Thread Subject: Re: one more item for considerationinself-contained/closed

From: Tom Brett
Date: Wed, May 23 2007 5:20 PM

• Return to this mailing list's archives
• View all messages in this thread
• Next message in thread: None
• Previous message in thread: terry.weaver@gsa.gov: "Re: one more item for considerationinself-contained/closed"
• Messages sorted by: Author | Thread | Date

I concur that the National Security Exemption is based upon Clinger Cohen.
However post 9/11 executive order and regulation - FIPS PUB 201 - have
expanded the technical definition of national security:



"Special-Risk Security Provision-The U.S. Government has personnel,
facilities, and other assets deployed and operating worldwide under a vast
range of threats (e.g., terrorist, technical, intelligence), particularly
heightened overseas. For those agencies with particularly sensitive OCONUS
threats, the issuance, holding, and/or use of PIV credentials with full
technical capabilities as described herein may result in unacceptably high
risk. In such cases of extant risk (e.g., to facilities, individuals,
operations, the national interest, or the national security), by the
presence and/or use of full-capability PIV credentials, the head of a
Department or independent agency may issue a select number of maximum
security credentials that do not contain (or otherwise do not fully
support) the wireless and/or biometric capabilities otherwise
required/referenced herein. To the greatest extent practicable, heads of
Departments and independent agencies should minimize the issuance of such
special-risk security credentials so as to support inter-agency
interoperability and the President's policy. Use of other risk-mitigating
technical (e.g., high-assurance on-off switches for the wireless capability)
and procedural mechanisms in such situations is preferable, and as such is
also explicitly permitted and encouraged. As protective security technology
advances, this need for this provision will be re-assessed as the standard
undergoes the normal review and update process"



I have highlighted what FIPS PUB 201 says about extant risk.this includes
national interest or national security. FIPS PUB 201 does provide
alternatives to biometric forms of identification. These alternative forms
were added prior to the final issuance of the regulations. The
alternatives were identified to be in comformance with the current Section
508 standards. HSPD 12 was required to be implemented in a very short time
frame and agencies have invested significant money in procurement of the
hardware to comply with the Executive Order.



I do believe that having fully accessible fingerprint readers is a necessary
part of Section 508 but also believe that that unless the wording of the
final provisions of the standards specifically address how accessibility
must be achieved, some biometric forms of identification will be implemented
that cannot be used by people with disabilities.





Tom Brett



_____

From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of
= EMAIL ADDRESS REMOVED =
Sent: Wednesday, May 23, 2007 4:41 PM
To: TEITAC self contained/closed products subcommittee
Subject: Re: [teitac-closed] one more item for
considerationinself-contained/closed



The National Security exemption is based on the Clinger-Cohen definition of
same which does not include anything except functions that are command,
control or crpytological (sp) related in the military environment. Before
the creation of DHS, the government was dealing with the fact that
non-military agencies wanted to apply this to any job that had a physical
capability requirement and supported homeland security-like functions. Our
response has been that National Security exemption did not apply there.

_____

----- Original Message -----
From: "Hoffman, Allen" [ = EMAIL ADDRESS REMOVED = ]
Sent: 05/23/2007 03:17 PM AST
To: "TEITAC self contained/closed products subcommittee"
< = EMAIL ADDRESS REMOVED = >
Subject: Re: [teitac-closed] one more item for
considerationinself-contained/closed



NO. Not necessarily.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303





_____

From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Tom Brett
Sent: Wednesday, May 23, 2007 3:09 PM
To: 'TEITAC self contained/closed products subcommittee'
Subject: Re: [teitac-closed] one more item for
considerationinself-contained/closed

Well you could say that but couldn't a government agency claim that
fingerprint readers would fall under the national security exception?



Tom Brett



_____

From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, May 23, 2007 2:57 PM
To: = EMAIL ADDRESS REMOVED =
Subject: [teitac-closed] one more item for consideration
inself-contained/closed



This may be for hardware, if so feel free to slap me there.

Biometric input "surfaces" must be tactually discernible, but they are not
controls, so may need to be called out specifically. For example, a
fingerprint reader must at least allow someone who is blind to feel where to
put their finger.



Allen Hoffman
DHS : CRCL & OCIO;
DHS Office On Accessible Systems and Technology
v: 202-447-0303; c: 202-213-1835; tty: 202-401-0725
email: = EMAIL ADDRESS REMOVED = or = EMAIL ADDRESS REMOVED =

This communication, along with any attachments, is covered by federal and
state law governing electronic communications and may contain sensitive and
legally privileged information. If the reader of this message is not the
intended recipient, you are hereby notified that any dissemination,
distribution, use or copying of this message is strictly prohibited. If you
have received this in error, please reply immediately to the sender and
delete this message.

Thank you.

• Next message in Thread: None
• Previous message in Thread: terry.weaver@gsa.gov: "Re: one more item for considerationinself-contained/closed"