 1%, or 250
People who cannot enroll using iris: approximately 1%, or 250
5800 people enrolled, 0 failure to enroll in at least one biometric
PMP Enrollment screen
51
FOR OFFICIAL USE ONLY - Dissemination Governed by
Distribution Statement E
52
Integrated Biometrics Turnstile Concept
Fingerprint Biometric Reader Entry
Iris biometric reader
Card Only Reader Exit
Employee exits turnstile uses CAC
Employee enters turnstile uses CAC and biometric
Prototype testing March 2011
53
Tested with 3 groups of 10 people
• Internal staff
• External staff
• Light duty officers
Each group conducted 6 tests with 100 card reads per test
Turnstile
• Card only
• Card + Finger
• Card + Iris
• Card + user choice Iris or Finger
ADA portal
• Card only
• Card + user choice Iris or Finger
When users are given a choice of biometric, the total authentication time is only increased by 3 sec
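The tiers from the "Developing Authentication Requirements" slide combined with the "Card + user choice Iris or Finger" reader configuration, as an added example (not PFPA or PACS vendor code). The zone keys, function names and the assumption that failure to enroll is independent across modalities are this example's own; the per-modality rate is the slide's 250 of 25000.

```python
from dataclasses import dataclass
from enum import Enum
from fractions import Fraction


class Factor(Enum):
    CARD = "card"            # CAC or PIV read
    PIN = "pin"
    FINGER = "fingerprint"
    IRIS = "iris"


BIOMETRICS = frozenset({Factor.FINGER, Factor.IRIS})


@dataclass(frozen=True)
class Policy:
    required: frozenset      # non-biometric factors that must all verify
    biometric: bool          # True: one enrolled biometric must also verify


# Tiers as listed on the slide; the zone keys are names chosen for this example.
POLICIES = {
    "restricted_area": Policy(frozenset({Factor.CARD, Factor.PIN}), True),  # High
    "perimeter": Policy(frozenset({Factor.CARD}), True),                    # Medium
    "suite": Policy(frozenset({Factor.CARD}), False),                       # Low
}


def decide(zone, verified, enrolled, reader_modalities=BIOMETRICS):
    """Return (granted, reason) for one entry attempt.

    verified          -- factors the reader reports as successfully checked
    enrolled          -- biometric modalities this person has a stored reference for
    reader_modalities -- biometric modalities this portal's readers accept
    """
    policy = POLICIES.get(zone)
    if policy is None:
        return False, "unknown zone"          # fail closed on unconfigured zones
    verified = frozenset(verified)
    missing = policy.required - verified
    if missing:
        return False, "missing " + "+".join(sorted(f.value for f in missing))
    if policy.biometric:
        # Only a modality that is both enrolled and accepted here can count.
        usable = frozenset(enrolled) & frozenset(reader_modalities)
        if not usable:
            return False, "no enrolled biometric usable at this reader"
        if not (verified & usable):
            return False, "biometric not verified"
    return True, "granted"


def expected_without_usable_biometric(population, fte_rate, modalities):
    """Expected head count unable to enroll in ANY of the given modalities,
    assuming failure to enroll is independent per modality."""
    share = Fraction(1)
    for modality in modalities:
        share *= fte_rate[modality]
    return population * share


# Figures taken from the slide: 250 of 25000 daily entrants per modality.
DAILY_ENTRANTS = 25000
FTE_RATE = {
    Factor.FINGER: Fraction(250, DAILY_ENTRANTS),
    Factor.IRIS: Fraction(250, DAILY_ENTRANTS),
}


def demo():
    """Constructed case: a person who could enroll iris but not fingerprint."""
    iris_only = {Factor.IRIS}
    attempt = {Factor.CARD, Factor.IRIS}
    return {
        "perimeter, user-choice reader": decide("perimeter", attempt, iris_only),
        "perimeter, fingerprint-only reader": decide(
            "perimeter", attempt, iris_only, {Factor.FINGER}),
        "restricted area, no PIN": decide("restricted_area", attempt, iris_only),
        "locked out, fingerprint only": expected_without_usable_biometric(
            DAILY_ENTRANTS, FTE_RATE, {Factor.FINGER}),
        "locked out, iris or fingerprint": expected_without_usable_biometric(
            DAILY_ENTRANTS, FTE_RATE, BIOMETRICS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The two-modality estimate comes out at 5/2, which the slide rounds to 3.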
54
Turnstile Testing
55
Lessons Learned
• HSPD-12 works
• Go to vendors with a plan
• Virtualization works
• Test, Test, Test
• Enrollment is where trust starts
• Document current process and why
• Define, Define, Define new process
• Be a change agent but listen to critics
• Offer a straw man process for review
• Listen to the end user
• Senior Leadership buy-in is critical
• Don't Ever Give UP
56
Contact Info
Derek Nagel
Pentagon Force Protection Agency
Project Integration Directorate
Access Control Branch Chief
dereknagelpfpamil
703-681-3122

Roger Roehr
Pentagon Force Protection Agency
Project Integration Directorate
HSPD-12 Physical Security Engineer, Contract Support
rogerroehrctrpfpamil
703-681-3169
57
Pentagon Force Protection Agency
Protecting Those Who Protect Our Nation