Smart Card Talk : August 2010 : Feature of the Month

First Responder Authentication Credential

In the wake of 9/11 and Hurricane Katrina, U.S. homeland security professionals learned that responding to a disaster requires a multi-disciplinary response team including law enforcement, firefighters, medical professionals, and critical infrastructure workers. These emergency responders represent a broad array of disciplines within the local and state emergency management organizations and it is crucial for the incident command to recognize, in real-time, the certifications and abilities of each individual responding to the incident.

The Office of National Capital Region Coordination coordinated a major initiative to leverage a smart card identity system (the First Responder Authentication Credential) for emergency response officials (EROs). These smart cards would provide first responders from across the region with the ability to quickly and easily access government buildings and reservations in the event of a terrorist attack or other disaster. The initiative was designed to remedy access problems such as those encountered by state and local emergency officials responding to the 9/11 attack on the Pentagon.

The First Responder Authentication Credential (FRAC) is a secure and interoperable identity credential designed for the emergency management community. NIST, DHS and the Federal Emergency Management Agency (FEMA) have worked together to specify the recommendations for the FRAC card for all emergency responders nationwide. Adherence to these recommendations ensures a common framework to trust the identities and capabilities of those emergency response team members arriving at incidents to assist during emergencies.

The FRAC is an excellent example of the use of a PIV-interoperable credential. By leveraging the US Government FIPS-201 Personal Identity Verification standard, and the accompanying PIV-interoperable guidance from the CIO Council [1], interoperable identity verification is achieved among federal, state, local, non-profit and commercial organizations responding to an incident.

Under DHS National Incident Management System (NIMS) draft credentialing guidelines, three distinct and necessary components are required for an emergency responder credential:

At an incident scene, it is imperative to accurately verify both a person’s identity and KSAs . In locales around the country, there are regular news and online stories of individuals pretending to be a police officer or a firefighter or an emergency medical technician. Official-looking badges and clothing are available for purchase via catalogs and websites and, during the high intensity of a disaster, these fraudulent items can fool even the most experienced veteran responders. Unfortunately there are also cases where valid emergency responders are detained or delayed because they do not have an easy way to establish identity or KSAs at a checkpoint.

A person’s identity can only be trusted if it’s confirmed, issued and verifiable via a trusted issuing source. The NIMS has published the resource typing categories and certifications for Emergency Support Functions (ESFs) and National Infrastructure Protection Plan (NIPP). States and jurisdictions are required to identify and maintain lists of individuals who have the correct training and certifications for each of these NIMS categories. Privileges granted at an incident depend upon knowing the emergency responder’s ESF codes or NIPP sectors, training, certifications and licensure information.

FRAC Demonstrations

“Public Law 110-53: Implementing Recommendations of the 9/11 Commission Act of 2007,” was introduced into Congress on January 5, 2007 and signed into law by the President on August 3, 2007.[2] Under Public Law 110-53, FEMA, in collaboration with the Department of Health and Human Services (HHS), is responsible for creating credentialing and attribute guidance for emergency response across the nation. The first step is to establish federal preparedness, to be followed by outreach to state and local communities, the critical infrastructure communities, and the volunteer communities.

During the development of Public Law 110-53 and after its inception, several demonstrations were held to test the credentialing and attributes of the various emergency response communities. These demonstrations were named Winter Fox (February 2006), Winter Storm (February 2007), Summer Breeze (July 2007), Winter Blast (March 2008), Spring Blitz (May 2008), Summer Sizzle (July 2008), Autumn Rush (October 2008), and Spring Ahead [3] (May 2009).

All early adopter organizations issuing FRACS to date are issuing dual-interface or tri-interface smart cards with PKI credentials, with some including magnetic stripes or bar codes for legacy system compatibility.

The table below provides a brief synopsis of each demonstration objectives and participating organizations.

FRAC Demonstration Summary
Name and Date Description and Objectives Participating Organizations [4]
Winter Fox
Februrary 2006
Multi-agency demonstration to test:

  • Interoperability and usability of FIPS-201 smart cards, and
  • Standardized electronic identity verification for various levels of perimeter security at all demonstration sites regardless of agency affiliation
Department of Homeland Security Office of National Capital Region Coordination

DoD Pentagon Force Protection Agency (PFPA)

State of Maryland

Commonwealth of Virginia

Northern Command Headquarters (NORTHCOM)
Winter Storm
February 2007
Multi-agency demonstration to test:

  • Validation of credentials issued by a wide range of organizations including the FRAC, and other government recognized identity credentials such as TWIC, Mariner Administrative Card (MAC), the DoD CAC (which includes the National Guard population) and driver’s licenses
Department of Homeland Security Office of National Capital Region Coordination

