Smart Card Alliance and Security Industry Association both working to educate and impact federal government smart card efforts
With about a year remaining before federal agencies have to comply with the FIPS 201 standards, the Smart Card Alliance has come forth with a 43-page white paper describing some of the issues involved and the work that remains to be done. It’s called: FIPS 201 and Physical Access Control: An Overview of the Impact of FIPS 201 on Federal Physical Access Control Systems and is available at the SCA web site.
The paper provides a roadmap to the key specifications that federal agencies need to consider in implementing FIPS 201 compliant physical access control systems (PACS). The paper also provides an overview of some essential but unresolved questions.
While FIPS 201 and its associated special publications define many aspects for an interoperable federal identity card, the standard also provides a variety of options for implementation and permits individual agencies to define their own approaches to meeting agency-specific access requirements. The new Smart Card Alliance white paper provides guidance to agencies on how the new PIV card should be used in physical and logical security, how the standards compare to previous specifications, and what aspects of the specifications are still open that might affect an agency’s implementation.
As the white paper says in its introduction, “Logical and physical access control functions have been separate domains managed by different personnel implementing related but uncoordinated policies. As a result, the architecture, equipment, and identity verification requirements were independent and oriented toward their specific functional goals. The staff was trained and experienced in different security skills, with the physical access control system (PACS) typically managed by security personnel and the logical access control system managed by the IT department.
“Today, however, logical and physical access control systems are beginning to converge. Verifying the identity of individuals both within an organization and among different organizations has become critically important…A prime example is (HSPD-12)…which mandates the establishment of a standard for identification of Federal Government employees and contractors. HSPD-12 requires the use of a common identification credential for both logical and physical access to Federally-controlled facilities and information systems. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.”
While this “convergence of logical and physical access control functions required by HSPD-12 benefits agencies in many ways…it also raises a unique set of challenges. In particular, combining physical and logical access on a single credential requires agencies to address issues that were handled by separate functional groups in the past.”
According to the SCA white paper, one of the unresolved issues–key to practically any physical or logical access control system–is the biometrics component.
“The format for prescribed fingerprint data is still undecided,” the SCA document points out. “If the decision is made to store interoperable fingerprint templates on the PIV card, these templates would provide an appropriate interoperable biometric technology to use for rapid authentication in a PACS (physical access control system).
“But, the paper added, “It is important to remember that Federal agencies and departments are not precluded from implementing any alternative biometric data formats and modalities that may be required for their unique physical access control operations and do not need to be interoperable with other agencies.”
John G. Moore, program analyst for GSA and chair of the Federal Smart Card Project Managers Group in Washington, D.C., explained it this way: Remaining (biometric) issues include whether smart cards should contain fingerprint images which are more based on law enforcement requirements or templates that are more directed at access to buildings and computers.
Besides biometrics, there are “other areas in which work is still needed,” according to the SCA document:
A Cardholder unique identifier (CHUID) definition. Work is continuing here, with “key open items” including “use of the expiration date and additional data elements that may be required. The paper warns that “agency PACS implementations may be affected by any changes to the CHUID definition.”
Another work in progress is “post-issuance updates,” or defining policies for updating PIV cards after the cards are issued. “Key issues include policies for writing data to the contactless interface and for writing data to a PIV card issued by a different agency,” the report says.
Revocation processes. “A variety of approaches can be taken to implement PIV card revocation depending on the capabilities of an agency’s PACS. How revocation is to be handled across multiple agency systems is a major consideration during implementation.
“Acquisition process. Both OMB and GSA have outlined the acquisition process, with guidance to agencies about the use of End Point and Transitional products and services (as defined in NIST SP 800-73).
End Point vs. Transitional products. Says the white paper: “Agencies need to be aware of whether they are using End Point or Transitional card systems when they implement their PACS to ensure that the system meets their needs. Card and reader vendors are now making Transitional products available and are working toward End Point products as End Point system specifications are finalized. Physical access control system vendors have also begun the process of implementing FIPS 201, focusing on Transitional smart cards. As FIPS 201 End Point cards are better defined and other specification ambiguities are resolved, PACS vendors will move to meet the requirements of End Point cards.”
The SCA also points out that FIPS 201 is affecting state and local governments, which “are being encouraged to adopt the provisions of FIPS 201, and businesses that provide goods and services to the Federal government will find that a substantial segment of their workforce will need to be credentialed.” SCA points out that just in the last two years, HSIP12large companies like Boeing, Microsoft, Sun Microsystems, and Johnson & Johnson “have been migrating toward the use of smart cards for both physical and logical access control authentication. Other enterprises have watched their progress carefully and are now planning their own implementations.
” In other words, this shift towards identity authentication “is forcing a convergence of physical and logical access, requiring the adoption of new processes and technologies and forcing organizations to rethink their approach to managing access and authentication,” the SCA white paper says. “It is critically important for industry and customers to work together to develop and implement standards-based solutions that address the new market realities and facilitate this transition.”
The SCA’s Physical Access Council, which is responsible for the FIPS 201 white paper, has created a resource on SCA’s web site that will provide up-to-date information about FIPS 201.
Security Industry Association creates working group to address HSPD12
The influential Security Industry Association launched its PIV Working Group in effort to educate security manufacturers and others to the impacts and opportunities of HSPD12 and FIPS 201.
The group will “provide a resource body of Security Industry man-ufacturers to Federal Government agencies and departments to expedite and influence the availability of Commercial Off the Shelf (COTS) products. Additionally, this liaison will provide timely com-munications and insight for SIA members so they can quickly de-sign and produce COTS products that meet or exceed the relevant standards.”
The working group’s chair, Rob Zivney, Hirsch Electronics, com-mented that “as IT and the physical access communities become more and more intertwined, the PIV Working Group (will provide) a voice within the federal government on a very important issue.”
The initial goals of the group include the following:
- Establish task forces within the working group to provide focus on specific areas of technology, such as Biometrics; Contact and Contactless readers and cards; Access Control Panel databases and interfaces; Standards for data exchange between PACS and IDMS.
- Ensure GSA procurement channels are in place so that SIA manu-facturers with Schedule 84 contracts can participate with the PIV opportunities now assigned to Schedule 70.
- Engage SIA membership, Federal Government agency and depart-ments, and contractors to the federal government as members of the SIA PIV working group.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.