Identify the Solution
For a small company, South Bay Sand Blasting and Tank Cleaning (SBSBTC), based in San Diego, California, has a big job. The organization completes critical system flushing for the U.S. Navy’s surface vessels and submarines. The flushing prepares ships for the water again after becoming contaminated. “Our team performs this work all over the world; basically wherever the ships break, we go,” says Kirk Boettner, director of the technical flushing division at SBSBTC. This includes Japan, Bahrain, Spain, Diego Garcia, and parts of the United States and its territories, such as Florida, Guam, Hawaii, Virginia, and Puget Sound regions.
SBSBTC also has one of the largest tank-cleaning operations in San Diego, and provides non-skid surfaces for military vessels’ flight decks, cargo decks, and more.
As a U.S. government contractor, SBSBTC must comply with an array of requirements, including security vetting for personnel who need access to the multiple naval installations and vessels where the company does its work.
“To work on the naval bases, as well as the private shipyards, all of our people have to be drug tested and undergo background checks to make sure they don’t have any felonies, or things of that nature,” Boettner says. He adds that the U.S. government is continually increasing its security requirements for contractors, particularly in the realm of cybersecurity. Many of those requirements are mandated by the U.S. National Institute of Standards and Technology (NIST).
“The government in general has raised its bar for what their own people have to do to gain access to information and to gain access to computer networks,” he says, citing recent cyberattacks linked to nation-states like North Korea and China. He acknowledges that contractors are the weakest link in terms of letting hackers access government information.
To address this issue and to help keep hackers and cyberterrorists from accessing controlled unclassified information (CUI), the U.S. Department of Defense (DoD) requires all of its contractors to be compliant with the NIST 800-171 mandate by the end of December 2017.
One of the key provisions in that framework is the use of multifactor authentication—a PIN, biometric, or smartcard will be needed, in addition to a username and password, to log onto computer terminals and into certain government websites.
For SBSBTC, this meant the company had to develop a policy differentiating between who had access to CUI and who did not. Those with access would need the multifactor authentication. Separating the two types of employees can be a challenging task for a company like SBSBTC, where worker numbers widely vary.
“In our industry, with the workload spikes and turnover, we could be 400 employees in one month and 70 the next,” Boettner says. “So trying to maintain and manage that policy would be extremely difficult, and require lots of oversight to ensure that we stay in compliance with NIST.”
That’s where the company’s relationship with SureID, an identity-solutions provider, came in. SBSBTC has been a SureID customer since 2011 when it adopted the RAPIDGate program to gain streamlined access to naval installations.
The RAPIDGate Program is SureID’s authentication solution, used by the DoD and other U.S. government agencies, that allows physical access to military bases and other facilities in a quick, efficient way.
At the gate to the Navy installations, armed DoD personnel check the RAPIDGate credential, which has the cardholder’s photo and a barcode. DoD employees use handheld scanners to read the barcode associated with the RAPIDGate Program credential.
The card also provides multifactor authentication for logging onto computer terminals because it complies with NIST’s Personal Identification Verification standard. That framework verifies the “identity of individuals seeking physical access to federally controlled government facilities and logical access to government information systems,” according to NIST’s website.
In the end, SBSBTC decided it would be more efficient to certify all of its employees under the new standard, and provide multifactor authentication for the non-RAPIDGate personnel through the SureID Certified PIV-I (Personal Identity Verification Interoperable credential).
“It was more beneficial to just have our overhead and general administrative staff on the same level as our RAPIDGate personnel, and just say the whole company has access to CUI,” Boettner explains.
The RAPIDGate card already meets all the protection levels and limits for the requirements in the NIST 800-171 program. “For people who already have RAPIDGate, which is most of the company, it serves both functions,” he says. “It gets them physically onto a location, as well as also covering the two-factor authentication; it’s a two-in-one card.”
For staff not requiring physical access, the SureID Certified PIV-I credential provides the same access except for admission to military locations and vessels.
“A PIV-I credential is provisioned with digital certificates, photo, and fingerprint and among the most effective ways of addressing security vulnerabilities both online and on-premise,” a white paper from SureID explains. “A would-be hacker would have to infiltrate a given Public Key Infrastructure (PKI), and hack each individual card where the information is stored. Doing so would be practically impossible for a cyber espionage group physically located on the other side of the world.”
A SureID customer service representative came to SBSBTC in March 2017 to fingerprint and photograph the staff who didn’t have the RAPIDGate card to sign them up for the SureID PIV-I credential.
“They set up a registration station at our facility here and we were able to process through all of our employees over two visits,” Boettner notes. SureID maintains the database for both the RAPIDGate and PIV-I cards.
When logging onto their computers, SBSBTC employees insert their SureID PIV-I or RAPIDGate card into a reader and enter their username and password. The cards are valid for a three-year period and can be renewed electronically.
Boettner adds that there is much more to meeting the NIST 800-171 requirement than credentialing employees for multifactor authentication.
“There’s a myriad of other changes we had to go through,” he says. “We had to get a whole new firewall, brand new hardware in our network closet, we had to switch servers; we had to do all these different things to be compliant.”
He notes that the SureID PIV-I credential, however, has made a huge difference moving toward meeting the deadline.
“We’ve advanced very far down the requirement ladder because of them,” he says. “Probably more than a third of the work….we knocked out just by working with SureID.”
For more information: Aaron Cohen, [email protected], www.sureid.com, 503.924.5297