DOD tests contractors’ ID cards
The pilot program’s future could hinge on the question of who conducts background checks.
The Army is testing a program that allows contractors to use an identification card approved by the Defense Department to gain access to the service’s facilities and computers. The Army’s Materiel Command is running the Synchronized Pre-deployment and Operational Tracker program, known as SPOT, as a pilot project at Fort Belvoir, Va., in coordination with the nonprofit Federation for Identity and Cross-Credentialing Systems group — or FIXs — a vendor certified by that group, and others.“The ultimate goal is to give us visibility to the contractors in the battlefield,” said Col. Archie Davis, a spokesman at the Army command. “This goes a long way to solving that problem.”The project, which has been planned for several years, is one of the first in which DOD is participating in a federated identity management system with a private entity to verify identities for nongovernment personnel. The contractor ID cards are modeled after the federal employee identity cards developed under Homeland Security Presidential Directive 12.Federated identity systems enable portability of identity information across domains. Participants trust one another to properly verify identities and maintain various standards. In the Army pilot project, the trust is based on a 2006 memorandum of understanding between DOD and FIXs.The memorandum is rare because it allows a private entity to issue credentials for accessing federal facilities, said Raj Nanavati, partner at the International Biometric Group consulting firm in New York.But the Army’s motive is to create a scalable Web-based system to improve efficiency and save money in managing access for large numbers of contractors, who are difficult to track because they frequently change jobs and roles.If successful, the pilot project could spawn other credentialing projects at DOD and other federal, state and local government agencies, Nanavati said.Eventually, the SPOT program would be expanded to Afghanistan, Iraq and other military locations, Davis said. Initially, it is providing FIXs-certified credentials to about 3,000 contractors, according to the Army.Even if the pilot program succeeds, the prospects of its expansion remain murky because of lingering policy issues. Michael Mestrovich, president of FIXs, said one key unanswered question is whether DOD will accept a Level 3 card for which a FIXs-certified vendor performs the commercial background check. Level 3 is a lower level of access. For high-level credentials, the government performs the background check.“We are plowing new ground,” Mestrovich said. “For Level 3 credentials, the question is, ‘Can I trust your background check?’ I believe the government agencies are beginning to look at these federated solutions and whether they can accept them.”Other experts agree this is a key policy issue. “That is an important issue —whether the Army will accept a Level 3 credential” awarded by a private operation, said Bob Blakley, vice president of Burton Group’s Identity and Privacy Strategies Service.It also remains unclear whether the DOD/FIXs federated trust model can be converged with other federal credentialing programs, such as those sponsored by the General Services Administration, the E-Authentication program and the Federal Bridge Certification Authority. “Eventually, there will need to be convergence,” Mestrovich said. “We had hoped that the government would be further along in accepting the federated trust model.” Under the SPOT program, contractors may obtain a FIXs-certified credential from vendors that have been certified by the federation as having met all the requirements to operate one or more applications in federated identity management. That includes features such as biometric enrollment, card production, and data storage and security.FIXs, through a 2006 agreement with the Defense Manpower Data Center, is the conduit to the Pentagon’s credentialing networks. When a contractor presents a FIXs-certified credential to a card reader at a gate, the information is processed through the federation’s computer network.The FIXs identity credentialing network, founded in 2004, developed an identity trust model that is similar to the one that financial institutions use for automated teller machines. It is the only network certified to interoperate with the Defense Cross-Credentialing Identification System infrastructure, DOD’s credentialing network.The goal of FIXs is to improve efficiency in access control, said Kent Schneider, president of AFCEA International and a board member of FIXs. As a retired military officer, he has had many personal experiences with access control at the Pentagon headquarters in Arlington, Va., and other facilities.Since the 2001 terrorist attacks, outside contractors coming to work at many DOD installations are required to have escorts, which can be a laborious process, he said.“The Common Access Card is for government people and full-time contractors,” Schneider said. “The question is, what about the hundreds of thousands of people who are defense contractors? [FIXs] is a way to extend identification into the contractor community.”The federated identity model is “just beginning to get traction,” Schneider added. Although FIXs is the first group to take part in such an effort, he said he believes others are likely to be formedIn February 2008, FIXs certified its first vendor, WidePoint of Fairfax, Va., which is currently the only vendor authorized to issue FIXs-certified credentials. WidePoint is participating in the SPOT project through its subsidiary Operational Research Consultants.The FIXs network is processing several hundred SPOT credentials per month and hopes to work to several thousand monthly by January, Mestrovich said. He said two other vendors have applied to become certified as distributors of the credential.The SPOT pilot project has been achieving its goals, Davis said. “It is working well so far,” he said. “It is streamlining access to the installation and facilitating what contractors can do online.”
Lingering questions
Lingering questions
NEXT STORY: Buzz of the Week: Security on the mind