Security of Application Software in Higher Education

Excerpts from the Department of Education’s August 20, 2009 FSA Software Developer’s Conference

00:00 - Begin

00:36 – Tim Bornholtz,[1] Question 1:

“I’ve got a couple related questions about NIST 800-53. The, NIST[2] has defined the four levels of assurance. Do, does FSA[3] have a, or what is the level of assurance that FSA systems require?”

00:51 - Bob Ingwalson:[4]

“Ok”

00:53 – Tim Bornholtz, Continue Question 1:

“Or, is that public?”

00:55 - Bob Ingwalson, Answer to Question 1:

“Well, that’s an interesting topic because NIST identified, in 800-53, that systems with a moderate impact should have a, should have two factor authentication, which equates to a level three of insurance. However, we did an analysis of our systems, we came up with a level two.”

01:23 – Tim Bornholtz, Question 2:

“Ok. Do you have any recommendations for registrars and FAA,[5] or financial aid offices for what level of assurance they need in their office when accessing and storing student financial data?”

01:35 - Bob Ingwalson, Answer to Question 2:

“Again, there’s a tool out there that a lot of different factors go into determine the level of authorization, assurance, and it wouldn’t be wise for me just to say that. But, I could tell you that because their systems have pretty much the same as ours, it’d probably be level 2 or level 3.”

Questions to Ganesh Reddy[6]

02:07 – Tim Bornholtz, Question 3:

“You talked a little bit about the ESB and shared common services.[7] Do you have any plans to expose those shared common services to partners?”

02:15 - Ganesh Reddy, Answer to Question 3:

“We are still looking at it. We’re looking at it in terms of which business functions we can expose to. When we re-engineer our systems, we will evaluate which functions we can expose to outside entities. At this point in time, we are still in the process of re-engineering our first systems. We maybe talk about it when the next talk is out about that. When we [inaudible] at that, we will look at it and see what, which services are appropriate to expose to external users.”

02:51 – Michael Sessa, Question 4:

“You mentioned WebSEAL. Is that a department product, or is that a vendor product?”

02:55 - Ganesh Reddy, Answer to Question 4:

“It is IBM, it is part of an IBM Tivoli identity manager and access management tool suite.”

03:00 – Michael Sessa, Question 5:[8]

“Ok. And, a lot of what you talked about rings true, or familiar to Homeland Security Presidential Directive 12, HSPD 12.[9] Is that the governing rule here, is that what you’re tending towards?”

03:15 - Ganesh Reddy, Answer to Question 5:

“Some of it, not all of it. One of it calls for two factor authentication, for instance. And there are a lot of others like tracking user’s IP addresses and all those things. Some of them, we are slowly but steadily implementing them. Federal Student Aid has somewhat of a bigger challenge than other agencies because we have, every year we have 15 to 20 million applicants. I don’t know how many, approximately 15 million applicants every year. So, to roll out new technologies and put constraints on them will only discourage users from applying for federal aid, and that’s not our goal. So, when we implement these new technologies, [inaudible] things, we are very mindful of that. We just don’t want to implement, just because it’s [inaudible] we just don’t want to roll it out. We discourage the whole purpose of title 4.”

04:07 - Michael Sessa, Question 6:

“You talked about logical access and physical access and, but it doesn’t sound like you are, you’re parallel track with HSPD 12.”

04:15 - Ganesh Reddy, Answer to Question 6:

“Right. We, some of the policies, we absolutely have implemented and we are moving in that direction. Yes.”

04:25 - Michael Sessa, Question 7:

“I have a quick comment, more than a question probably, but. President Obama’s administration and through NCES[10] grants coming out of the states are requiring states to assign student IDs, unique IDs. And so my question is, is that being considered so that we, I’m not sure we’ll ever stop the generation of new IDs, I mean we’ve down here before, we’ve been here many times. But is there any consideration to what NCES is doing and any coordination with NCES?”

05:00 – Renee Wade,[11] Answer to Question 7:

“I think we can take that into consideration since we are still kind of in these beginning stages, we can look at that and see if we can maybe somehow incorporate that, or exactly how we can do that.”

05:15 – Tim Bornholtz, Question 8 to the Round Table:

“Can you give us status on the FSA gateway range during you talked about last year?”

