CLIENT STORY
Physical access control is a fundamental government security requirement, assuring that only authorized individuals (employees and contractors) can enter government systems and facilities. The federal civilian agency responsible for assisting agencies (both defense and civilian) with federal identity, credential, and access management (ICAM) systems also manages the Federal Information Processing Standard 201 Evaluation Program (FIPS EP) and Approved Products List (APL). The FIPS EP verifies that vendor products used in PIV credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs) meet strict security, functionality, and compatibility requirements.
PACS undergo some 630 Functional Requirements and Test Cases (FRTCs) in order to be approved for placement on the APL, a prerequisite for vendor product sales to the government under the Federal Acquisition Regulation.
PROBLEM
Path discovery and validation (PDVAL) are key elements of the PACS testing process performed by the FIPS EP. APL Test Certificate Authorities (CAs) create the trust paths and host/generate the revocation data required to validate them. FRTC PACS testing employs roughly 30 different certificate trust paths.
When Electrosoft won the PACS Lab management contract, the APL Test CA was hosted on another vendor’s cloud-based platform. In early September 2023, the agency learned that the vendor’s platform would be decommissioned on September 30, 2023. Agency efforts to negotiate new terms were unsuccessful, and the agency looked to Electrosoft for a solution.
Electrosoft faced some extraordinary constraints. First, the APL Test CA had been developed 10+ years ago. No documentation existed, and no personnel connected with its development could be located. Second, and more critical, no one possessed the password to the virtual machine (VM). Thus, it could not be accessed and was essentially a black box. Third, Electrosoft faced a hard deadline of less than three weeks.
Failure was not an option. Vendors rely on the test cards and test paths generated by the APL Test CA to complete FRTC testing and be listed on the APL. Electrosoft needed this VM to continue PACS testing. Government agencies require APL-listed PACS products to keep their facilities secure.
The APL Test CA was a black box with a ticking clock.
SOLUTION
Electrosoft approached this challenge from two perspectives. First, a working version of the existing VM needed to be preserved to ensure uninterrupted revocation testing. Three weeks simply did not afford sufficient time to create another instance, especially absent knowledge of how the VM was coded and operated. Second, Electrosoft needed to devise a methodology for accessing the black box infrastructure so that future program requirements, such as creating new data and employing new test cards, could be met.
Electrosoft opted to migrate the APL Test CA into Electrosoft’s cloud environment on the AWS Elastic Compute Cloud (EC2) computing platform. We harvested all the APL Test CA URLs using an in-house automated tool written for this purpose. We then migrated the VM and updated the DNS to the new public IP address on Azure. We verified that all URLs responded correctly by running a script/crawler designed for that purpose. With no post-migration vendor complaints, an outcome our own testing confirmed, the migration was deemed a total success.
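The harvest-then-verify step above can be expressed as a comparison between a baseline taken before the move and probe results taken after the DNS update. This is an added example, not Electrosoft's tool; the host name, paths, record fields and sample data are constructed, and it assumes the harvested URLs serve CA certificates and revocation data.

```python
import hashlib
import urllib.request
from urllib.parse import urlsplit

# Assumption: these suffixes are static CA certificates whose bytes must not
# change. CRLs are reissued periodically, so only status and type are compared.
STATIC_SUFFIXES = (".cer", ".crt", ".p7c")

def rec(status, ctype, digest):
    return {"status": status, "ctype": ctype, "sha256": digest}

def probe(url, timeout=10):
    """Fetch one harvested URL and return the record that compare() expects."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            return rec(resp.status, resp.headers.get_content_type(),
                       hashlib.sha256(body).hexdigest())
    except Exception:  # DNS failure, refused connection, HTTP error status
        return rec(None, None, None)

def compare(baseline, after):
    """Return (url, problem) pairs; an empty list means the cutover is clean."""
    findings = []
    for url, old in sorted(baseline.items()):
        new = after.get(url)
        if new is None:
            findings.append((url, "not probed after migration"))
        elif new["status"] != old["status"]:
            findings.append((url, f"status {old['status']} -> {new['status']}"))
        else:
            if new["ctype"] != old["ctype"]:
                findings.append((url, f"content type {old['ctype']} -> {new['ctype']}"))
            path = urlsplit(url).path.lower()
            if path.endswith(STATIC_SUFFIXES) and new["sha256"] != old["sha256"]:
                findings.append((url, "static artifact bytes changed"))
    return findings

# Constructed sample data (hypothetical host and paths, not from the page).
HOST = "http://testca.example"
BASELINE = {HOST + "/crls/root.crl": rec(200, "application/pkix-crl", "a" * 64),
            HOST + "/aia/issuing.p7c": rec(200, "application/pkcs7-mime", "b" * 64),
            HOST + "/aia/root.cer": rec(200, "application/pkix-cert", "c" * 64)}
AFTER = {HOST + "/crls/root.crl": rec(200, "application/pkix-crl", "d" * 64),
         HOST + "/aia/issuing.p7c": rec(200, "text/html", "e" * 64),
         HOST + "/aia/root.cer": rec(None, None, None)}

if __name__ == "__main__":
    for url, problem in compare(BASELINE, AFTER):
        print(f"FAIL {url}: {problem}")
```

In a real run, the baseline would be built by calling `probe()` on every harvested URL before the old platform goes away, and again after the DNS change has propagated.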
With a failsafe instance secured, Electrosoft pursued several options to gain access to the APL Test CA. Ultimately, we created an Amazon Machine Image (AMI) of the running system. After transferring the image to the Electrosoft PACS Lab environment in Amazon, we created a new system based on the image. The credentials provided by Amazon allowed us to log in and inspect the environment. We ascertained that all the data was present, and this machine copy worked perfectly.
RESULTS/BENEFITS
Within a seemingly impossible deadline, Electrosoft achieved the improbable. We stood up an instance that allowed the PACS testing program to continue uninterrupted. In the process, we gained efficiencies by migrating the tool to a modern cloud environment. Notably, the transition was seamless; not a single vendor experienced an issue or outage. From the end-user’s perspective, everything operated as usual throughout the migration.
Electrosoft also solved the access problem by creating a new machine copy. Obtaining a key gave us control over its infrastructure, which we are now documenting. We are currently studying its source code and comparing it to some dated code we found on GitHub. This knowledge will give Electrosoft the capability to update and enhance the VM as government needs and requirements change.
By beating the clock on a ticking black box, PACS Lab functioning continued uninterrupted. Some 20+ vendors retained the ability to have their PACS products tested for FIPS compliance and be listed on the APL. Civilian and defense agencies, which can only purchase items off the APL, could continue to procure PACS that safeguard access to their facilities. Last, but not least, an important tool can now be updated and modified to meet government needs well into the future.