DHS seeks reach-back tech for fielded rapid DNA systems; ICAM on-the-fly
To strengthen its multimodal biometric collection for enhanced border security and the prevention of human trafficking and smuggling, the Department of Homeland Security (DHS) is seeking development of “an accredited DHS reach-back capability to review results from fielded rapid DNA systems using the Office of Biometric Identity Management (OBIM) DNA Store/Match/Share (SMS) capability” under a new Small Business Innovation Research (SBIR) Program Solicitation by DHS’s Office of Procurement Operations on behalf of the Science & Technology Directorate (S&T) and the Countering Weapons of Mass Destruction Office.
Meanwhile, another SBIR solicitation seeks the development and demonstration of an Identity, Credential, & Access Management (ICAM) solution that will allow all first responders supporting a multi-jurisdictional event to safely and securely share information, including Personally Identifiable Information (PII).
S&T developed rapid DNA technology under a prior SBIR program “to provide family relationship verifications in the field, a capability that no other biometric provides,” the new solicitation explained. “Rapid DNA is an innovative technology that reduces the testing and analysis time for DNA from the classical three to six months down to 90 minutes using a printer-size portable device. Rapid DNA also internally analyses the DNA profiles and with OBIM Store/Match/Share software can verify family relationship claims of biological relatedness (kinship). This has direct application to improving processes and reducing fraud in immigration, human trafficking/smuggling at the borders, and for reunification of families following a mass casualty event. This SBIR topic builds on the established rapid DNA capability, adding the necessary capability to provide for reach-back review of rapid DNA results in an accredited environment.”
The statutory purpose of the SBIR Program is to strengthen the role of innovative small business concerns in federally‐funded R/R&D in order to: stimulate technological innovation; strengthen the role of small business concerns in meeting federal R/R&D needs; foster and encourage participation by socially and economically disadvantaged small businesses (SDBs) and by women‐owned small businesses (WOSBs); and increase private sector commercialization of innovations developed through federal R/R&D, “thereby increasing competition, productivity, and economic growth.” Consequently, under the new DHS SBIR solicitation, appropriate businesses are asked to submit innovative proposals.
DHS, the Department of Defense (DOD), and FBI began conducting the “Rapid DNA” initiative in 2015 to “focus on developing and integrating commercial products that can fully automate the creation of a DNA profile from a buccal swab within 2 hours. Rapid DNA includes the goal of initiating biometric enrollment and identity matching while a suspect is in police custody during the booking process.”
While the FBI had already established a Rapid DNA Program Office in 2010 to facilitate development and integration of rapid DNA technology for use by law enforcement in conjunction with DOD, National Institute of Standards and Technology, National Institute of Justice, and other federal agencies “to ensure the coordinated development of this new technology among federal agencies,” the Rapid DNA Act of 2017 (Public Law 115-50) authorized the FBI director to “issue standards and procedures for the use of rapid DNA instruments and resulting DNA analyses.”
The FBI said at the time that, “Now that the law is in place, the Bureau will be working toward the testing and implementation of this new technology and is poised to deliver the capability to process a rapid DNA upload and search in the CODIS software within 2018. The FBI anticipates testing of components to begin in 2019. Integration into the booking process of states that are authorized to collect DNA samples at arrest, as well as the federal system, will follow.”
The FBI began “working with the Scientific Working Group for DNA Analysis Methods (SWGDAM) and other stakeholders to develop standards and procedures for the FBI approval and operation of the rapid DNA systems in booking agencies. The Bureau recognizes that National DNA Index System (NDIS) approval of the rapid DNA systems and training of law enforcement personnel using the approved systems are integral to ensuring that rapid DNA is used in a manner that maintains the quality and integrity of CODIS and NDIS.”
Today, however, DHS said “S&T has had a significant role in developing, overseeing, testing and evaluating the rapid DNA technology, and it is now commercially available and ready to be implemented. Better than 90 percent of the time rapid DNA produces a DNA profile capable of supporting a match and the instrument returns a green checkmark. But the remaining 8 percent of the time, the profiles receive either a yellow or red flag, and need to be reviewed. Some of these yellow or red flags are due to issues with the DNA profile that will not impact the kinship analysis, and some are due to processing issues by the technology. Either way, DHS needs an ability to reach-back to a DNA analyst to review the DNA profiles and to re-run a DNA sample when necessary. The DNA analyst and the facility also need to be accredited so that the fielded rapid DNA results and those of the reach-back capability are shown to be repeatable and accurate to stand up in court, if challenged.”
According to the SBIR solicitation, Customs and Border Protection’s (CBP) Laboratories and Scientific Services Directorate (LSSD) “has multiple regional laboratories and satellite offices for the processing of multiple forensic sample types, but does not currently have a human DNA laboratory.” Therefore, under the SBIR solicitation, DHS said, “We are seeking any innovative/alternative solutions that would provide a reach-back capability for fielded rapid DNA systems, anticipating that the developed solution would ultimately transition into the LSSD laboratory for long-term operational support to DHS field components.”
According to DHS, its “research into potential reach-back solutions [will] need to address the analysis of innovative or potential solutions to provide reach-back support for rapid DNA; the interface an analyst uses to review and annotate rapid DNA field results; the use of DNA data sharing standards; the accreditation of the reach back capability; location/staffing/costs for the reach-back capability; and, the eventual transition of the new capability to DHS LSSD facilities.”
Once alternative reach-back solutions are proposed, DHS said “a pilot solution would be developed to implement the reach back capability” that “would include specifying and acquiring the appropriate technology; developing the detailed documentation to establish and maintain accreditation; researching and developing training materials; establishing performance metrics and risk mitigation recommendations and measurement plans; and, addressing access and privacy protection solutions.”
