
Federal Trade Commission

Operational Research Consultants, Inc. (ORC) was engaged by the U.S. Federal Trade Commission (FTC) to deploy and implement a managed service for assuring the identity of users and issuing credentials in the form of a Personal Identity Verification (PIV) card by the HSPD-12 deadline.

This managed service allows the FTC to protect access and comply with HSPD-12 as defined by the Federal Information Processing Standards (FIPS) 201 specifications developed by the National Institute of Standards and Technology (NIST).  FIPS 201 describes a PIV system with printed and electronic components that include personal identity proofing, registration, credential issuance and management. It also provides detailed technical specifications to support interoperability among federal departments and agencies.


HSPD-12 required federal agencies to begin issuing compliant security cards in October of 2006, and ORC developed and began implementing a managed service that allows the FTC to implement personal identity verification services that are fully compliant with HSPD-12 and FIPS 201. “The FTC needed an outsourced solution, and ORC developed the back-end services for supporting HSPD-12 and FIPS 201 compliance,” said Daniel E. Turissini, CEO of ORC. “We’re hosting card management and the identity management system, and are the FTC’s Shared Service Provider (SSP) for Public Key Infrastructure (PKI).”

ORC prepared the engineering changes and documentation necessary for ORC’s hosted PIVotal ID© Card Management System (CMS) to interface with the FTC for enrollment in accordance with FIPS 201 and the Federal PKI Common Policy Framework (FPCPF). This solution enables the FTC to issue PIV credentials and provide ongoing management of the PIV credentials throughout their lifecycles. ORC began the implementation in October 2006 and is issuing PIV credentials to the first 450 employees. The current contract includes support for up to 2,500 subscribers.

The FTC opted for a managed service so that it could swiftly support HSPD-12/FIPS 201 compliance while protecting access and making efficient use of its IT budget. “The FTC performed a return on investment analysis and concluded that it could most efficiently meet its security goals by selecting an outsourced solution,” stated Turissini. “The FTC has a small, highly focused IT organization and saw the efficiency in selecting a managed service from a proven integrator authorized to issue PKI-compliant certificates.”

As one of only two U.S. government-approved External Certificate Authorities and the recent recipient of U.S. General Services Administration (GSA) SSP approval, ORC is a well-established and trusted partner to U.S. federal agencies.  Turissini said, “It is a privilege to provide the trusted services necessary to fulfill FTC’s HSPD-12 requirements. We provide an efficient solution at an economy of scale that ORC is confident many other agencies will embrace and appreciate.”

ORC deployed RSA® Card Manager and RSA Certificate Manager on its internal servers, and established a secure Virtual Private Network (VPN) connecting ORC to the FTC’s enrollment center. The FTC performs all the necessary vetting of personnel, defines role-based access privileges and enters the information into a Web-based interface.
Once FTC personnel have completed the enrollment for an employee, RSA Certificate Manager is accessed to issue certificate-based credentials tied to that employee’s identity. RSA Certificate Manager integrates with RSA Card Manager, allowing FTC personnel to print the “PIV cards” locally and distribute them to employees. Each smart card contains a photo ID and the electronic credentials assigned to the user; privacy protection is provided by the ORC infrastructure and powered by technology from RSA, The Security Division of EMC.

RSA Card Manager software is a smart card management solution designed to manage the entire smart card lifecycle and it serves as the central hub for integration with other critical components of a smart card-based identity and access management strategy. It enables the FTC to implement card-based identity management, provisioning and policy enforcement and addresses the entire smart card credential lifecycle. “The FTC performs the enrollment for each user and we issue and manage the credentials,” said Turissini. “RSA Card Manager allows the FTC to print the secure smart cards locally, and integration with RSA Card Manager allows us to centrally manage digital certificates throughout the lifecycles of smart cards.”

By selecting a managed service, the FTC was able to minimize capital costs of the solution and begin implementing a smart card system without disruption to its existing security infrastructure. “RSA provides two critical technologies that enable this managed service,” said Turissini. “RSA Card Manager allows the FTC to implement local enrollment and then port the information over a secure VPN, and RSA Certificate Manager allows us to perform lifecycle management of digital certificates and keys so the FTC can protect both physical access to its facilities and logical access to its applications and information.”