A review of PIV-I physical access control at ASIS
06 October, 2009
category: Contactless, Corporate, Government
By Salvatore D’Agostino, IDmachines
IDmachines spent time with dozens of vendors of physical access control products, systems and related system integrators at the recent ASIS 2009 event in Anaheim, Calif.
This is an ongoing exercise that IDmachines conducts several times a year and has been doing so for nearly four years–or as long as the standard has existed. In a nutshell, FIPS 201 and HSPD-12 are now mainstream requirements that drive the solutions being developed in the marketplace.
I’ve pointed out that there exists a wide range of performance provided by vendors who claim they meet the FIPS 201 specification. As the number of vendors who support the standard grows this remains the case.
The big difference is the number of vendors and integrators that finally realize that supporting the standard matters. As a result, there exists a wide range of conformity to the specification, and to the related security and assurance levels, interoperability and trust that are described in the related NIST special publications.
When I first started asking the physical access control world about how they support HSPD-12 and FIPS 201 several years ago, most of them looked at me as if I were from Mars. A year ago there still existed many vendors who thought IDmachines was focused on an edge issue.
The big deal at this ASIS conference was that every single vendor knew something about the question being asked. Even those that did not support the standard knew about it and in most of these cases intended to support it.
This is not surprising since millions of credentials that leverage this standard have been issued in the last year. And a number of commercial sectors have adopted the standard in the last year. I am sure that a year from now there will be even greater breadth and depth to the standard’s adoption.
Two other things for now
First, it is still incredibly surprising that some major vendors of access control systems and reader technology either still do not support the standard at anything other than a basic (read dangerously low) level of assurance and/or still lack the domain expertise to understand how to meet/address the recommendations for the use of PIV credentials. In some cases the “second tier” of providers has passed the major players in the extent of their solutions and knowledge.
Second, there still exists a lack of understanding of the differences between PIV, TWIC and PIV-I among major vendors.
IDmachines ran into multiple cases, including major vendors, where the claim was made that TWIC solutions address the needs of PIV cards, and that because they can implement the higher TWIC assurance levels they can do the same for PIV. In most cases those making false and broad claims about the applicability of their solutions also failed to understand the difference in establishing trust among credential issuers.
There is a failure to understand the difference between a TWIC solution–which is monolithic–and PIV and PIV-I, which are at times federated. A future entry will drill down on this subject.