Strengthening DoD's identity assurance through an enterprise-wide biometrics solution: biometrics—a prime security enabler that cannot be lost, forgotten, forged, or stolen - DoD Biometrics Program

Program Manager, March-April, 2003 by Dr. Linda Dean, MAJ. Stephen Ferrell, Lydia Kaizer

Imagine what it might be like for DoD employees, even when transferring from one area to another, to be able to easily access their computers and workplaces with the touch of a finger to a platen device, or by glancing into an iris scanner. Imagine, more importantly what it might be like for the DoD to know that users are able to access only the facilities and information to which they have been granted authority.

Traditional Forms of Identification Fall Short

The challenge to achieving such an end-state is easily stated: how does the DoD guarantee--at any given time, in any given location--that a person claiming authority to access valuable internal assets is actually the person to whom such authority has been granted? Recent events have made it clear that something in addition to the traditional forms of identification--photo IDs, Personal Identification Numbers (PINs) and passwords--might be necessary to meet this challenge. A tool is needed that cannot be lost or forgotten, forged or stolen; that can guarantee the identity, or verify the claimed identity, of an individual; that can ensure that the right person with the right privileges has timely access to secure systems and facilities across the DoD enterprise; and that can positively link an individual with certain activities or events.

To achieve these levels of identity assurance, the DoD is turning to measurable, individual-specific characteristics that can positively associate a person with the benefits-including facility and network access--to which he or she is entitled. These characteristics are referred to as biometrics. They include certain physical patterns and geometries that are unique to each human being: a fingerprint, the shape of a hand, the configuration of an iris, the arrangement of nerves in the retina, the topology of the face, the inflections and modulation of a voice.

Each of these and other individual-specific identifiers can be captured, measured, converted to a mathematical algorithm, and recorded for future use. Moreover, because they represent who you are, instead of what you know (a PIN or password) or what you possess (a token or key), each has the potential to allow for guaranteed identity assurance. That, in turn, translates to guaranteed security of the DoD's physical and information assets.

The DoD is no stranger to biometric technologies; the Department has been using these technologies to manage access to chemical demilitarization projects for many years. More recently, the Department has begun using iris scan and fingerprint technologies to manage physical access to restricted properties and logical access to critical computers and networks.

Looking to the future, the DoD is investing heavily in the research, development, and evaluation of emerging biometric technologies, including facial recognition, hand geometry, signature verification, and voice recognition, to determine their operational viability A list of qualified devices, however, is only half the equation. The question remains: how do you make each device functional within an enterprise as massive, multifaceted and geographically dispersed as the DoD?

The DoD Biometrics Management Office

In 2000, the United States Congress directed the Secretary of the Army to act as Executive Agent in leading, consolidating, and coordinating all biometrics information assurance programs for the DoD. To accomplish this mission, the Army created a DoD Biometrics Management Office (BMO). The mission of the BMO is to ensure that biometrics technologies are integrated effectively into information assurance programs, physical access control systems, and best business practices across the DoD. This mission entails two clearly defined objectives: 1) to test and evaluate currently available biometrics products for DoD applications; and 2) to develop an enterprise solution to facilitate the use of biometrics across the DoD.

Device Testing

The BMO maintains two criteria for selecting the biometric devices that it evaluates.

COTS Product

First, the device must be a Commercial-Off-the-Shelf (COTS) product. Through close working relationships with research and development organizations such as the Defense Advanced Research Projects Agency (DARPA), the BMO keeps informed of cutting-edge technology developments in the biometrics arena. Its mandate, however, is to build a solution that will satisfy current DoD requirements.

Interoperability

Second, the BMO considers only those devices that have the potential to integrate into a large, enterprise-wide solution. Interoperability is critical. Once these prerequisites are satisfied, the Biometrics Fusion Center (BFC), located in West Virginia, steps in to perform comprehensive testing.

There are three phases to the BFCs product testing process.

Product Assessment Phase

All devices claim certain levels of technical performance. The BFC's Product Assessment phase determines to what degree those claims are valid, and whether or not they meet certain DoD-determined minimum performance standards.