DHS S&T issues SVIP solicitation for preventing forgery, counterfeiting of certificates and licenses
A new Other Transaction Solicitation Call (OTS), Preventing Forgery and Counterfeiting of Certificates and Licenses, was recently issued by the Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Silicon Valley Innovation Program (SVIP) seeking innovative solutions from startups to enhance anti-forgery and counterfeiting capabilities for digital documentation which involves various biometrics and other Personally Identifiable Information (PII).
DHS said “it is interested in Blockchain and Distributed Ledger Technology [DLT] solutions that address the challenges of interoperable digital entitlement attestations that support individual control and accountability of data release, while incorporating digital counter-fraud technologies and tactics, enterprise lifecycle management, and a high degree of usability across service delivery modalities.”
Across DHS components and the Homeland Security Enterprise, the OTS disclosed “the need to issue entitlements, attestations and certifications for a variety of purposes including travel, training, education, affiliation, organizational identity and delegated authority and more. Current issuance processes are often paper based, non-interoperable, and are susceptible to loss, destruction, forgery, and counterfeiting.”
Consequently, DHS said, it has a hasty “operational need” for Blockchain and DLT, “from a government perspective, [which] holds the potential for enhanced transparency and auditing of public service operations, greater visibility into multi-party business operations, and automation of paper-based processes to improve delivery of services to organizations and citizens,” noting, “There are a variety of challenges that must be overcome to provide an equivalent digital capability that supports the multiple entities that are part of any such process while ensuring security, privacy, interoperability and integration with existing back-end processes.”
DHS said its operational components and programs also “have common needs across their mission sets for potential use of interoperable implementations of Blockchain and DLTs that also support the growth and availability of a competitive marketplace of diverse technology implementations for government and industry to draw upon to deliver cost effective and innovative solutions.”
The five-year SVIP OTS describes the overarching program details whereas the call describes the specific problem set. The solicitation was released in partnership with Customs and Border Protection, US Citizenship and Immigration Services (USCIS), and the Transportation Security Administration, and is the first SVIP solicitation supporting USCIS use-cases.
According to the OTS, “DHS is interested in innovative Blockchain and DLT solutions that address the challenges of interoperable digital entitlement attestations that support individual control and accountability of data release, while incorporating digital counter-fraud technologies and tactics, enterprise lifecycle management, and a high degree of usability across service delivery modalities.”
The new SVIP OTS solicitation “seeks solutions that use Blockchain and DLT to issue digital documentation in a way that prevents fraud, counterfeiting and forgery,” and is “open to startups and small businesses that have not had a government contract in the past 12 months totaling $1 million or more and that have under 200 employees at the time of application.”
“The broad homeland security mission includes the need to issue entitlements, licenses and certifications for a variety of purposes including travel, citizenship, employment eligibility, immigration status and supply chain security,” said S&T SVIP Technical Director, Anil John. “Understanding the feasibility and utility of using Blockchain and distributive ledger technology for the digital issuance of what are currently paper-based credentials is critical to preventing their loss, destruction, forgery and counterfeiting.”
S&T SVIP Managing Director Melissa Oh added, “SVIP is a bridge between the early-stage startup community and the Homeland Security Enterprise. DHS has need of the innovations coming from this community to ensure we are at least a step ahead of national security threats. By releasing this solicitation, we are asking the innovation community to contribute to this work through the application of commercial solutions to homeland security use-cases.”
The new SVIP OTS seeks technical capabilities that could serve the mission needs of one or more DHS operational components and programs including:
• Customs and Border Protection;
• US Citizenship and Immigration Services; and
• Transportation Security Administration.
Specifically, DHS is interested in solutions addressing one or more of the following Technical Topic Areas (TTAs):
• TTA #1: Issuance and Verification of Certificates, Licenses and Attestations;
• TTA #2: Storage and Management of Certificates, Licenses and Attestations; and
• TTA #3: Decentralized and Derived PIV Credentials.
The following is one of the “illustrative use cases … intended to describe where the technologies being sought by DHS … could potentially be applied. DHS is not necessarily seeking the technologies for these specific use cases, but instead are providing them to give some context for interested parties to frame their applications. Responses to this OTS Call may focus on these and/or other potential use cases.”
In this hypothetical scenario, identity documents for travel, “TSA has a responsibility to confirm the identity of each passenger at the TSA security checkpoint and ensure that the identity presented on the digital document matches the identity associated on a confirmed travel reservation. Transportation Security Officers (TSO) currently review credentials (e.g., driver’s license), assess them for possible fraud or tampering, manually match the biographic information on the credential and the boarding pass, and visually compare the photo on the credential to the face of the traveler. This manual process needs to be performed in seconds to prevent creating a bottleneck in the queue and is highly reliant on the judgment of the TSO.”
TSA is currently refocusing “towards electronic authentication capabilities to strengthen this process in support of TSOs.” The application of technologies sought in this OTS could, for example, potentially enhance the TSA capabilities to prove the authenticity and provenance of identity documentation at speed, and ensure that the digital document has counter-fraud protections to:
• Increase the ease of authentication for the TSA;
• Increase capability to identify indicators of tampering or fraud;
• Increase the costs to actors attempting to spoof/fake the credential;
• Limit/decrease the useful lifetime of documents that are counterfeited; and
• Direct Passengers to certain screening lanes by applicable risk-based screening protocol (e.g., trusted traveler program participant, standard traveler, etc.)
