What NASA’s PIV Smartcard Means to You!
By Leslie Cahoon, Service Executive—Identity, Credential, and Access Management, and Rob Winters, ICAM Engineer
With sophisticated password-cracking programs commonly available, passwords alone provide little security in today’s information technology environment. This is especially true if hackers gain access to systems where user names and passwords are stored. Federal smartcard credentials such as personal identity verification (PIV) cards provide multifactor authentication features that mitigate these threats, as well as digital signature and encryption capabilities. This permits workers to access Federal information systems with a much higher level of assurance.
Under the GPRA Modernization Act of 2010, the Executive Office of the President has issued several Cross-Agency Priority (CAP) goals to Federal agencies. The Office of Management and Budget (OMB) Memorandum 11-11 tasked agencies to achieve 95 percent utilization of PIV smartcards for authentication to information systems by the end of 2014. An interim goal assigned to NASA is to achieve 20 percent utilization of PIV smartcard authentication to Windows systems by October 2013. NASA began an Agency-wide Mandatory PIV Use Pilot Program for Windows workstations in November 2012. Currently, there are approximately 240 pilot participants. Beginning in July 2013, each NASA Center will implement its own early adoption program. The Agency will then begin incremental deployments to mandate the use of PIV smartcards on approximately 9000 Windows desktops and laptops by the end of FY 2013. This will meet NASA’s commitment to OMB and put us on the road to full PIV smartcard compliance.
PIV Smartcard Benefits
• Your PIV smartcard uniquely identifies you, right down to your fingerprints.
• Two factors are required to access your computer: your PIV smartcard and your PIN.
• No password will fall into the wrong hands and be shared across the Internet.
• Your PIV smartcard can be easily disabled if lost or stolen.
• You never have to change your PIN (although you can if you want to).
• Once you log in, most enterprise applications admit you without another login.
• There are no multiple usernames and passwords (for compliant applications).
• Eventually, the PIV card will replace the RSA token as well.
• One card for guard gate, turnstiles, doors, login, encryption, and signing.
The initial mandatory PIV smartcard use project has several limitations. Only the Windows 7 operating system will have the security controls in place at this time. Workstations used by NASA workers without PIV cards will be exempted, as will workstations whose function would be impaired by the security controls. Because the restriction itself is on computers and not user accounts for now, you will still have an NDC domain username and password to access noncompliant applications and systems, and you will still need to maintain that password. In the future, all systems and applications will use the PIV smartcard, and you will no longer need a username and password.
After Windows workstations are secured with the PIV smartcard, follow-on projects will be launched to tackle technical barriers to expanded use of the PIV smartcard. These include smartcard login for Macintosh and Unix computers; a strong password-free authentication solution for mobile devices; and unified smartcard capabilities for e-mail, virtual private networks (VPN), wireless LAN, and all other NASA applications and services. Eventually, the PIV smartcard will provide authentication to all systems, networks, and services, as well as guard stations, turnstiles, and electronic door locks. The NASA PIV smartcard will also be enhanced in 2014 to securely hold encryption and signing certificates that cannot be copied from the PIV smartcard. These certificates are currently installed in the Entrust program on your computer and can be easily copied to a USB drive or other media.