05:20 - Ganesh Reddy, Answer to Question 8:

“Yeah, Gateway is one of those initiatives we wanted to do this year, but for budget reasons they had to postpone. What we are looking at is how to communicate with external systems and external entities, not users, individuals, but external systems and [inaudible] data as well. We wanted to do it, but weren’t able to. So, we are still continuing to use our new system that we, I just mentioned a few minutes ago, FSA SAIG[12] gateway, based on ClickCommerce’s product for transferring public data.[13] That remains in the next 12 months to 18 months still because we have new services coming in, we have new initiatives that are going on. So we didn’t want to get [inaudible] on the process. But we are looking at technologies and what we are going to do is to get user input into that because it’s easy for us to engineer our put it in play, put in play, mechanisms but since we will be exchanging information with external entities we want to gather as much info as possible and deliver the best technologies that is good for all of us and not just for Federal Student Aid. I, just to be more specific onto your question. We will be looking at the gateway probably in 9/10 [September 2010]. Maybe 9/10, 9/11 year.”

07:00 – Tim Cameron,[14] Question 9 to the Round Table:

“My question’s with regard to the FAN.[15] Is it expected that software vendors and others outside of the department will be required to pass that?”

07:12 - Renee Wade,[16] Answer to Question 9:

“For the FAN, we haven’t gotten that far. The thought is that, yes, eventually you would pass it to us. But we would definitely include you in any conversations when we’re talking about that, to make sure that you understand what that is and what that means.”

07:27 - Tim Cameron, Question 10 to the Round Table:

“If we are going to be required at some point to pass that, and the goal is to move away from using personal identifier information if we’re, by the fact that we’re exchanging it doesn’t it yet become just another piece of personal identifier information?”

07:44 - Renee Wade, Answer to Question 10:

“Yes, technically you could look at it that way. But what we’re really trying to do is, the FSN, I mean that’s what people were really frightened about at this point in time.[17] So, that, it would be tied to an FSN, but if you’re not passing the FSN around. It’s something that we’d have to think about, and exactly what we would do to compensate for that. So, that’s why we would want you involved in those conversations, so we can come up with a correct solution.”

08:18 - Tim Cameron, Question 11 to Round Table:

“In conjunction with the two factor authentication process and PRMS, is FSA looking at supporting any or participating in any federated models of authentication, such as the InCommon federation?”[18],[19]

08:34 - Ganesh Reddy, Answer to Question 11:

“We did participate, actually, we had an eAuthentication framework in place that worked with other federal agencies that you would need to have only one identity for the federal government, and that agencies would share it. But, unfortunately, for whatever the reason, GSA[20] has dropped that plan, because GSA was the body that was coordinating this activity. So at this point in time, it is retired, sort of. But we are looking at participating in InCommon and other, we are very much interested in doing that because we would like to, particularly if the students would like to access [inaudible] creating their own identity, they could do that using this student ID. So those are the policy decision we have not made, yet. But we are really much interested in authentication and that kind of thing, yes, federated identity.”

09:32 - End

instructional media + magic, inc. October 18, 2009

[1] The Bornholtz Group.

[2] U.S. Department of Commerce, National Institute of Standards and Technology

[3] U.S. Department of Education, Federal Student Aid

[4] Federal Student Aid

[5] Financial Aid Administrator

[6] Federal Student Aid

[7] Enterprise Service Bus

[8] Executive Director, Postsecondary Electronic Standards Council

[9] Homeland Security Presidential Directive 12 “Policies for a Common Identification Standard for Federal Employees and Contractors,” 27 August 2004.

[10] U.S. Department of Education, Institute of Education Sciences, National Center for Education Statistics.

[11] Federal Student Aid

[12] Student Aid Internet Gateway.

[13] The product was identified as “Training Delivery Manager (TD Manager),” but could not be confirmed.

[14] Project Manager, Meteor Project, an initiative of the National Council of Higher Education Loan Programs.

[15] Financial Aid Number—a number assigned to applicants for federal financial aid that is expected to be used for all future transactions with FSA.

[16] Federal Student Aid

[17] FSN could be a misinterpretation of FAN. There are no references to FSN on the U.S. Department of Education’s website except those for Family Support Network.

[18] Person Record Management Service (PRMS): The PRMS is a centralized system of record for Person data for all Federal Student Aid Application systems.

[19] “The mission of the InCommon Federation is to create and support a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States. To achieve its mission, InCommon will facilitate development of a community-based common trust fabric sufficient to enable participants to make appropriate decisions about the release of identity information and the control of access to protected online resources.” From 17 October 2009.

[20] U.S. General Services Administration