8:00 a.m.
Continental Breakfast & Exhibits

8:30 a.m.

Chairpersons' Opening Of Day Two & Presentation:
Why Identity Management – It's Not Just About Security

Making identity management important to the average person means making it personal. There are few things in today’s world that represent a more clear and visceral threat to individuals than identity theft. If the problem was, as many people think, limited to credit cards, it wouldn’t be much of an issue. The fact is that anything that you can do in your name… so can someone else.

Your whole life may crumble when someone uses your name to get healthcare (how many million people are without coverage?) and you are denied coverage because of what they did. What happens when an illegal immigrant uses your SSN to get work (an unintended consequence of eVerify) and you don’t report their income to the IRS? Perhaps it is that when you retire and find that someone is already collecting your Social Security benefits that it becomes important.

The fact is, many of the issues relating to identity theft do or will come back to the government to solve. In this session, we will discuss:

• What identity theft really is and why it matters
• The importance of how the government responds
• What happens when things go wrong
• Ways to move forward based on effectiveness, not perfection

James D. McCartney, Identity Management and Privacy Consultant
DELOITTE & TOUCHE, LLP

9:40 a.m.

Implementing HSPD-12 Provisions On A Shoestring Budget

The U.S. General Services Administration started their credential management program using an Access database with scripts to import required data from its HR system.  The little Access database grew into a web application that required the Personal Identification Verification Credential (PIV Card) for login.  The CIO Council’s Logical Access Working Group assisted many small agencies in getting their systems ready for mandatory usage of the PIV Card in Federal Information Security Management Act (FISMA) reporting.  What these and other projects have in common is that they were all implemented without costly third-party packages.

Attend this session and learn how your agency can implement a credential management project at a low cost.  Specifically, you will learn:

• Pre-implementation planning requirements
• How networks can implement smartcard login without costly add-on packages
• How web applications can use client certificates for identity verification using only what is built into the web server operating system
• Which pieces of an entire solution can be implemented separately – it doesn’t have to all happen at once

William Erwin, Program Manager
Identity, Credential & Access Management Office
U.S. GENERAL SERVICES ADMINISTRATION

10:25 a.m.

Morning Networking Break & Exhibits

10:45 a.m.

Identity Assurance Using Smart-Card Access Control And Multi-Modal Biometrics

The Pentagon Force Protection Agency (PFPA) is responsible for the physical security needs of the Pentagon reservation, Mark Center (under construction) and National Capital Region (NCR) facilities. The Concept of Operations was developed with a goal to transition to a FIPS 201-1 compliant Physical Access Control System (PACS). The existing PACS at the Pentagon reservation itself has over 7,000 card readers, 2,100 control panels and 90,000 active cardholder records. The future PACS will support the required identity assurance levels using smart card-based access control and multi-modal biometrics.

The goal of the PFPA HSPD-12 program is to leverage best practices and technology to ensure all personnel are correctly identified and authorized to access the resources of the Pentagon, including:

• Leveraging the mechanisms provided by the CAC to increase security
• Assigning a single identity per person for all activity in Pentagon
• Biometrically binding people to their identity
• Automating processes and reducing paperwork through the use of digital signatures
• Electronic accountability of all personnel – no more “flash” pass

This session will discuss the particular processes PFPA followed to prepare for HSPD-12 FICAM implementation, including:

• Developing requirements
• RFI’s to industry
• Developing a roadmap for implementation
• Product testing
• Concept of Operations, Standard Operating Procedures, lessons learned
• Education & Awareness
• Creating a training plan
• Budgeting

Lemar Jones, Director, Antiterrorism/Force Protection Directorate
PENTAGON FORCE PROTECTION AGENCY

11:30 a.m.

How To Leverage Cross-Agency Investments And Achieve Multiple Security Functions Using An External IT Vendor

The U.S. Department of Education’s Office of Management (OM) along with the Office of the Chief Information Officer (OCIO) jointly formed an Integrated Process Team (IPT) to develop, design and field a two-factor credential/token based on the already developed and fielded HSPD-12 / FIPS 201 compliant PIV credential. After OM initially addressed the physical access control (PACS) requirements of the standard, the OCIO reached out to leverage the PIV credential for the development of Logical Access control (LACS) capabilities. Adding an additional layer of complexity to the challenge, was that the Department’s IT infrastructure and environment was owned and operated by an external IT vendor. Key to the successful implementation of the LAC’s program, as well as the Enterprise Identity Management architecture, was the ability to develop the relationships necessary to leverage the Department’s Windows Active Directory platform, as the source for PIV authentication and end-user verification.

