FIPS 201 approved products list revamped by GSA
Focus moves from component testing to system interoperability
30 August, 2016
Mixed reaction from stakeholders
The new requirements seem to be a proverbial mixed bag. On the plus side, the systems agencies are deploying are operating properly and securely, but it’s taking significant time for vendors to have their systems tested and placed on the list, costing them sales.
Pentagon getting rid of Common Access Card?
The U.S. Defense Department has been a pioneer when it comes to smart cards in the federal government, first issuing the cards in the 90s. So when the agency’s CIO mentioned eliminating the cards in the next two years, it caught many by surprise.
Pentagon CIO Terry Halvorsen told the 2016 Federal Forum that the agency plans to get rid of the Common Access Card in the next two years and replace it with an “agile,” multi-factor authentication system. The cards would be replaced by “some combination of behavioral, probably biometric and maybe some personal data information that’s set from individual to individual.”
The smart card credential may still be used for physical access, but that would be its sole function. Another reason for the move is so the U.S. can share information with its allies. The Pentagon is working on an identity standard and methodology with Australia, Britain, Canada and New Zealand that would not include the Common Access Card.
A number of smart card industry executives and government officials were caught off guard by Halvorsen’s comments.
Additionally, it would seem to contradict HSPD-12. The directive, signed by President George W. Bush, called for a standard, interoperable credential across all agencies that would be used for physical access to facilities and logical access to computer resources.
The other problem is timing. A behavioral, continuous biometric system, such as the one Halvorsen mentions, would have to go through testing and certification before it could be used by any agency. Development, selection, testing and rollout for such a solution would be a time-intensive process.
Allegion manufactures wall-mounted smart card readers and wireless reader and lock peripherals for physical access control systems that were certified under the first FIPS 201 Approved Products List. When the government progressed to FIPS 201-2, it removed the APL, replaced it with a current approved products list based on FIPS 201-2, and placed all the legacy products on the removed product list. This impeded Allegion’s ability to sell these products on federal projects, says Terry Collins, director of government sales at Allegion.
Since Allegion only provides one component of an overall physical access control system, the company must find partners with the other components to test under the new FIPS 201-2 requirements, Collins says. Allegion is still waiting for its first overall system to be approved – the first of which should be submitted to the GSA later this year.
Vendors must first have a full system available in order for testing to take place. If that full system passes, then Allegion would go on the APL with that specific system. Allegion must have its components tested with other PACS providers as well, which will mean many more testing cycles, explains Collins.
While vendors seemingly have to jump through more hoops, the end result will be systems that work and are more secure, says Lars Suneborn, director of training programs at the Smart Card Alliance. The organization runs the training program to certify physical access control system installers as required by the GSA.
The changes were designed to make sure that the system works with all the components and is truly secure, Suneborn says. The changes brought on by FIPS 201 and the more recent changes from the GSA bring about a shift in how physical access control systems are built and deployed, he says. While procurement officers would previously go down the approved products list and pick and choose components, now they have to choose systems and certified installers.
Progress to date
The Smart Card Alliance has been running training classes for more than a year, Suneborn says. More than 120 individuals have been certified. As for the APL, there are 25 vendors with 27 solutions available for agencies to purchase.
Even though there are certified technicians to install the systems, along with entire systems now available, they still aren’t necessarily being deployed. Educating federal procurement officers on these requirements is the last step, Zivney says. Those in the DC Beltway know about the requirements, but those at smaller facilities outside have no idea. “Unless we train the procurement officers it’s still going to be a problem,” he says.