Problems plague government physical access deployments
GSA: Out with individual product approvals, in with ‘system’ approvals
11 June, 2013
Too little too late?
The changes being considered aren’t going to alleviate the problems with existing systems. With the OMB mandate many agencies upgraded physical access systems and many experienced problems rooted both in how they selected systems and how they used the existing approved products list.
“People need to be educated on what the approved products list means,” says Geri B. Castaldo, vice president of business development for Federal Identity at Codebench Inc., an HID Global Company. You can’t just buy one piece off that list; it doesn’t get you compliant with HSPD-12. “It leads you down the path but doesn’t mean your system is compliant.”
Agencies need to look at the physical access control system deployed and then go to the manufacturer or systems integrator to find out what they need to do to make the system compliant, Castaldo explains. While integrators in the DC area are familiar with FIPS 201, she says problems often arise when dealing with those outside the Beltway who are not as familiar with the specification.
Problems can also arise with the credentials themselves. The cards might be expired, on the revocation list for some reason or not encoded properly, Castaldo says. “In many cases these cards have been out there for a while but are being checked (or used) for the first time,” she says.
Gemalto has been dealing with a myriad of complaints about cards not working when physical access systems are upgraded, says Neville Pattinson, senior vice president for government programs at Gemalto. There are numerous reasons the systems might not be working, but often the first call is to the card vendor. Gemalto has a list it sends to agencies when these problems arise to determine whether it’s the card or the physical access system.
One problem is that agencies assume they can just swap out the reader and be ready to go, but this is not always the case. “The entire system might have to be upgraded – software, card readers and firmware,” Pattinson says.
There’s always a possibility that the entire system won’t have to be upgraded, but a site survey is necessary to find out what needs to be done.
The physical access controllers could pose another problem. If the agency is migrating from prox to contactless smart cards, the amount of data these controllers have to handle is much greater, Pattinson explains. The system may work fine for a while, but as more employees are enrolled they could be dropped off the list as the controller’s library fills.
In response to the issues arising from physical access systems and credentials, the Smart Card Alliance released a white paper with tips on how to troubleshoot such problems. “This document categorizes observed symptoms, lists some probable causes, and suggests corrective actions as well as some basic troubleshooting techniques that may easily be performed on site,” the paper states. “This white paper is intended to help users diagnose the cause of the different issues and quickly identify corrective actions. The goals of the recommended procedures are to minimize interruption of daily operations and reduce the need to replace system components such as cards and/or readers.”
The reported usage difficulties with PIV cards and contactless readers covered in this white paper include:
- Intermittent operation, such as the reader not reading the PIV card or only sometimes reading the card
- The card and card reader interaction producing inconsistent numbers or a non-compliant data stream
- The reader shutting down after unsuccessful attempts to read the card
- The physical access systems failing to register some cards
The possible errors and issues associated with the system’s reading of the credentials can be numerous and obscure. There can be installation issues where the card reader is mounted too close to metal beams or on other metallic objects. Metallic objects may cause radio frequency reflections and distortions that have a greater impact on PIV cards, which operate at 13.56 MHz, than on legacy proximity cards that operate at 125 kHz.
There are also training issues for cardholders. A frequent complaint is that a card is not working when in reality it is simply not being used properly. Prox technology typically works quickly when the card is placed near the reader, but contactless smart cards may require a bit more time and proper alignment in the reader’s field to complete the transaction.
With changes coming to the approved product list and a new FIPS 201 specification expected in 2013, it’s going to be interesting to see how agencies negotiate these issues.
“This has to be managed carefully,” Pattinson says. “We don’t want to see another round of frustration when cards are working one day but not the next because of a system upgrade.”