GSA: Out with individual product approvals, in with ‘system’ approvals
HSPD-12 was first signed more than eight years ago and since then some 5 million credentials have been issued to federal employees and contractors. Few would argue that the credentials are prevalent, but many bemoan the level of utilization.
Two years ago, the White House Office of Management and Budget – the agency tasked with policing HSPD-12 progress – issued a memorandum mandating use of systems that comply with the credentials. Known simply as M-11-11, the memorandum stated that any new systems used for logical or physical access must use the PIV credential.
In 2012, federal agencies began to deploy physical access control systems that use the PIV credential; however, the implementations have not been without problems. The deployed physical access control systems don’t always work with the credentials, and this has led to finger pointing between card manufacturers and physical access providers.
While the fault can be shared by all parties including the agencies that deployed the credentials, the larger issue lies with the General Services Administration’s Approved Products List for FIPS 201.
It seems that while individual products may be compliant in a standalone environment, some cease to function when implemented alongside other components. This has forced the GSA to rethink the way it evaluated products for the list. Instead of testing individual components for compliance, the GSA plans in the future to test the interoperability of entire systems.
Defining the terms
HSPD-12 is the Homeland Security Presidential Directive, signed by President George W. Bush in August 2004, that called for a common identification standard for all executive branch employees. The common credentials are to be used for access to physical facilities and computer networks to thwart terrorist attacks and prevent identity theft.
The National Institute of Standards and Technology created the FIPS 201 standard to help agencies meet HSPD-12. It is the technical specification for credentials used by executive branch employees and is accompanied by numerous special publications that define different parts of the credential.
Personal Identity Verification – or PIV – is the name FIPS 201 gave to the specific credentials issued by federal agencies to employees. PIV and PIV cards adhere to and rely upon the FIPS 201 standard in order to meet the mission laid out by HSPD-12.
The GSA FIPS 201 Evaluation Program is being migrated to the Federal Identity, Credential, and Access Management (FICAM) Testing Program with a “spiraled” approach, according to a statement from GSA.
The first spiral will focus on enhancing the physical access control system categories. Four new categories will be added to the program: Transitional Reader, FICAM Reader, Head-end and Validation System. The Testing and Approval procedures for the four categories are under a review and evaluation process by federal agencies, vendors that belong to the Smart Card Alliance Access Control Council and the Security Industry Association.
The Identity Credential and Access Management Steering Committee is working on a document called PIV in E-PACS that will provide a set of security controls that the GSA FICAM Testing Program will use as its security baseline for Federal physical access systems.
The goal of the FICAM testing program is to provide an all-encompassing evaluation capability so that agencies can select products for a federated and interoperable architecture.
The objectives of the FICAM testing program are to:
- Provide a common government-wide testing capability for ICAM products and services
- Provide compliance, consistency and alignment of commercially available products and services with the requirements and needs of government implementers
- Ensure availability and choice among vendor products to support different ICAM components
- Coordinate interaction and coordination with the vendor community to improve the inclusion of ICAM requirements into product offerings
- Promote cost effective ICAM implementation with qualified products and services that perform successfully.
A timeline on when the Identity Credential and Access Management Steering Committee will release the guidance and when the new testing protocols will go into effect has not been released by the GSA.
These changes are going to help, but it will be a while before the full effect is noticed. It will most likely be 2014 before the new FICAM testing protocols are completed, and only then can vendors begin the process of testing systems.
Throwing another wrench into the works is that a finalized draft of the revised FIPS 201 standard is also due in 2013, sources say. The first FIPS 201-2 draft was released in 2012. It proposes significant changes for physical access that include deprecating the cardholder unique identifier – which has been the primary identifier for physical access – and requiring additional digital certificates to be verified. A new draft of FIPS 201-2 is expected to be released in early 2013.