DJ Kachman, the Veterans Affairs’ director of mobile and security technology transformation lead in the Office of Information and Technology, joins Federal News Radio for an Ask the CIO online chat on April 10, at 1 p.m.
The Veterans Affairs Department went from 13 percent of all employees using their smart identification cards or other types of two-factor authentication to log onto their computer networks to 82 percent in less than a year.
And now it’s time to add a mobile component to that effort.
DJ Kachman, VA’s director of mobile and security technology transformation lead in the Office of Information and Technology, said the agency has plans to integrate smartphones and tablets with multi-factor network authentication under Homeland Security Presidential Directive-12 (HSPD-12).
Kachman said because using the HSPD-12 smart identification cards is challenging with smartphones and tablets, VA is exploring the use of derived credentials.
“That, not only from a security perspective, allows us to secure the authentication of the sending and receiving of the data, but it also is going to help us from a single-sign-on perspective that we are able to launch applications, leveraging that certificate securely, which gives our providers the ability not to have to log in multiple times to different applications,” Kachman said on the Ask the CIO program. “You also don’t have a cumbersome need to have a card reader plugged into that device. There are all sorts of different reasons why card readers can be problematic, largely because we have different operating systems, different card readers and different applications that can leverage those card readers.”
Derived credentials are cryptographic credentials derived from those on a Personal Identity Verification (PIV) card or Common Access Card (CAC) and carried on a mobile device instead of the card, according to Pomcor, a research firm in California. In practice the derived credential is an X.509 certificate and private key that the agency PKI issues after the user has authenticated with the PIV card, as NIST Special Publication 800-157 specifies, and that is stored in the device’s software or hardware key store. An application or service then authenticates the user by validating that certificate against the agency PKI (certificate chain and revocation status) rather than by checking a password. This removes the need to present the PIV card to a reader, whether a reader plugged into the mobile device, a contactless reader using near-field communication (NFC), or a separate Bluetooth-connected reader.
The Defense Department, for the most part, has led the way in testing and starting to implement this type of technology. Meanwhile, other agencies from the Agriculture Department to the Centers for Medicare and Medicaid Services to the Homeland Security Department’s Customs and Border Protection directorate are using derived credentials for some applications and mission areas.
Additionally, the National Institute of Standards and Technology finalized guidance for agencies to use derived credentials under HSPD-12 in Special Publication 800-157.
Kachman said VA is working on how best to create, deliver and consume the credentials.
“Part of derived credential is understanding your infrastructure, making sure you are able to implement a solution that is able to implement your infrastructure, and then, the hardest part of derived credentials, is simply the consumption of the derived credential itself. That is something that we found, that when most folks talk about derived credentials, there is this understanding that you put an application on a device, you put a credential on a device and those two work without a lot of configuration,” he said. “In fact, your applications have to be coded or use some sort of wrapper to consume that credential itself. There is a lot of work on the front end to make sure we can create the certification and meet the federal requirements. But then also deliver it to the device and then have it consumed by different applications.”
VA plans to pilot derived credentials in the next six-to-nine months to test out these concepts.
Kachman said the pilots will give them a better understanding if they are heading down the right path with the infrastructure support and credential provisioning.
“For the most part, all of our applications will leverage some other sort of authentication technology. In the cases where they do not, what we do is we basically focus on how else can we deliver that particular service to that particular staff person?” he said. “We are moving ahead pretty quickly. We’re in a unique position because we’ve opted to do user-based PIV enforcement. A lot of other federal agencies opted to do workstation based. So we are further ahead from a security perspective. But that also created a little bit of a technology difficulty because a lot of the technology out there focuses on the ability to leverage a third party to deliver some sort of authentication method to the actual application itself, which is basically just capturing a password someplace. Our passwords are gone so we have to use some sort of certificate to authenticate.”
Kachman said the difference between user-based and workstation-based PIV enforcement is where Active Directory applies the requirement. With user-based enforcement the user account itself is flagged as requiring a smart card, so the only way to authenticate is with the certificate on the PIV card and the account’s password is no longer usable anywhere. With workstation-based enforcement the requirement is applied through policy on the machine, and the account can still authenticate with a password to systems that do not enforce it.
“To authenticate to anything you have to have your PIV card and you have to have your PIN. That is the only way you can authenticate,” he said.
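The user-based enforcement Kachman describes corresponds to the "smart card is required for interactive logon" flag (the 0x40000 bit of userAccountControl) on the Active Directory user account. The following PowerShell is an added example, not VA’s own tooling or any script described in the article, showing how an administrator would audit which enabled accounts still lack the flag, apply it, and periodically re-randomize the password hash that setting the flag replaces. The OU path, the exemption list and the function name are assumptions for illustration; it requires the RSAT ActiveDirectory module and rights to read and modify the accounts.

```powershell
# Added example (not VA's code): audit and apply user-based PIV enforcement in AD.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=gov'   # assumption: where user accounts live
$Exempt     = @('svc-backup', 'svc-monitor') # assumption: service accounts handled separately

# userAccountControl bits (Microsoft-defined values)
$UF_ACCOUNTDISABLE     = 0x2
$UF_SMARTCARD_REQUIRED = 0x40000   # decimal 262144

# 1. Find enabled user accounts that still allow password logon.
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this is
#    evaluated on the domain controller rather than by filtering client-side.
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE))" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_SMARTCARD_REQUIRED)))"

$unenforced = Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase `
                  -Properties userAccountControl, PasswordLastSet |
              Where-Object { $Exempt -notcontains $_.SamAccountName }

$unenforced |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SmartcardRequired'; e = { ($_.userAccountControl -band $UF_SMARTCARD_REQUIRED) -ne 0 } } |
    Format-Table -AutoSize

# 2. Enforce. When the flag is set, the domain controller replaces the account's
#    NT hash with a random value, so the old password stops working everywhere,
#    including in any third-party product that "captures a password someplace".
#    Remove -WhatIf to apply.
foreach ($u in $unenforced) {
    Set-ADUser -Identity $u -SmartcardLogonRequired $true -WhatIf
}

# 3. Caveat: the hash is randomized only at the moment the flag is set. An account
#    flagged years ago still carries that same random hash, which is usable for
#    NTLM if it is ever stolen. Toggling the flag off and on forces a fresh one.
function Reset-SmartcardHash {
    param([Parameter(Mandatory)][string]$SamAccountName)   # hypothetical helper name
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $false
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
}

# Example (assumed account): Reset-SmartcardHash -SamAccountName 'jdoe'
```

Run the audit step first and review the list before removing `-WhatIf`: any application or service that still authenticates the user with a stored password will stop working the moment the flag is set, which is exactly the consequence Kachman describes for VA’s applications.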
Another big focus area is standardization on devices, mainly for the ease of customer service.
Kachman said by having a limited set of smartphones and tablets, help desk services and support and updates become easier for the agency.
All of these efforts can happen now because of how VA has matured around mobile computing over the last five years.
Kachman said over the last two-or-three years, VA has shifted toward an enterprise approach for mobile computing.
“Everything is managed from a single location, a single infrastructure, so we are able to have standards across the organization,” he said. “This leads to a couple of different things. Security is greater when we are able to do that. The ability to deliver better customer service because there are knowns, we know what’s exactly on these devices. And we are able to really focus on delivering to the customer what they need versus having to figure out what customer is having the issue and who serves that customer. So now it’s all under a single umbrella. It was really a big shift in our organization considering how large we are.”
Kachman said VA’s mobile strategy remains focused on serving the veteran without the employee or veteran worrying about what device they are using.
“The strategy is starting to combine if you look at what VA is doing, we have more cloud-type work that is going on. We have clinical health that goes out to the folks in the rural areas,” he said. “So delivering this mobile piece to those types of environments is all part of that strategy to make sure we are able to continue to deliver the best service we can.”