Pentagon Force Protection Agency

Commonwealth of Virginia

Commonwealth of Pennsylvania

State of Maryland

Southwest Texas Regional Advisory Council for Trauma (STRAC)
Summer Breeze
July 2007
Multi-jurisdictional demonstration to test:

  • Just-in-time issuance of credentials to responders and critical infrastructure and key resources (CIKR) from NIPP Sector 2: Banking and Financial Services
DHS FEMA Office of National Capital Region Coordination (NCRC)

DoD Pentagon Force Protection Agency (PFPA)

Various Federal government agencies

NIPP Sector 2: Banking and Financial Services

State of Maryland

State of Delaware

Commonwealth of Virginia

Commonwealth of Pennsylvania
Winter Blast
March 2008
Coordinated demonstration between FEMA and HHS for PL 110-53 and credentialing of medical response teams focusing on credentialing and identity validation in communications-disrupted (“comms out”) environment

Four different scenarios were tested including:

  • Electronic validation of state emergency volunteers and mutual aid EROs,
  • Ingress of Federal and mutual aid EROs,
  • Assembly at a rally point for continuity of government (COG), and
  • Egress to relocation sites. DHS FEMA Office of National Capital Region Coordination (NCRC)

Department of Health and Human Services (HHS)

Commonwealth of Pennsylvania

Commonwealth of Virginia

ESF 8: Health and Medical Services Providers

NIPP Sector 2: Banking and Financial Services
Spring Blitz
May 2008
Multi-jurisdictional demonstration to test large-scale events and hurricane preparedness, focusing on:

  • FIPS 201 electronic validation of designated EROs at demonstration site simulating disaster area access control points
  • Public-to-public and private-to-public mutual aid multi-jurisdictional interoperability
  • Driver’s license (DL) electronic verification at demonstration site simulating hurricane reentry access control points
  • Near real-time geospatial display of human resource situational awareness
  • Post-event reconstruction for accountability, traceability and liability of all personnel who were granted access
More than 25 organizations participated including:

DHS FEMA Office of National Capital Region Coordination (NCRC)

City of Tampa

National Football League
Summer Sizzle
July 2008
Multi-jurisdictional demonstration to test:

  • Just-in-time issuance
  • Electronic validation of ESF 8, “Public Health and Medical Services,” mutual aid EROs to include HHS/FEMA-approved subcategory skill sets
  • Electronic validation of Federal/state/local mutual aid EROs
  • Electronic validation of critical infrastructure/key resources (CI/KR) mutual aid EROs.
DHS FEMA Office of National Capital Region Coordination (NCRC)

Department of Health and Human Services (HHS)

Commonwealth of Virginia

George Washington University Hospital
Autumn Rush
October 2008
Multi-jurisdictional demonstration to test:

  • Electronic validation of participants using PIV-interoperable credentials including: DoD-issued CACs, federal-issued PIV cards and state-issued FRACs
  • Validation of driver’s licenses
  • Real-time geospatial display of participants for situational awareness
  • Electronic manifest for post-event reconstruction
 
Spring Ahead
May 2009
Multi-jurisdictional demonstration to test seven scenarios:

  • Relocation of essential government personnel via air, water and land assets
  • Just-in-time credential issuance
  • Routine and emergency access into seaports
  • Federal and mutual aid out-of-area ingress for disaster response
  • FIPS 201 transition technology (PIV-I)
  • Citizen evacuation / post-disaster re-entry / shelter-in-place
More than 30 organizations, in 20 locations across the United States simultaneously participated, including:

DHS FEMA Office of National Capital Region Coordination (NCRC)

Department of Health and Human Services (HHS)

District of Columbia

Commonwealth of Virginia

Commonwealth of Pennsylvania

State of Colorado

State of Hawaii

State of Illinois, Terrorism Task Force

State of Utah

State of West Virginia

George Washington University Hospital

NIPP Sector 2: Banking and Financial Services

FRAC and PIV Interoperable Credentials

In late 2009, the Command, Control and Interoperability (CCI) Division within the Science & Technology (S&T) Directorate, the FEMA Office of National Capital Region Coordination (NCRC), and the FEMA Office of Security (OS) partnered to convene the PIV-I/FRAC Technology Transition Working Group (TTWG). The TTWG is composed of state and local emergency management representatives, many of whom have already implemented innovative and secure identity management solutions in their own jurisdictions. Local and state participants in the work group include Colorado, Maryland, Virginia, District of Columbia, Missouri, Southwest Texas, Pennsylvania, West Virginia, Hawaii, and Illinois. The working group is focused on exploring PIV interoperable (PIV-I) credentials as the standard that will enable interoperability between local and state emergency response officials.

