FIPS 201 approved products list revamped by GSA
Focus moves from component testing to system interoperability
30 August, 2016
category: Corporate, Government, Smart Cards
Mention certification, product testing and the approved products list to those in the smart card and physical security markets and executives will likely bristle. "Time consuming and expensive" is the common refrain when it comes to the product testing needed in order to be placed on approved product lists from the federal government.
The new requirements seem to be a proverbial mixed bag. On the plus side, the systems agencies are deploying are operating properly and securely, but it’s taking significant time for vendors to have their systems tested and placed on the list, costing them sales.
Vendors have had to go through these steps since FIPS 201 was released almost a decade ago. Agencies wanted assurances that the products they purchased from different vendors would work together and throughout the enterprise. For example, a credential issued at a GSA office in Chicago should be able to work at a GSA facility in Washington. This testing required vendors to hire an independent lab to test the products against the specification. This cost thousands of dollars and took a considerable amount of time.
Originally, the approved products list tested each component to see if it met the specification. This led to problems when different pieces were put together, says Rob Zivney, senior consultant at Identification Technology Partners. “People would buy the components, put them together and they wouldn’t work,” he explains.
In response to the problem the General Services Administration, which managed the approved products list, changed how testing is done for FIPS 201. Now, instead of testing individual components, testing is done to make sure parts work within an entire system. The GSA also mandated that physical access system installers become certified to reduce problems when systems are deployed.
Will GSA’s new approval process push PIV-I in the enterprise?
More than a decade ago it was a commonly held belief that the smart cards and systems deployed by the federal government would be used in private enterprises across the country. For the most part the crossover hasn’t happened.
PIV-I – the standard for non-federal employees – is being used by some of the largest government contractors, but the use of FIPS 201 systems outside of federal agencies and contractors hasn’t gained widespread traction.
Enterprises already have physical access control systems in place; they work well, and most don’t see a need to rip and replace them with a more expensive, complex system, says Rob Zivney, a senior consultant at Identification Technology Partners.
Zivney and other industry insiders were less than optimistic that these changes to FIPS 201 and the approved products list will have much impact. In general, most agree that the approval effort is crucial for federal agency business but is unlikely to show large rewards outside government.
This type of certification for PACS vendors was established due to federal agencies providing us feedback that installers didn’t know how to configure the PKI correctly in PACS systems when doing the installation, says Chi Hickey, director of Testing and Procurement of the Identity Assurance and Trusted Access Division in GSA’s Office of Government Wide Policy. The certification covers OMB policies, FICAM roadmap and guidance, PKI, certificate validation and other information.
Changes were overdue
The updates to the FIPS 201 Evaluation Program began in 2012 in response to the publication of the Office of Management and Budget Memorandum M-11-11, Hickey explains. The new program not only tests products and services for conformance with FIPS 201 requirements, but also tests products for alignment with the Federal Identity Credential and Access Management (FICAM) roadmap and guidance.
Prior to 2012, the FIPS 201 Evaluation Program relied heavily on self-assertion with checks by vendors and independent labs rather than functional security and penetration testing conducted on the systems. No interoperability testing was conducted between products, so there was no indication of which listed products worked with each other. There were also limited functional requirements, outdated testing standards and insufficient categories.
The revamped Evaluation Program tests products related to physical and logical access control systems that interact with the PIV, the Defense Department’s Common Access Card and PIV-I cards to determine whether the products are conformant with the FIPS 201 standard.
The Approved Product List (APL) is the official list of products that have passed testing and have been approved by the Evaluation Program. The Evaluation Program and the APL are designed to help vendors as well as industry, federal, state and local stakeholders: GSA’s goal is to help the industry as a whole understand the requirements and to help federal agencies find conformant, secure and interoperable products.
The GSA has made efforts to streamline the process to have products approved for the APL, Hickey says. Applicants who want to have their product or service evaluated go to the GSA web site, register and obtain information regarding the evaluation process.
The applicant fills out forms and submits an application package to the evaluation program. The program then schedules testing and, when possible, the office works with the applicant to resolve issues identified during testing. Upon passing the testing process, the product or service is listed on the APL.
The GSA started communicating with vendors about the changes in 2012 and early 2013, Hickey says. “The vendors were significantly impacted and GSA recognized that, therefore the GSA Office of Government Wide Policy is currently funding the testing for PACS systems,” she explains. “Usually, when a vendor applies to get a product certified for FIPS 201 testing, they pay for it out of their own pocket. Since GSA recognized the impact it would have to the vendor community we are paying for the testing instead.”
The GSA also created a communication strategy and received buy-in from all stakeholders – vendors, industry and federal agencies – about implementing this new end-to-end system testing. Drafts of the functional requirements and test case documents were distributed to the stakeholder community, and vendors and industry weighed in. “We incorporated a lot of their comments to include different topologies for PACS to not stifle vendor creativity, but ensure that as long as the PACS met the functional requirements and test cases it passed,” Hickey adds.