DC tests ID management for first responders

 

Connecting state and local government leaders

The challenges of controlling physical access in emergencies may be solved by a nationwide network of standard first responder credentials.

When an emergency occurs on federal property, responders from different agencies and jurisdictions arrive on the scene to help. Whether it's putting out a fire, inspecting a suspicious package or helping the injured get to a hospital, there are often a lot of boots on the ground and physical access is difficult to manage.

Without good access control, first responders could be walking into a situation they are not properly trained for. Even worse, an attacker could don a fireman's jacket and use the emergency to cover his entrance into a secure facility.

The problem of incident security ultimately will be solved with a nationwide network of standard first responder credentials, according to Karyn Higa-Smith, program manager of the Cyber Security Division of the Homeland Security Advanced Research Projects Agency. As part of the DHS's Science and Technology Directorate, she is working with state and local agencies to build just such a system.

"The idea is that when there is a large-scale incident, responders from state and local jurisdictions will come together," Higa-Smith said. "There will be a long line and a short line. The short line will be for those with identity cards linked into a unified bridge. The long line will be for those who have to go through a manual process like they do today."

But tying all state and local jurisdictions into a single system is not easy. To test the feasibility of such a system, DHS partnered with the Washington, D.C., government to set up a pilot program designed to control access to DC government buildings.  

Higa-Smith explained that while the nationwide first responder ID system had been tested successfully in a lab, the DC program provided an opportunity to show it operating in daily use in a real-world environment. Then when an emergency occurs, the system will be ready.

For the access control pilot, DC’s Office of the Chief Technology Officer used the open source ForgeRock Open Identity Stack, which it was already using for high-volume queries sent from identity cards to a backend database.

ForgeRock’s Open Identity Stack works with any sized population and can use almost any device and token combination. The stack consists of three integrated products: OpenAM, OpenDJ and OpenIDM. OpenAM is a single, unified access management program that provides authentication, authorization, federation, security and entitlements.

OpenDJ is an LDAP directory server that supports Representational State Transfer (REST) for use with almost any device. And OpenIDM is a lightweight user administration and provisioning solution.

In addition, ForgeRock offers Open Identity Gateway (OpenIG), which enables consistent enforcement of enterprise access policies for applications and APIs on premises or in the cloud.

The DC government had already issued cards to its workers and citizens for everything from access to schools and libraries to recreation centers and government buildings, according to Stephan Papadopulos, managing director of The Triage Group, which helped to implement the new system in DC.

ForgeRock's OpenAM was used to tie everything together into a single card. "The local DC government used ForgeRock to manage those identities across many systems, which can be accessed using a kiosk," he said. "Before that, they needed multiple logins and access cards to get into government buildings and IT systems."

Papadopulos explained that government visitors with PIV, CAC or even civilians with PIV-I cards could also use the system to gain access to DC buildings.

"Let's say someone from the FBI needs to go into a DC government building," he said. "They call ahead and have their identity confirmed. Then they are given access for a certain time. When they show up at the kiosk, they do a biometric scan and scan their card. The system reaches out and grabs their credentials and if it all matches up, they are given access to the building."

"Using the installed kiosk reader and controller, we were able to show that not only could the ForgeRock system work for physical access, but also logical access," Higa-Smith said.

The new system in DC can also support access based on conditions. In the example given by Papadopulos, the FBI agent would be granted access based on his credentials, but also because he had scheduled an appointment to be in the building at that time. In a first responder situation, the conditional element would be some type of declared emergency. Firefighters couldn't enter a government building because they were firefighters. An emergency would have to have been declared.

Working out the conditional elements within the system will be a key to its ultimate success, according to Higa-Smith. If there is a hazardous materials spill, for example, operators should be able to tell the system that only firefighters with hazmat training should be allowed on site, which would both maintain security and ensure that only responders trained for the situation are allowed access.

"We want to get to a situation where [access can be controlled by] a law enforcement officer with a handheld device at the physical point of access to an emergency response," Higa-Smith said. "The mobile device will be capable of reading the cards and verifying the identities and authorizations of everyone who responds to that incident, regardless of what jurisdiction they come from."

Higa-Smith says that the Personal Identity Verification-Interoperability/First Responder Authentication Credential (PIV-I/FRAC) Technology Transition Working Group, currently made up of 15 state and local government entities, is studying best practice solutions for PIV-I/FRAC credentials. They are also looking at technology gaps and solutions for sharing attributes with backend databases. Right now, she expects FRAC to leverage the backend attribute exchange system, as FRAC is universally recognized by the emergency and law enforcement communities.

Whenever a first responder completes new training, such as becoming hazmat certified, updating his credentials would allow him access to those situations he is qualified for.

"While some information is kept on the card, the majority of it would be updated in the database," Higa-Smith said. "The handheld device could simply reach out and obtain those credentials quickly in an emergency."

While the first real-world test of the system is taking place in the calm of DC office buildings, the next step will be to conduct pilots and demonstrations for an actual emergency. Higa-Smith said the Federal Emergency Management Agency plans to use a version of the prototype system to control access during the next event. Her hope is that as the successes of the FEMA National Continuity Programs and PIV-I/FRAC working group are shared, more state and local jurisdictions will sign up to be a part of the program, and the identity and access control standards can begin to be deployed nationwide.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.