Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery
Emergency response officials (EROs) require a means of identifying themselves and their abilities (skill sets and attributes) for daily access to work locations and sites during routine and emergency situations or special events. This need extends to all emergency response communities and applies both in their local areas and across the nation, as EROs are asked to provide support during national disasters and other emergency situations that may not be in their local jurisdictions. There are strong drivers to move from a flash-pass and paper-laden environment to one that uses a machine-readable credential with a fast, secure electronic validation process that works in all environmental conditions, even when neither power nor communication capabilities are available.
Secure and trusted identification credentials achieve two goals. First, they enable EROs to perform day-to-day activities efficiently, by providing access to facilities, locations, and information. Second, they provide identity authentication with a high assurance level during emergency response and recovery activities. The need for identification credentials that can be used every day and also be leveraged in an emergency on “the” day has been highlighted by a number of high-profile events, including the September 11 attacks and Hurricane Katrina. The lack of electronically verifiable credentials that could be trusted across multiple jurisdictions was a major problem identified in both the 9/11 and Katrina Congressional post-incident reports. Standards need to be established to enable multi-jurisdictional trust in credentials used by EROs, both now and in the future. To address this issue, this white paper presents an ERO credential model that is based on Federal Information Processing Standard 201 (FIPS 201).
In both daily activities and emergency situations, it is necessary to quickly and unequivocally establish who is requesting access and what the ERO is allowed to do based on their certified skill set (e.g., medical personnel, law enforcement officer, firefighter). Without the ability to identify and qualify individuals with a high level of assurance, the response and recovery effort can be compromised, affecting the economic and human impact and the ability to return to life as normal. The need to answer these two basic questions is a primary driver for the implementation of a secure and trusted identification credential for EROs and an efficient infrastructure to support and sustain the credentialing process.
FIPS 201 and ERO Credentials
The goals for ERO credentials go hand in hand with the mandate established by Homeland Security Presidential Directive 12 (HSPD-12), which applies to employees and contractors of the Executive Branch of the Federal Government. Issued on August 27, 2004, this directive called out the need “to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification.” The directive specifically calls for the use of a common identification credential for “gaining physical access to Federally-controlled facilities and logical access to Federally-controlled information systems.”
As a result of this directive, the National Institute of Standards and Technology (NIST) published FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, initially issued on February 25, 2005 and updated to FIPS 201-1 in March 2006. FIPS 201 defines the identity vetting, enrollment, and issuance requirements for the identity credential, as well as the technical specifications for the PIV card.
FIPS 201 provides a set of technical standards and policies that can be leveraged to provide secure ERO identification credentials. An ERO credential that is technically compatible and interoperable with FIPS 201 will help establish and verify identity and link identity with attributes electronically, facilitating management of EROs during incidents and special events. The credential can also support a number of physical access use cases, from allowing site controllers to make command decisions based on trusted information to enabling individuals to use the credentials for equipment management. For an ERO credential to be used in these scenarios, the credential must conform to a common trust model. This model must rely on common processes for vetting, enrollment, issuance, attribute management, and training, and also provide the ability to audit compliance with these processes so that the trust model is established among ERO credential issuers.
The Federal Emergency Management Agency (FEMA) is required by H.R. 1 to implement an infrastructure capable of supporting much of the ERO community in the United States. Setting a credentialing and typing standard that will enable trust and interoperability of identity and ERO roles is a requirement. The use of a standard such as FIPS 201 enables the trust environment that is desired to address the needs of the 9/11 and Katrina post-incident reports. For this reason, and to achieve the benefits cited above, FIPS 201 credentials should be the de facto foundation for an ERO credential.
This white paper was developed by the Smart Card Alliance Identity Council and Physical Access Council after discussion with DHS personnel to understand the complexities of trusting identity credentials at disaster response and recovery scenes. The white paper assesses how technology and processes can support achieving a high level of assurance in the identity of resources on hand to enable rapid decision-making by incident scene commanders on both a local and national scale.
This white paper answers the following questions:
- What are the primary requirements for ERO credentials and how does FIPS 201 help to meet these requirements?
- How can FIPS 201-based ERO credentials be used for both emergency response and recovery and for daily access to physical facilities and online resources?
- What are the benefits of using FIPS 201 smart card-based identity credentials?
- What ERO credentialing programs have been demonstrated or piloted by DHS and the states?
The white paper presents use cases for ERO credentials that take advantage of the standards and investment that result from FIPS 201 and describes First Responder Authentication Credential (FRAC) demonstrations and pilots that DHS and state and local governments have implemented. Use cases discussed include:
- Identity and attribute management
- Emergency response, including incident scene access and incident scene tracking
- Physical access to facilities
- Inventory control and equipment access
- Continuity of operations and emergency operations center (EOC) access
- Logical access to networks and information systems
- Mobile command centers
- Secure email communications
The Smart Card Alliance encourages organizations that are involved in the important role of emergency response and recovery and that are now reviewing their identity, access, and credentialing requirements to consider a FIPS 201 smart card-based credential as the foundation for their credentialing programs.
About the Smart Card Alliance Identity Council
The Smart Card Alliance Identity Council is focused on promoting the need for technologies and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.
About the Smart Card Alliance Physical Access Council
The Smart Card Alliance Physical Access Council is focused on accelerating the widespread acceptance, usage, and application of smart card technology for physical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the physical access industry and that will address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software and reader vendors; physical access control systems vendors; and integration service providers.
Identity and Physical Access Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.