Making derived mobile credentials work

The National Institute of Standards and Technology recently issued a practice guide showing two ways federal employees using mobile devices could be authenticated to access secure information systems and applications.

Derived personal identity verification (PIV) credentials could get wider use if the latest National Institute of Standards and Technology guidelines get traction. NIST is currently considering comments on a second draft of the Special Publication 1800-12 practice guide, which includes two sample implementations showing how federal employees using mobile devices could be authenticated to access secure information systems and applications.

Seeing the applications laid out in SP 1800-12 is a huge boon to derived PIV credentials (DPC), which are intended for use by federal agencies that need to authenticate the identity of workers and contractors who must access information systems at varying levels of security, said Chris Edwards, CTO at Intercede, a cybersecurity firm specializing in digital identities. The company was one of five industry consultants on the second draft, which builds on the concepts laid out in last year’s original draft.

“The theory’s great,” Edwards said. But “what does it actually take to put this lot together? What are my components? How do I assemble a solution that does this?”

That's what the practice guide provides.

“The Derived PIV Credentials guide aims to help agencies understand the options, capabilities, and limitations of the solutions available in the market today and to deploy the solutions that fit organizational needs,” Bill Newhouse, security engineer at NCCoE and lead author of the draft, said via email.

The security architecture examples illustrate how DPC can be issued to mobile devices using commercial products that use the PIV standard for remote authentication to IT systems. The National Cybersecurity Center of Excellence built an enterprise network environment using common components such as identity repositories, supporting certificate authorities and web servers. NCCoE then selected products and capabilities that demonstrated life cycle guidelines in NIST SP 800-157, Guidelines for DPC.

One implementation uses a software-only solution with cloud services managing the life cycle of PIV and DPC. It also introduces enterprise mobility management into the workflow, Newhouse said, because that’s “useful in applying SP 800-157 life cycle guidelines by integrating an organization’s mobile device issuance process with DPC issuance. EMMs can also assist with terminating the DPC by remotely destroying the EMM’s software container.”

The other implementation uses an enterprise credential management system to issue credentials to a software container and taps Intel Authenticate to store the DPC.

Both examples use cloud where possible through a software-as-a-service component, and they’re mapped to the NIST Cybersecurity Framework and the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework.

In translating these implementations to a given agency, IT managers may be able to pick and choose among the examples’ capabilities.

“We demonstrated a standards-based reference design that provides agencies with the information they need to replicate the DPC example implementations,” Newhouse said. “Nevertheless, the reference designs are modular. They can be deployed in whole or in part, or an agency can use the guide as a starting point for tailoring and implementing parts of the DPC example solutions.”

In weighing how best to adopt DPC, Intercede’s Edwards said IT managers should consider what hardware they might need, such as the type of mobile device and registration kiosks.

Agencies must consider whether they need a completely new system or if they can enhance and upgrade their current system. They also must decide how much control they want over it, Edwards said, because those kinds of questions will help determine whether an agency needs to make an expensive replacement of the entire system or “being able to say, ‘I just need to drop this derived credential component on and I can do that with a relatively light touch at a relatively low cost.’”

Although the draft is not intended to endorse a product or company, the input from vendors was crucial, Newhouse wrote.

“NCCoE cannot develop relevant cybersecurity solutions in isolation and without input from government and industry -- collaboration and feedback from all interested stakeholders is critical to our success,” he said.

Edwards said Intercede is starting to have projects come through for delivering derived credentials.

“The logjam has been cleared,” he said, “and I think that this NIST report has played some part in that in giving agencies the confidence to say, ‘Yes, this is now a solution that can be deployed.’”