The FRAC is one usage scenario of the PIV-I credential which is successfully driving adoption in the state, local and commercial sectors. Early adopter organizations issuing FRAC/PIV-I cards to date have attempted to closely align with the maturing PIV-I recommendations to ensure current and future interoperability and trust. In some cases, such as the Commonwealth of Virginia, early pilots for issuing “PIV-like” cards generated feedback to the federal community which was used to help define the PIV-I recommendations.

Early adopter organizations have also been leveraging the PIV-I technology for a range of additional applications in-development and pilot phase. Some of these applications closely mirror the Federal Identity, Credentialing and Access Management (ICAM) objectives, with an added benefit of extended focus on daily usage external to an enterprise. A sampling of the population of credentials issued and applications implemented includes:

The following sections provide sample case studies from two of the states currently deploying FRAC/PIV-I credentials.

Commonwealth of Virginia First Responder Authentication Credentials [5]

EROs from across the region were present at the Pentagon site on 9/11, including EROs from Arlington County and the City of Alexandria. Immediately following the attacks, onlookers were able to mingle with rescuers. This presented a serious challenge for incident commanders–to make sure that only credentialed EROs had access to the most sensitive areas. It became evident that a credentialing process was needed to simplify this effort in the future.

In February 2007, as part of the DHS National Capitol Region (NCR) First Responder Partnership Initiative, the Virginia Department of Transportation and Commonwealth of Virginia began issuing FRACs. The Virginia FRAC identity proofing and registration processes follow FIPS 201 as closely as possible for a non-Federal entity and use products from the FIPS 201 GSA Approved Products List. The design of the Virginia FRAC card was also based upon FIPS 201.

The goal of the FRAC initiative, now being deployed in the NCR and Hampton Roads area, is to provide state and local EROs with a new, Federally-approved PIV-interoperable smart credential designed to achieve the following:

Using a wireless handheld device, commanders at an incident scene can read and validate data from the FRAC and authenticate the ERO’s identity and attributes.

Among the first localities in Virginia to be issued the new FRACs were Arlington County and the City of Alexandria. Virginia is now working on a FRAC deployment in the Hampton Roads region. This deployment includes eight locations for the biometric enrollment and issuance of PIV-interoperable credentials, 39 handhelds for offline credential validation and 11,495 FRACs. [7]

Colorado First Responder Authentication Credential

Colorado identified as a high priority the need for an interoperable first responder credential. The Colorado first responder authentication credential (COFRAC) initiative provides the ability to electronically validate the identity and the knowledge, skills and attributes of those who are required–or volunteer–to respond to natural or man-made disasters or acts of terror.

In June 2007, a Statewide Credentialing Working Group was formed, chaired by the Governor’s Office of Information Technology (OIT). This Working Group, comprised of individuals at the State, regional and local levels, developed a program that addresses the needs of Colorado, while being mindful of the Federal standards and the need for interoperability with Federal agency responders. The overall goal of this working group was to provide recommendations for a common identification standard for State and local first responders that promotes interoperable first responder credentials across the State and:

The COFRAC standard is focused on incident management and interoperability, and does not specify access control policies or requirements for State departments and local agencies. State and local departments and agencies were encouraged, however, to investigate how the FRAC technology can be leveraged for both physical and logical access.

The Colorado credentialing standard was published in April 2008.

Colorado’s North Central Region (metropolitan Denver area) began its COFRAC deployment in October 2008 with plans to issue between 10,000 and 15,000 FRACs in the North Central Region. [9]

References and Notes

[1]: Personal Identity Verification Interoperability for Non-Federal Issuers, CIO Council, May 2009

[3]: “Electronic Designation and Validation of Federal/Mutual Aid Emergency Response Officials (F/EROs) in support of National Preparedness,” Craig Wilson, FEMA, presentation, CTST 2009, May 2009

[4]: The participating list of organizations is a summary list only. Additional organizations and jurisdictions may have participated in each exercise.

[5]: Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Smart Card Alliance white paper, October 2008

[6]: Virginia First in Nation to Issue New First Responder Credentials, Government Technology, March 13, 2007

[7]: “Commonwealth of Virginia First Responder Authentication Credential (FRAC) Program,” Mike McAllister, Governor’s Office of Commonwealth Preparedness, Smart Cards in Government Conference, October 2009

[8]: Colorado State First Responder Authentication Credential Standards: Best Practice Standard, Colorado Governor’s Office of Information Technology, April 10, 2008

[9]: First Responder Credentials Expedite Access, NLECTC TechBeat, Winter 2010

About this Article

This article was developed as an implementation profile for the Smart Card Alliance Certified Smart Card Industry Professional (CSCIP) program. The Smart Card Alliance thanks LaChelle Levan, Probaris, for providing content for the profile.