Much has been done but still a long way to go
It also helped cut the costs of smart cards and associated products while creating standards for interoperability. “They’re basically a commodity these days. As we look to expand the identity ecosystem, more offerings should look like the PIV, with a wide range of standards-based products readily available and supported by many companies,” Grant says.
The impact on the smart card industry has been profound. “Prior to HSPD-12, there was no standardized way to source smart card credentials from multiple manufacturers and have them be issued by multiple, trusted issuance parties that would be interoperable in access control systems for multiple security services, like door access, network log-in, and encrypted email,” Vanderhoof says.
HSPD-12 went on to enable non-federal agencies to issue PIV-I cards, which extended trusted credential use to contractors, first responders and state governments.
Grant often cites a single statistic – the 46% drop in network intrusions at the Defense Department – to show how the use of smart cards for logical access can help an agency. This statistic shows what strong authentication beyond user names and passwords can do for an enterprise, and it is a key driver behind the National Strategy for Trusted Identities in Cyberspace.
While HSPD-12 was all about securing government networks and facilities for employees, the national strategy looks to put some of that capability in the hands of consumers and relying parties. “People often ask why we don’t take this PIV smart card technology and use it everywhere. On the consumer side it’s been harder to package strong authentication in a form that a consumer, retailer or other enterprise would be willing to use,” Grant explains. “Part of our challenge is to look at those barriers and partner with the private sector to overcome them.”
Challenges and skeptics still abound
Some of these barriers still exist within federal agencies that are supposed to be using the smart cards. A decade later some agency IT officials still look at smart cards as a waste, says one government source. “There’s been incremental progress but not a wholesale embrace of PIV,” the official says. “Some agencies just don’t want to do it.”
Everyday use cases for the credentials still don’t exist for many agencies. “Building out the security infrastructure that uses the PIV for everyday transactions has proven to be the most difficult part of this transition,” Vanderhoof says. “Getting the physical and logical access control systems updated and functioning remains a work in process. It has been tough to overcome the complexity that a full PKI-based security architecture requires when budgets are restricted by ongoing spending constraints.”
This constraint exists even after a mandate from the White House Office of Management and Budget in 2011 called for all new physical and logical access control systems to be FIPS 201-compliant. Skeptics suggest that though budgets have been tight, there has been a long enough time to start rolling out systems.
There’s hope that adding derived credential functionality might be able to break down the obstacles and have the credentials used more for logical access tasks. “Outside of DOD we don’t have comprehensive use of PIV for logical access and that could be the biggest disappointment,” says Neville Pattinson, vice president of government affairs and business development at Gemalto North America.
Some agencies are using the credentials for limited logical access functionality but the majority of use, outside of the Defense Department, is for physical access, Pattinson says. “It’s a tragedy that the PIV isn’t used internally for access to their systems,” he adds.
The latest version of FIPS 201 might change this with the virtual contact interface, which expands contactless functionality, as well as new support for derived credentials on mobile devices. “Once we have derived credentials it will enable use of digital credentials in many different ways,” Pattinson explains. “People are moving to mobile and tablet and once we have the derived credentials there will be a huge uptake in logical access.”
Though most agree that FIPS 201 has made great technological strides toward interoperability, policy challenges across agencies have kept true interoperability elusive. If an employee goes to work at another agency, instead of having their existing PIV enrolled into the other agency’s identity management system, they are issued another credential, Pattinson says. “The credentials are viewed as site based,” he adds.
A lot has been accomplished in 10 years, and more still remains to be completed. While the standardized smart cards don’t have the use cases everyone would like, they have instilled a new security culture in federal agencies. Hopefully in the next 10 years increased applications and security will be the norm for federal employees.