After nearly two years of work, the Justice Department has shown that controlling which federal, state and local law enforcement officials can access specific data online is both possible and beneficial.
Through the back-end attribute exchange, agencies can have a standard way for different organizations to safely and securely share data.
DoJ’s successful demonstration of identity management and access control is now drawing interest elsewhere: other federal, state and local agencies are eyeing how they could use the concepts behind the back-end attribute exchange (BAE).
“We want to practice responsible information sharing by ensuring the correct attributes and ease of doing it. If it’s not easy, it’s not useful,” said Mike Kennedy, the executive for assured interoperability for the Program Manager of the Information Sharing Environment (PM-ISE), in an exclusive interview with Federal News Radio. “With the ease of this, it makes providing attributes for the officers or for the agents or for the analysts or whomever is using it, it’s transparent for them that the attributes are being provided and it’s not difficult for them so they are more inclined to use it. Once it’s in, then it’s automated and required, and it protects your information from being disclosed to people who don’t have the attributes that are required in order to get it. So in that case, it’s perfect for safeguarding.”
The BAE is a standard or specification that provides a way for agencies to share information securely through the use of identity management and access control procedures.
Under the DoJ pilot, federal law enforcement officials shared data in the gang tattoo database with state and local police officers in Texas through the Regional Information Sharing System (RISSNet) program.
Kennedy said dozens of agencies took part in the pilot that lasted a few days with a goal of validating whether the BAE could work in real-world circumstances.
“It’s more of the fact it was a proof of what was being piloted all along was ready to go operational,” he said. “We proved BAE is ready to go operational at this point in time. We proved we could retrieve, were able to pass along information and were able to rely on the information they got.”
During the pilot, Texas Department of Public Safety users took an online course in order to qualify for the attribute to access the secured data.
“RISSNet hosted the protected information and relied on the attribute that Institute for Intergovernmental Research provisioned to the Texas DPS users in order to allow or deny access to the resource,” Kennedy said. “In other words, that attribute would let the folks know automatically whether or not the user who was requesting the information had the privileges and the rights to do it. In addition to protecting and doing responsible information sharing, it has a key for privacy and civil liberties protections because it only provides the information that’s required and not a conglomerate of information.”
The communication between the officer and RISSNet is automatic and invisible to users. If a police officer stops a suspect who has a tattoo the officer thinks is gang related, the officer can query RISSNet to see whether the suspect is wanted for a crime and, if so, make an arrest on the spot.
Previously, Kennedy said, officers had to push paper, make phone calls and fax requests to get the same data, a cumbersome and time-consuming process.
“With the BAE, all attributes don’t have to reside on all computers in all networks. The attributes can be maintained by a third party somewhere else,” he said. “When the request for information goes in, the owner of the information can send out a query to ask if this person has the required attributes to have access to this information. The query will go out to whomever holds the attribute, then the holder of the attribute will return it to the person who holds the information. At that point, the information is returned or not returned to the requestor.”
Kennedy said the other key piece of the BAE is that the attribute information is updated as soon as the agency revises it with the holder of the attributes. So if someone leaves their job, the agency can cancel their access to information immediately instead of depending on a fax or email and hoping the relying parties update their lists in a timely manner.
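The flow Kennedy describes (the data holder asks the attribute holder about the requester on every request, and revocation at the attribute holder takes effect immediately) is easy to see in a small model. The following is an added example written for this page, not the BAE specification or any agency's code: the attribute name, the record, the identities, the shared-key HMAC used to authenticate the attribute response and the class names are all assumptions, and the real specification's message formats are not modeled. It contrasts a relying party that queries the attribute holder each time with the older pattern of a locally replicated allow-list that only changes when someone refreshes it.

```python
"""Toy model of a back-end attribute exchange decision flow (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample data: one required attribute, one protected record.
GANG_INTEL_ATTRIBUTE = "gang-intel-trained"                      # hypothetical attribute name
PROTECTED_RECORDS = {"tattoo:ABC-123": "subject wanted on a warrant"}  # constructed record


def _mac(key: bytes, subject: str, attribute: str, present: bool) -> str:
    """HMAC over the response fields; assumes a key shared between the two parties."""
    msg = json.dumps([subject, attribute, present], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class AttributeResponse:
    subject: str
    attribute: str
    present: bool
    mac: str


class AttributeProvider:
    """Stand-in for the attribute holder: the only place attributes live."""

    def __init__(self, key: bytes):
        self._key = key
        self._attrs: dict[str, set[str]] = {}

    def provision(self, subject: str, attribute: str) -> None:
        self._attrs.setdefault(subject, set()).add(attribute)

    def revoke(self, subject: str, attribute: str) -> None:
        self._attrs.get(subject, set()).discard(attribute)

    def query(self, subject: str, attribute: str) -> AttributeResponse:
        # Answers only the attribute that was asked about, never the whole profile.
        present = attribute in self._attrs.get(subject, set())
        return AttributeResponse(subject, attribute, present,
                                 _mac(self._key, subject, attribute, present))


class ResourceOwner:
    """Stand-in for the data holder: asks the provider on every request."""

    def __init__(self, provider: AttributeProvider, key: bytes, required: str):
        self.provider, self.key, self.required = provider, key, required

    def decide(self, subject: str, resp: AttributeResponse, record_id: str):
        expected = _mac(self.key, resp.subject, resp.attribute, resp.present)
        if not hmac.compare_digest(resp.mac, expected):
            return ("deny", None)  # forged or tampered response
        if resp.subject != subject or resp.attribute != self.required or not resp.present:
            return ("deny", None)  # wrong subject, wrong attribute, or attribute absent
        return ("allow", PROTECTED_RECORDS.get(record_id))

    def request(self, subject: str, record_id: str):
        return self.decide(subject, self.provider.query(subject, self.required), record_id)


class ListReplicatingOwner:
    """The pre-BAE pattern: a local allow-list that changes only when refreshed."""

    def __init__(self, provider: AttributeProvider, required: str):
        self.provider, self.required, self.allow_list = provider, required, set()

    def refresh(self, subjects):
        # Simulates the fax/email-driven list update: copies current state once.
        self.allow_list = {s for s in subjects if self.provider.query(s, self.required).present}

    def request(self, subject: str, record_id: str):
        if subject in self.allow_list:
            return ("allow", PROTECTED_RECORDS.get(record_id))
        return ("deny", None)


def demo():
    """Returns (decisions before revocation, decisions after) for both patterns."""
    key = b"demo-shared-key"                    # assumption: pre-shared key
    provider = AttributeProvider(key)
    bae_owner = ResourceOwner(provider, key, GANG_INTEL_ATTRIBUTE)
    legacy_owner = ListReplicatingOwner(provider, GANG_INTEL_ATTRIBUTE)

    officer = "trooper@dps.example"             # constructed identity
    provider.provision(officer, GANG_INTEL_ATTRIBUTE)   # completed the online course
    legacy_owner.refresh([officer])
    before = (bae_owner.request(officer, "tattoo:ABC-123")[0],
              legacy_owner.request(officer, "tattoo:ABC-123")[0])

    provider.revoke(officer, GANG_INTEL_ATTRIBUTE)      # officer leaves the job
    after = (bae_owner.request(officer, "tattoo:ABC-123")[0],
             legacy_owner.request(officer, "tattoo:ABC-123")[0])
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(("allow", "allow"), ("deny", "allow"))`: both patterns admit the trained officer, but after revocation only the querying relying party denies at once, while the replicated list keeps granting until someone refreshes it. The MAC check is what lets the data holder "rely on the information they got"; a real deployment would use signatures from the attribute holder rather than a shared key.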
Interest in the tool increasing
Kennedy said the ISE, which acts as a hub to bring interested parties together, is signing up more federal, state and local partners as relying parties, which means they trust each other because each organization promised to abide by the identity management and access control standards.
The desire in government to control users’ access to data through standards such as the BAE has grown after the high-profile leaks by Edward Snowden and WikiLeaks over the past few years.
Additionally, President Barack Obama issued a memo in November 2012 requiring agencies to develop policies to combat insider threats. The BAE, in many respects, helps agencies comply with some of the requirements in the memo.
“The BAE could be used for anything, not just people, but machine-to-machine capability, system-to-system capability and there are people attributes as well as there are information attributes and tagging, so all this does is it allows the capability for those various attributes to be held at different locations yet pulled in centrally when required,” Kennedy said. “It can be scaled up, but what it requires is the parties, the person who provides the attributes, the person who has the information and will use the attributes, the person who will tag the data with the attributes it needs, the provider of the network and the individuals who will fill in the information that is required by the attributes that are there. It’s fairly simple and fairly straightforward, and ready to go operational.”
Kennedy said GSA is working with other agencies and relying parties to build the infrastructure of the BAE.
“I can see in the next year or so several other instances actually standing up,” he said. “Basically, we are looking at other use cases that we might be able to bring in other agencies to bring in user attributes that can be used to fulfill the business cases that are out there.”