• Formalization of departmental interagency roles and responsibilities
• The importance of a pre-issuance specification
• Obtaining senior leadership buy in
• Negotiations - union participation and acceptance
• Choosing the right service provider – one that is committed to your success and not just sales
• Developing a wide ranging and often repeated communication plan
• Policy development at the same pace as the development and fielding of the technology
• Limited duplication of work between physical and logical activities - true capitalization and maximization of our investment

Winona Varnon, Principal Deputy Assistant Secretary, Office of Management
Phillip Loranger, Chief Information Security Officer and Acting Director for Information Assurance, Office of the Chief Information Officer
U.S. DEPARTMENT OF EDUCATION

Join a small group of your colleagues for lunch with an informal discussion facilitated by one of our expert speakers. Take this opportunity to join others in a small, interactive group setting to network and brainstorm solutions to your most pressing identity management concerns.

1:45 p.m.

Panel Discussion: The IT Industry's Perspective On Identity Credentialing

Hear expert representatives from leading companies in the IT industry discuss and share their perspective on identity credentialing, including:

• Identity management standards put in place for Federal employees
• Establishing interoperability with external communities
• How their companies have incorporated those standards into their
  product line and strategy

Moderated By:
Tim Baldridge, Computer Scientist
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

Panelists:
Dominic Fedronic, CTO
ACTIVIDENTITY

John Biccum, Security Strategist
MICROSOFT

John Landwehr, Director, Product Management
ADOBE SYSTEMS INCORPORATED

Tom Greco, Director, Vertical Solutions
VERIZON

2:45 p.m.

Afternoon Networking Break & Exhibits

3:00 p.m.

Program And Architectural Perspectives In The Evolution Of ICAM:
A NASA Case Study Of A Post HSPD-12, Second Generation Framework

Attend this session and receive the inside story on NASA’s experience with HSPD-12 compliance from the Federal ICAM Architecture Working Group’s Co-Chair.  You’ll hear about what NASA has accomplished thus far, what they hope to do in the future, and plans to improve their efforts the second time around.

Key takeaways will include:

• Identity Life Cycle Management (Independent of Credential and Access)
• Credential Life Cycle Management (including PIV and non-PIV, with plans to accept other Agency PIV, PIV-I and other credentials)
• Access Management (provisioning and de-provisioning of access, continuous risk based access management determination)
• Access Control Enforcement (Where is the policy decision point of enforcement?  Is it in or beyond the scope of ICAM?)

Tim Baldridge, Computer Scientist
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

3:45 p.m.

Redundant Security Credentials: How Interoperability Can Reduce Costs And Improve Efficiency

Various mandates in the Patriot Act, the Maritime Transportation Security Act, and other relevant pieces of post-9/11 legislation have demonstrated that background vetting will play a significant role in the transportation of goods by air, ocean, truck and rail for the foreseeable future.  Utilizing sundry legislative mandates, agencies have created a balkanized security credentialing regime—sometimes even for multiple vetting programs operated out of a single agency. 

This session will focus on the various security credentialing programs in the transportation industry, the similarities between their vetting requirements, and how their lack of integration has dealt harm to the U.S. economy.  Multiple credentials will be examined, but the presentation will focus upon two specific credentials issued by the Transportation Security Administration: the Hazardous Materials Endorsement for the Commercial Drivers License and the Transportation Worker Identification Credential (TWIC) and one issued by the U.S. Customs and Border Protection: the Free and Secure Trade card.

Specifically, you will learn:

• The similarities in vetting requirements and physical/machine readable zone(MRZ)/biometric qualities embedded in each credential
• Processing multiple credentials for one employee
• Opportunities to save federal funds and manpower by instituting interoperability between the various credentials

4:30 p.m.
Chairpersons' Recap: Key Takeaways And What To Do When You Get Back To The Office

We'll recap the highlights of the past two days and ask you to share key insights and next steps with the group.