Under Phase I of the program, potential offerors “shall research” the viability of providing a reach-back solution for fielding rapid DNA systems.
A Phase I final technical report “shall be submitted addressing the analysis of potential solutions to reach-back support for rapid DNA; the use of DNA data sharing standards; the accreditation of the reach back facility or laboratory; facility location, staffing, costs; and the eventual transition of the new capability to DHS LSSD facilities. In addition to the final technical report, monthly progress reports shall be submitted.”
Phase II will continue the R&D under Phase I to develop “a pilot solution to implement the reach back capability” to include “specifying and acquiring the appropriate technology for an analyst to review and annotate rapid DNA results; developing the detailed documentation to establish and maintain laboratory or facility accreditation; researching and developing staff training materials; establishing performance metrics and risk mitigation recommendations and measurement plans; and addressing facility access and privacy protection solutions.”
DHS expects “deliverables” to include monthly progress reports, a final technical report detailing the developed solutions, and a prototype reach-back capability that connects to at least one government-provided rapid DNA instrument.
Finally, under Phase III, commercial or government applications “would transition the pilot solution into a DHS LSSD laboratory or other government operational” setting that would then provide the necessary ongoing operational reach-back for fielded rapid DNA systems. “All technical and operational policies and procedures would be established and validated and accreditation of the solution would be achieved” to directly assist DHS to establish “DNA as a biometric that supports family relationship testing for immigration, border patrol human trafficking/smuggling prevention, and reunification of families following mass casualty events.”
State and local law enforcement, medical examiners, and disaster preparedness agencies are all evaluating the use of Rapid DNA in their operations. This reach-back capability is necessary in all of those applications to ensure that their solutions are validated and accredited, and that a human analyst has the ability to review the results.
Under the SBIR ICAM solicitation, S&T’s Project Responder Report “identified key capabilities to help first responders be more effective in their mission,” including “the need to securely share information, validate responders from other organizations, and securely maintain records.”
DHS stressed that, “These challenges only increase as responders rely on more data. There is a critical need for responders to securely validate users and share information. Identity, Credential, & Access Management principles can mitigate these challenges.”
According to DHS’s solicitation, “ICAM is a framework of policies built into an organization’s IT infrastructure that allows system owners to have assurance that the right person is accessing the right information at the right time for the right reason,” emphasizing that, “first responders need to safely and securely share information between jurisdictions,” but that “first responder organizations do not currently have federations set up to aid in information sharing.”
“Instead,” DHS said, “during multi-jurisdictional responses, organization[s] might be forced to manually provision an un-vetted new user or take days to vet a new user’s identity and certificates. Lead agencies require quick and secure solutions to vet identities and credentials in real time as well as auto-provision users into information sharing applications.”
The ICAM On-the-Fly solution will “allow new users to show up to assist in a public safety event, bringing their own credential, their own device and the role they are to provide during the event.”
ICAM On-The-Fly must:
• Perform quick identity proofing (e.g. validate that the user is who they say they are);
• Validate applicable certifications and attributes required to access the information to be shared (e.g. EMT Certified, sworn law enforcement);
• Automatically provision (register) new users;
• Be built using open standards to preserve interoperability;
• Be cross platform (iOS/Android) compatible; and
• Recognize a broad array of credential attributes in diverse environments (i.e. multiple types of LDAP, Active Directory, etc.)
During the six-month Phase I period of performance, “the SBIR performer will conduct a technical analysis and propose a development road map for constructing an ICAM On-The-Fly solution.”
The technical analysis must identify the state-of-the-art identity proofing, application validation and automatic provisioning technologies using its own or industry R&D resources. This technical analysis must also identify the technical gaps that the performer will incorporate as part of its proposed solution architecture. “At a minimum,” DHS said, “the performer shall cover the following:”
• Identification of public safety stakeholder requirements;
• Evaluation of current services, tools, and commercial capabilities;
• Determination of open standards and connectors to enable interoperability to maintain compatibility with NIST SP 800-63-3; and
• Develop a roadmap to construct an ICAM On-The-Fly system that must show the steps necessary to produce a minimum viable product (MVP).
The MVP must, at minimum, include:
• A system architecture, inclusive of multifactor authentication using open standards such as FIDO U2F and NIST SP 800-63A (built to at least IAL2: remote proofing);
• A complete set of system policies, including but not limited to, credential attestations to be harmonized across entities, and aggregate and weighted values for credentials being vetted from multiple truth sources; and
• A development work plan clearly demonstrating the path to completion.
The 24-month Phase II period of performance will continue the R&D that began in Phase I, and will deliver a prototype implementation designed to meet the ICAM On-The-Fly needs. The prototype will be demonstrated in test and evaluation in an operational exercise to demonstrate the capability. At a minimum, Phase II should include the following:
• An MVP;
• Build proof of concepts to integrate commercially available products with the MVP;
• Simulate and demonstrate an operational environment; and
• Document implementation guides, lessons learned, and custom code.
“In addition,” DHS said, “deliverables should include monthly progress reports and a final technical report detailing the technical analysis and proposed solution architecture.”
Phase III will consist of commercial or government applications, and may also require further technical development to address gaps discovered during the T&E and further end-user feedback.
“The R&D efforts from Phase III will result in the commercial or government application in which at least one agency will take delivery of the tool and its services. Examples may include:”
• Delivery of the automated tool via network-as-a-service or software-as-a-service to a designated public safety agency for end-user application; and
• A standalone tool delivered to designated commercial or public safety agency with standard tool training and technical support.