Establish access controls & protocols
Use CACs or PIVs instead of usernames and passwords to secure system access for specifically designated Congressional staff. The first hurdle to developing a system that everyone can use is integrating with an identity provider that can meet the appropriate requirements for user authentication and authorization.
To be successful, selected Congressional staff need access to most PPBE-related data on unclassified networks without requiring new management processes or overhead. In order to provide this, the system must integrate with existing systems that maintain user accounts in order to validate that a person is who they say they are. DoD uses a single system for user identification, the CAC or PIV, that allows a user’s identity to be validated by something only they have (the physical identification card) and something only they know (the personal identification number, or PIN, for the identification card). This means that when a user logs in by presenting their identification card and typing their PIN, the system can be reasonably sure that the user is who they say they are.
Throughout our research, the suggestion of giving Congressional staff CACs was the most contentious issue we encountered. While there are commercial equivalents such as hardware tokens from RSA, Yubico, or Google, the DoD already issues CACs and PIVs to users. Implementing new systems, protocols, and hardware for such a small number of users adds unneeded complexity and will cause unnecessary delay. We understand that there is additional nuance to issuing CACs or PIVs, but we recommend starting with the simplest and fastest path toward establishing access controls for Congressional staff to view relevant CUI.
By issuing selected Congressional staff members CACs or PIVs, the enclave would be able to securely display information up to IL 5. This would greatly increase the usefulness of the enclave over the current IL 2 pilot. It would save Congressional staff significant time and effort by allowing them to access CUI outside of a SCIF. It would also reduce the complexity of the enclave for both Congressional users and DoD technical staff.
While security background checks are required for CACs or PIVs, DoD already manages these routine requirements for hundreds of thousands of employees. Adding a few Congressional staff should be easily absorbed into the technical and logistical processes the DoD facilities already take on. In many cases, these procedures may already be in place. Many Congressional staffers already have security clearances; they just don’t have access to DoD IT systems.
Integrate directory services for both the DoD and Congress. After validating a user’s identity, the next step is validating the user’s account. In DoD, this will involve integrating with Microsoft Active Directory, the system that maintains users’ account information such as email addresses and the organizations to which they belong. In Congress, this will involve integrating with multiple different user directories, as each staff and committee may maintain their own infrastructure. Because most enclave users are committee staff, it may only be necessary to access the directories of DoD’s four committees of jurisdiction[1], although exceptions are likely to come up. By integrating with these authoritative user directories, the system can validate that a user’s identity is tied to a specific account.
Integrate with Defense Information System for Security (DISS).[2] DISS is necessary to determine what specific data a user is able to access. A user may be permitted or restricted from seeing specific data for many reasons, including the user’s organizational responsibilities, the user’s security clearance, or the user’s need to know. Validating this requires integration with DISS or similar systems where security clearance and background investigation information is maintained. Such systems will be able to authoritatively determine what information a user is able to see.
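As an added illustration (not code from this report, DoD, or any of the systems named) of how the three steps above chain together, the following Python access decision fails closed at each stage: identity from the CAC/PIV certificate, account binding in a directory, then clearance, impact level and need to know from a DISS-like record. The directory and clearance records, the field names, and the certificate subject format are constructed assumptions.

```python
# Added example: a fail-closed access decision chaining (1) identity from a
# CAC/PIV certificate subject, (2) directory account lookup, (3) entitlements
# from a DISS-like clearance record. All records and field names are
# constructed for illustration and are not real system schemas.
from dataclasses import dataclass
from typing import Optional

# Constructed directory entries, keyed by the certificate subject's CN.
DIRECTORY = {
    "DOE.JANE.1234567890": {"email": "jane.doe@example.gov", "org": "HASC"},
    "ROE.RICHARD.0987654321": {"email": "richard.roe@example.gov", "org": "HAC-D"},
}
# Constructed clearance records: "il_max" is the highest impact level (IL)
# the user may view, "need_to_know" the data categories granted.
CLEARANCES = {
    "DOE.JANE.1234567890": {"clearance": "SECRET", "il_max": 5, "need_to_know": {"PPBE"}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def cn_from_subject(subject_dn: str) -> Optional[str]:
    """Pull the CN out of an RFC 4514 style subject string; None if absent."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None


def authorize(subject_dn: str, resource_il: int, category: str) -> Decision:
    """Deny unless every stage positively succeeds (fail closed)."""
    cn = cn_from_subject(subject_dn)
    if cn is None:
        return Decision(False, "no CN in presented certificate")
    if cn not in DIRECTORY:  # identity must be bound to an account
        return Decision(False, f"{cn}: identity not bound to a directory account")
    rec = CLEARANCES.get(cn)
    if rec is None:  # an account without a clearance record sees nothing
        return Decision(False, f"{cn}: no clearance record")
    if resource_il > rec["il_max"]:
        return Decision(False, f"{cn}: IL {resource_il} exceeds permitted IL {rec['il_max']}")
    if category not in rec["need_to_know"]:
        return Decision(False, f"{cn}: no need to know for {category}")
    return Decision(True, f"{cn} ({DIRECTORY[cn]['org']}) may view {category} at IL {resource_il}")
```

Each denial names the stage that failed, which is what an audit log for the enclave would need to record; the checks also run in order, so a missing directory account is never masked by a later check.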