About three years ago, Keith Ward, Northrop Grumman’s director of enterprise security and identity management, and a handful of his staff, began meeting with groups of department managers at a rural Virginia retreat to discuss a major new ID access plan. There was a lot to talk about: what to put on the smart cards, how to go about training, and how to alleviate concerns that might arise.
The plan was to outfit several thousand employees with the card. One badge would replace two or three, and the single identity credential would align with the DoD's successful smart card program.
The system would be automated and would have the ability to grab disparate data from various sources, providing and cross-checking necessary background information to authenticate a person and clear them to be issued a card.
In a series of meetings, Ward and other staff gathered input from a range of managers, including those from security, human resources, and other departments that would play critical roles. The industrial security department would be responsible for the final badge issuances. The “entire process” was discussed, says Ward. Subjects ranged from diplomats’ unique applications to department training to any necessary policy changes.
One area of concern for managers was privacy. Managers knew the card technology’s capabilities. “With its microprocessor, they’re like distributed computers,” says Ward. Managers were also aware of alternative time-management applications at Northrop facilities such as shipyards, says Ward.
Many employees are represented by unions, and it was important to gain their support. Ward says concerns were eased when he mentioned that unions would “become owners” of sensitive data from time management and other sensitive applications. Most managers were supportive after Ward described the business benefits, such as making it easier to access DoD facilities.
Card format. From the beginning, a major program goal was to closely follow the DoD model. “When we did initial research into a new card system, we found that some 90 percent of our existing contracts mentioned FIPS-201 or had similar requirements for proofing and vetting,” says Erik Bowman, a Northrop systems engineer.
The majority of the card’s technological format is laid out in a DoD publication. Each card would contain a 64k microprocessor, biometric templates, an embedded antenna, a magnetic (mag) stripe, and Triple DES encryption.
Initially, the goal was just to put a few applications on the cards, including physical access, computer sign-on, and online network portal entry. With DoD and other federal agencies, portal access has been one of the fastest-growing smart card applications in recent years. The mag stripe and other components would be used for applications such as time-keeping.
The computer sign-on functionality would be a move to two-factor authentication. Employees would enter a user name and password; they would then insert the card into a reader and enter a PIN on the keypad.
Each card would have the ability to use biometrics, but only the more sensitive positions would activate that capability. That might, for example, apply to Northrop Grumman personnel who had to work in a battlefield situation with the DoD. In that case, the card would be inserted into a reader; the user would provide a live fingerprint, which the reader compared against the stored biometric template; then the user would provide the PIN, for three-factor authentication.
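The two- and three-factor flows described above, modelled as an added example (this is not Northrop Grumman's or the card vendor's code). It assumes a card that verifies the PIN locally and answers a challenge with a PIN-protected key; HMAC-SHA256 stands in for whatever the card's own cryptography is, fingerprint matching is modelled as an exact template comparison, and the three-try PIN lockout is an assumption, not something the article states. The names `Card`, `Directory`, `authenticate` and `demo_fixture` are all hypothetical.

```python
"""Authentication decision model for a smart-card badge with optional biometrics.

Constructed example. Assumptions: the card holds a PIN-protected key used for
challenge-response (HMAC-SHA256 here), biometric matching is template equality,
and the card locks after three wrong PINs.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _sha(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


@dataclass
class Card:
    holder: str
    pin_hash: bytes                        # card checks the PIN itself
    key: bytes                             # only usable after a correct PIN
    biometric_template: Optional[bytes] = None
    pin_tries_left: int = 3                # assumption: lock after 3 bad PINs

    def verify_pin(self, pin: str) -> bool:
        if self.pin_tries_left == 0:       # locked card never accepts a PIN
            return False
        if hmac.compare_digest(_sha(pin), self.pin_hash):
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        return False

    def sign_challenge(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class Directory:
    passwords: dict            # user -> sha256(password), constructed sample data
    card_keys: dict            # user -> card key registered at issuance
    sensitive_users: set       # positions that must present the third factor
    templates: dict            # enrolled fingerprint templates


def authenticate(directory, user, password, card, pin, live_fingerprint=None):
    """Return (ok, reason). Reason names the factor that failed or the level reached."""
    # Factor 1: something you know -- the network user name and password.
    if not hmac.compare_digest(_sha(password), directory.passwords.get(user, b"")):
        return False, "password"
    # The presented card must be the one issued to this user.
    if card.holder != user:
        return False, "card"
    # Factor 3 (sensitive positions only): live fingerprint against the enrolled template.
    if user in directory.sensitive_users:
        enrolled = directory.templates.get(user)
        if (live_fingerprint is None or enrolled is None
                or not hmac.compare_digest(live_fingerprint, enrolled)):
            return False, "biometric"
    # Factor 2: something you have -- the PIN unlocks the card's key, which then
    # proves possession by answering a fresh challenge.
    if not card.verify_pin(pin):
        return False, "pin"
    challenge = os.urandom(16)
    expected = hmac.new(directory.card_keys.get(user, b""), challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(card.sign_challenge(challenge), expected):
        return False, "card"
    return True, "three-factor" if user in directory.sensitive_users else "two-factor"


def demo_fixture():
    """Constructed sample data: two employees, one in a sensitive position."""
    key_a, key_b = b"A" * 32, b"B" * 32
    tmpl_b = b"fingerprint-template-bob"   # constructed stand-in for a real template
    directory = Directory(
        passwords={"alice": _sha("correct horse"), "bob": _sha("battery staple")},
        card_keys={"alice": key_a, "bob": key_b},
        sensitive_users={"bob"},
        templates={"bob": tmpl_b},
    )
    cards = {
        "alice": Card("alice", _sha("1234"), key_a),
        "bob": Card("bob", _sha("5678"), key_b, biometric_template=tmpl_b),
    }
    return directory, cards


if __name__ == "__main__":
    d, c = demo_fixture()
    print(authenticate(d, "alice", "correct horse", c["alice"], "1234"))
    print(authenticate(d, "bob", "battery staple", c["bob"], "5678", b"fingerprint-template-bob"))
```

The reason string is returned so a logging layer can distinguish a bad password from a locked card or a biometric mismatch without revealing that distinction to the person at the keyboard; which factor failed is detection data, not something the prompt should echo back.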
System software. In addition to the cards, there would be the software running the system, which would allow access to various human resource and access control databases. Under the old system, information about a new employee’s physical access privileges and computer access privileges was kept separate. Under the new system, it was interconnected, and propagation of the most recent updates was automated.
Automation is important, Bowman says, especially with 130,000 employees. In this case, only the first-time card issuance typically requires human authorization, he says.
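The provisioning logic that the last two paragraphs describe, as an added example rather than the program's own software: HR is treated as the authoritative source, physical-access and logon privileges are derived from it instead of being maintained separately, and only a first-time card issuance is queued for a human approver. The record shapes, the action names and the `reconcile`/`demo_fixture` functions are all assumptions made for the example.

```python
"""Reconcile an HR feed against physical-access, computer-access and card records.

Constructed example. HR status drives every privilege store; the only step left
to a person is approving a first-time card issuance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    status: str          # "active" or "terminated" (assumed vocabulary)


def reconcile(hr_feed, physical_access, computer_access, issued_cards):
    """Return the list of (action, employee_id) needed to bring the stores in line with HR."""
    hr = {r.employee_id: r for r in hr_feed}
    actions = []
    for emp_id, rec in hr.items():
        if rec.status == "active":
            if emp_id not in issued_cards:
                # First-time issuance: the one step that needs human authorization.
                actions.append(("queue_human_approval", emp_id))
                continue
            # Existing card holder: privilege updates are fully automated.
            if emp_id not in physical_access:
                actions.append(("grant_physical", emp_id))
            if emp_id not in computer_access:
                actions.append(("grant_logon", emp_id))
        elif rec.status == "terminated":
            # Termination revokes everything in one pass, so neither store lags the other.
            if emp_id in physical_access:
                actions.append(("revoke_physical", emp_id))
            if emp_id in computer_access:
                actions.append(("revoke_logon", emp_id))
            if emp_id in issued_cards:
                actions.append(("revoke_card", emp_id))
    # Entries with no HR record at all are the failure mode of the old segregated
    # system: privileges nobody owns. Flag them rather than silently deleting.
    orphans = (set(physical_access) | set(computer_access) | set(issued_cards)) - set(hr)
    for emp_id in sorted(orphans):
        actions.append(("flag_orphan", emp_id))
    return actions


def demo_fixture():
    """Constructed sample data covering each branch of reconcile()."""
    hr_feed = [
        HRRecord("e1", "active"),       # fully provisioned, nothing to do
        HRRecord("e2", "active"),       # new hire, no card yet
        HRRecord("e3", "terminated"),   # still holds every privilege
        HRRecord("e4", "active"),       # has a card and door access, no logon
    ]
    physical_access = {"e1", "e3", "e4", "e9"}
    computer_access = {"e1", "e3"}
    issued_cards = {"e1", "e3", "e4"}
    return hr_feed, physical_access, computer_access, issued_cards


if __name__ == "__main__":
    for action in reconcile(*demo_fixture()):
        print(action)
```

Running the reconciliation on every HR change, not on a nightly batch, is what makes revocation keep pace with terminations; the orphan check is the audit that catches accounts the old, segregated process would have left behind.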