Thread: hspd-12 and ffiec

hspd-12 and ffiec
user name
2006-04-06 11:44:03
NIST has put out some PIV card guidelines over the past couple of months.
I haven't looked at them, but they are up on
http://csrc.nist.gov/publications/nistpubs/index.html


SP 800-85A just came out.  I had it in my inbox.  "PIV Card Application
and Middleware Interface Test Guidelines"

This is the official announcement.  You can sign up to get these on the
NIST CSRC website.

"NIST is pleased to announce the release of NIST Special Publication
800-85A, PIV Card Application and Middleware Interface Test Guidelines
(SP800-73 Compliance). This document provides Derived Test Requirements
(DTR) and Test Assertions (TA) for testing the PIV Card Application and
PIV Middleware interfaces for conformance to specifications in SP 800-73
(Interfaces for Personal Identity Verification). The Guidelines are to
be used by the developers of software modules and testing laboratories.
SP 800-85A is the first of the two documents (the other one is SP
800-85B to be released shortly) that will replace SP 800-85 released in
October 2005."

I don't know the authority for it (I'll research it if somebody really,
really, really needs to know) but every government system is subject to
an "E-Authentication Assessment" which is similar to the mode of
operation (system high, multi-level, dedicated, etc) used in DITSCAP and
DCID 6/3.  In fact, if anyone is working with DHS and is interested,
I'll send them the spreadsheet they use to determine their
E-Authentication level.

HTH
--Mike


Michael J Smith, CISSP-ISSEP michael.j.smithunisys.com
Information Security Architect
703.419.3109 W
491.3109 N
703.855.0890 C
"Those who do not understand Unix are condemned to
reinvent it, poorly."

--Henry Spencer

> -----Original Message-----
> From: Mark Curphey [mailto:markcurphey.com]
> Sent: Thursday, April 06, 2006 6:52 AM
> To: anthony.cicallabankserv.com; psrcsecurityfocus.com
> Subject: RE: hspd-12 and ffiec
> 
> 
> http://www.ffiec.gov/pdf/authentication_guidance.pdf looks like it is still
> in draft.
> 
> I think the key here is the sentence
> 
> "....where risk assessments indicate the use of single factor is inadequate
> financial institutions should implement multi-factor authentication"......
> 
> So it's all back to the risk assessment. I would suspect if you have a good
> track, implement other appropriate measures to detect identity management,
> have appropriate controls around user management and monitoring your risk
> assessment *may* well determine the risk justifies single factor OR of
> course multi-factor but I am not sure it's "mandated".
> 
> As for HSPD-12 I am not sure but I suspect I know a man who would follow
> such things. Earl?
> 
> 
> -----Original Message-----
> From: anthony.cicallabankserv.com [mailto:anthony.cicallabankserv.com]
> Sent: Thursday, March 30, 2006 1:51 PM
> To: psrcsecurityfocus.com
> Subject: RE: hspd-12 and ffiec
> 
> I am attempting to find out about how hspd-12 would affect ffiec client
> authentication methods.  Below is his question and I am just looking for
> some outside input.  I found hspd-12 but it looks to me as if it's just a
> mandate to get a uniform security identification card for all agencies.
> 
> What I'm most interested in is how this would impact us on the user
> authentication front.  Specifically, we have heard a claim that there will
> be new requirements coming from the Fed with respect to strengthened
> authentication requirements.  I know that FFIEC has mandated
> multi-factor authentication but we heard someone else touting that the
> HSPD-12 required strong authentication for information systems.
> I couldn't find that in any of the supporting materials.
> 
> Thanks in advance for all input on this.
