Personal Identity Verification (PIV) Card Implementation

Summary

When our client learned that new federal guidelines would require their collection of mission-critical legacy applications to support login via PIV smart cards, CSNW undertook to extend all five applications as well as manage the user transition. As a large, secure agency doing essential work in areas critical to US infrastructure, our client had two key areas of concern: (1) the retrofit must also include tools for managing and deactivating smart cards from user accounts, and (2) as these applications were in daily use by hundreds of employees for mission-critical operations, the transition process must be managed with the utmost care. Our specialization in software modernization allowed us to take a thoughtful, measured approach that avoids massive re-writes and re-implementations, carefully addressing the weakest links with an eye to reducing failure modes and increasing ROI.

Goal

For those with an IT-centric viewpoint, it is all too easy to undervalue a working, if dated, system. But our client’s collection of legacy applications capably served their mission to advance the safe transport of materials that are essential to the daily lives of Americans. Representing years of hard-won business functions, these applications needed only to meet then-new federal guidelines and the client’s related specifications. Our goal was to satisfy those needs while maintaining the high ROI typical for these applications.

Work Performed

Because real-world utilization can often creep beyond the original intent of the software or system, we believe it’s best practice to devote significant survey resources early in any work involving legacy applications. Based on the use survey we conducted, we then wrote implementation specifications and corresponding tests for each key finding. In order to facilitate incremental, test-driven development of the smart card capabilities across all applications, we next deployed a safe development environment that mirrored the production environment. This allowed us to test and retest each use-case scenario without end-user impact.

The client’s heavy daily use of these applications informed our development sequencing: from most complicated application to least. This helped us to identify shortcomings in our approach early on and adjust it and our testing methodology accordingly. Starting with the easiest first might provide for quick wins but would also expose us to late-in-project surprises that could negatively impact user transition. Once the solutions were implemented and tested in the development environment, we tested deployment operations against the staging environment. This provided us a valuable first-time-install experience and influenced communications to stakeholders prior to the production release. Contrary to development sequencing, we deployed the changes starting with the simplest, least-used applications in order to minimize any operational impact of unexpected events during production deployment.

Results

In preliminary analysis, we identified several vendors with products that purported to solve the issues at hand. Because the legacy systems had all the requisite technology to implement the PIV smart card specifications, the client’s choice to modernize saved them both the risk and license cost of adding new technology to a legacy system. Other outcomes include:

1. All five legacy applications support login via PIV smart cards.
2. Administrators can revoke and disable user accounts in the added PIV management view.
3. Verification checks for blank serial and duplicate serials prevent them from being associated with an application account or used to login.
4. Server alerting and auditing modules now include alerts and audits for PIV-related events.
5. This agency is well-positioned to begin accepting PKI-based identity cards from other partners (e.g., State Governments).