The goal was to create a federated identity system over a secure network that would allow private-sector contractors to use their company’s employee badges to access bases, labs, plants and other secure facilities around the world. That same system also would have to meet credentialing requirements for access to information systems, as demanded by HSPD-12. (Read more about the HSPD-12 project here.)

What resulted was the completion late last year of the first leg of an experimental, third-party intermediary cross-credentialing network called the Federation for Identity and Cross-Credentialing Systems (FiXs). A second phase, aimed at integrating this network for access systems, should be completed in a year, says Mary Dixon, director of the Defense Manpower Data Center.

The effort reflects nearly two years’ work defining legal, auditing, privacy, operation and implementation rules with the help of FiXs, a network of 23 contractors, financial institutions, authentication vendors, system integrators, and other businesses and organizations. This network represents about 600,000 FiXs card-carrying workers, whose credentials can interoperate in a secure, ATM-style network. The network also accepts 3.3 million defense workers’ access cards.

Dixon says the biggest challenge was getting the Pentagon to accept third-party credentials that were not managed and revoked by the Defense Department directly but rather by contractors. “We needed assurances that the employer who’s responsible for the credentials will have properly vetted and entered the employee into the system” through FiXs, Dixon says. Safeguards also included nixing credentials for fired contractors, or making other status changes, within three hours.

Once a contract worker is enrolled, his data is kept within his employer’s database, and queries against those credentials are processed through the FiXs authentication station—essentially a smart switch sitting in front of the database. DoD also has its own trust gateway smart switch that interfaces with the FiXs gateway. Basically, all this amounts to a Web-based application that reads the credential, goes through a trust broker to reach the appropriate employer’s database, and returns a photograph and some biographical and biometric information that allows the DoD facility to confirm that the credential is valid.

Because many of the large defense contractors helped create the FiXs network, many of their employees are also FiXs card carriers, offering a large pool of contractors and civilian workers already on the FiXs network for DoD agencies to chose from. Some examples include SRA International, which provided the mobile authentication hardware and software for the project; EDS, which handled enrollment through its Assured Identity program; and Northrop Grumman, which handles network operations management.

Paul Stamp, senior security analyst at Forrester, says he expects to see more FiXs-style networks because it advances the HSPD-12 policy that “attempts to address some of the policy issues around setting up a common set of processes to validate an identity prior to credentialing.”