The Federation for Identity and Cross-Credentialing Systems ( FiXs) -- a little-known group of non-profits, government contractors, commercial entities, and government agencies -- has recently unveiled a first-of-its-kind global infrastructure to support distributed, integrated identity management and cross-credentialing across organizations. The implementation combines several existing security technologies along with a set of trusted models, policies, and operating rules to insure the accurate identity of personnel accessing physical sites or logical systems.
Already in a pilot mode at a handful of government agencies and defense contractors, the FiXs identity management initiative does not have a hard date for broad deployment, although the impediments do not appear to be technical. "The cultural gap with the public in general is still too wide," said Dr. Mike Mestrovich, President of FiXs. "I think there would have to be a public consensus to move us in that direction and I don't see that happening until at least 2009 or beyond."
Founded in 2004 and based in Virginia, FiXs counts among its members the Department of Defense (DoD), Wells Fargo, Lockheed Martin, EDS, and several others. Modeled after secure electronic payment systems and initially implemented by the DoD's Defense Manpower Data Center (DMDC), the FiXs initiative meets the objectives set forth in the October 2006 Homeland Security Presidential Directive (HSPD-12).
"Until now, cross-bordering policies between government and industry had not been established," said Mary Dixon, director at the DMDC. The FiXs implementation does not assign roles, grant or deny access, or otherwise act as a gatekeeper. Rather, the mission of FiXs is simply to authenticate the identity of participants within its member organizations. Once verified by FiXs, individual site managers and systems administrators assign or designate access controls based on the role of the individual and the policies of a given organization.
FiXs' capabilities allow it to cross between both public and private sector organizations using a federated trust model. The implementation is available worldwide in local or remote settings via both wireless and wired environments. Access is available in real time. An individual's specific identity data remains within their vetted source organization.
"By its very nature, the federated solution aids in privacy because there is no central database and individual data can be stored in only one vetted place," Dr. Mestrovich said. Yet the distributed design and cross-organizational model found in the FiXs implementation does offer the possibility of a future national or international identity management system that might cross borders and organizational boundaries. "The federated approach can actually take the place of a mandated National ID system," Dr. Mestrovich stated.
Still, the head of FiXs does not see a national or international identity management implementation as a near-term reality for a couple of reasons. First, no schedule has been defined to implement such a system on the federal, state, or local level, let alone among the broader private sector. "We are speaking to a couple of States about using FiXs, but no timetable has been set," Dr. Mestrovich said.
More to the point, even though the federated identity management approach could power a national or international system, policy and implementation agreements would be needed among federal, state, and local government agencies as well as corporate governance boards, civil libertarians, foreign governments, and the population at large.
The initial DMDC pilot leverages the trust model, operating rules, policies, and security defined by FiXs and it can be considered a reference implementation. Several technologies underpin this early federated identify management and cross-credentialing deployment. Among these is the Common Access Card (CAC), which contains individual information housed in a barcode and within an integrated circuit chip. The card is used to secure both physical sites and for systems access.
In this implementation, CAC is combined with the Defense Biometric Identity System (DBIDS) to accurately identify personnel -- whether full time employees (FTEs) or contractors. Beyond CAC and the DBIDS, FiXs also includes cross reference capabilities that include photographs, textual, and fingerprint data. Industry standard encryption is used to secure the identity management process.
The FiXs organization currently has just under thirty member organizations, but the group is open to additional members. With this early implementation, group members can help to shape identity management policies and technologies as FiXs begins to be leveraged by a broader number of public entities and private sector firms.