Another example illustrated a hypothetical scenario involving USCIS citizenship, immigration, and employment authorization. USCIS administers the nation’s lawful immigration system, and is also responsible for the issuance of documentary evidence of citizenship, immigration, and employment authorization. The application of technologies sought in this OTS could potentially enhance these capabilities by enabling digital representations of those documents that:
• Provide identity protections that allow for disclosure of information under the control of the owner of the credential;
• Provide the ability to remotely manage the lifecycle of the credential (electronic document); and
• Integrate with the current secure issuance processes.
DHS said, “Applicants should consider the illustrative use-cases provided in the solicitation when applying. The proposed solution must be applicable to one, some, or all of the following mission needs:
• Identity Documents for Travel;
• Identity of Organizations and Organizational Delegates;
• Tribal Identity Documents for Travel;
• Citizenship, Immigration and Employment Authorization;
• Cross-Border Oil Import Tracking; and
• Origin of Raw Material Imports.
While DHS noted that, “Blockchain and distributed ledger technologies are still in their infancy,” they also “are currently in a phase where there is an increasing amount of tension between business/system owners, both in the private sector and public sector, and their technology and solution providers.”
“For example,” DHS pointed out, “a technology provider’s desire to gain traction for their particular Blockchain implementation may run up against the business/system owner’s expectation of having an open architecture environment for their systems, rather than vendor-specific approaches to prevent technology lock-in. Technology providers may recommend a replacement strategy to implement their Blockchain, which runs counter to the business/system owner’s desire for innovative technology that integrates with their current business processes and technology to preserve and leverage existing investments.”
DHS warned that, “This potential for the development of ‘walled gardens,’ or closed technology platforms that do not support common standards for security, privacy, and data exchange, would limit the growth and availability of a competitive marketplace of diverse, interoperable solutions for government and industry to draw upon to deliver cost effective and innovative services based on Blockchain and distributed ledger technologies.”
So, DHS said, “While novel and innovative solutions are being sought as part of this [OTS], DHS S&T and its mission partners have over the last 3-plus years conducted extensive R&D, proof of concepts, and community engagement to understand, demonstrate, and champion a path that accelerates the development and usage of specifications and standards to foster a baseline of interoperability, security, and privacy.” And, “As such, this [OTS] will require any proposed solution to incorporate the lessons learned from DHS investments in R&D, specifications/standards, and proof-of-concepts that has resulted in our support for existing and emerging standards-based protocols, data exchange formats, and security policy frameworks to ensure interoperable integration with enterprise systems.”
“There is no expectation” that all holders (a person, citizen or employee that controls a Digital Wallet or Personal Data Store that stores entitlements, attestations and certifications and key management materials); issuers (an authoritative source that is capable of issuing credentials e.g. government agency, employer etc.); verifier (an entity that validates integrity and provenance of the credentials provided by the holder and ensures that the credentials asserted belong to and are relevant to that holder); and Blockchain / Distributed Ledger (the infrastructure that supports the public validation of potentially private data, like credentials, without the need to directly store that data), “are managed or operated by a single entity but instead represents an ecosystem that enables a pluralism of operators and technologies to ensure interoperability, encourage diversity, and prevent technology lock-in,” DHS said.
“Providing Application Programming Interfaces (APIs) that are publicly documented, patent free, royalty free, non-discriminatory and available to all mitigates technology and vendor risk to issuers and verifiers while simultaneously providing the technology provider the ability to utilize innovative and possibly proprietary technologies behind the API,” DHS emphasized, saying:
• The holder shall have control over and be accountable for the release of their data (credentials) to the verifier;
• The solution shall provide very high resistance to data deletion, modification, masking or tampering, e.g. show equivalency or better between the digital solution and physical security features currently required for official licenses and certificates;
• The solution shall not have a dependency on a single Blockchain or DLT implementation;
• The identity verification component, i.e., present credential/verify ownership aspect shall use standardized, strong authentication technologies (e.g. FIDO, OIDC etc.) that is at least Authenticator Assurance Level 2 (AAL2) compliant as documented in NIST Special Publication 800-63 Revision 3 (or later);
• The holder should have the ability to selectively disclose credential information with consent;
• The solution should support online and offline presentation of credentials to the verifier;
• The solution should support non-Certificate Revocation List (Non-CRL) based revocation methods (issuer initiated, person initiated, Multi-Sig based and others) that removes issuer dependencies, i.e. “Phone Home Problem;” and
• The solution should support Federal Information Processing Standard (FIPS) compliant cryptographic algorithms for hashing, encryption, digital signatures, random number generation, and any other relevant cryptographic operations that are performed as part of the solution.
“In order to make sure the project is on target and meeting relevant milestones and deliverables,” the OTS stated, “the awardee will provide Monthly Project Status Reports, due at the end of the reporting month. In addition, a telephone conference call will be conducted each month to discuss project status and any issue/concerns/problems, questions that the awardee may have. Applicants should [also] consider the illustrative use-cases provided in the solicitation when applying.”
The solicitation and current operational needs within DHS S&T and partnering components will be discussed at an Industry Day on December 11, 2018, in Menlo Park, California.
Companies participating in SVIP are eligible for up to $800,000 in non-dilutive funding over four phases. Participation in SVIP does not ensure procurement contracts with DHS or its components.