The Pentagon’s road to PIV compliance
Defense Department rolling out CAC-enabled physical access
26 March, 2012
Enhancing security at the world’s largest flat office building is a project of immense scale, but the Pentagon Force Protection Agency’s Privilege Management Program has the Pentagon on track to become one of the world’s largest PIV implementations.
Four years ago, the Pentagon Force Protection Agency initiated a system to meet HSPD-12 requirements. Because the Defense Department had a longstanding, well-established credential program, there were significant challenges to implementation. The Common Access Card, the Defense Department’s credential, had been used more for logical access than physical access, with magnetic stripe still used for the latter at most locations. “The Department of Defense is always unique in how it implements federal policies,” says Derek Nagel, access control branch chief at the Force Protection Agency.
The Force Protection Agency is also working on the Pentagon Century project, a five-year effort to upgrade the building’s entire perimeter, says Nagel. This project was developed not only in response to the Sept. 11 attacks but also to other incidents, including a March 2010 attack in which a gunman opened fire at the Pentagon’s entrance.
Along with pushing out the perimeter of the building, the Force Protection Agency is replacing its older turnstiles with full height models, says Nagel.
Even before the Privilege Management Program came about, the Force Protection Agency knew becoming PIV compliant would be a huge undertaking due to the Pentagon’s enormous size. It encompasses 6.7 million square feet and 17.5 miles of corridors. There are 25,000 assigned personnel, more than 1,000 visitors every day and 10,000 parking spaces.
The program will also be implemented at the Mark Center, the Pentagon’s new 6,100-person office complex in Alexandria, Va., says Nagel.
To that end, the Force Protection Agency has undertaken many projects to bring PIV compliance to fruition. It is upgrading the Pentagon Physical Access Control System, which consists of more than 5,000 access control readers and 2,000 access control panels. The old panels didn’t have enough horsepower, says Nagel. “All the panels are being upgraded presently. We are more than a third of the way through,” he says.
Likewise, approximately one-third of the readers have been upgraded with the rest scheduled for completion by April. Additionally, the project involves upgrading the access control servers because they are at the end of their lifecycle, says Nagel.
The new readers will be multi-technology, replacing the current mag stripe technology. The requirement is that they be able to read mag stripes and contactless simultaneously. “All readers we’re installing now have that ability,” says Nagel, explaining that this will enable a seamless transition to using the Common Access Card for physical access.
The Force Protection Agency developed its Privilege Management Program to enable multimodal access. In early 2010, it built a prototype enrollment solution to enroll both fingerprints and iris.
The enrollment solution for ID management aims to bind users to the Common Access Card via a secure biometric indicator, says Nagel.
Testing the system
When the Force Protection Agency first built its biometric access control system and tested it in a lab atmosphere, it was capable of processing only six to seven people per minute using card plus iris or fingerprint. This was unacceptable given the amount of traffic that goes through the Pentagon and Mark Center on a daily basis, Nagel explains.
Refinements brought that number up to ten to eleven people per minute, says Nagel.
This system was delivered in early February 2012 and is being piloted at the Mark Center. The 6,100 employees were enrolled in the system and the Force Protection Agency assigned privileges and access rights. Funding for this phase came from the Biometrics Identity Management Agency, says Nagel.
Lesson learned
The failure to enroll is about one percent for both fingerprint and iris, says Nagel. If they had only used a single modality, about 250 people would be unable to use the system, explains Nagel. That led the group to use a multimodal solution that should result in just two or three failures to enroll out of the Pentagon’s 25,000 population. “Out of 6,100 people (at the Mark Center), we haven’t failed to enroll anyone in at least one biometric,” says Nagel.
Enrolling people into the system takes two to three minutes, says Nagel. The applicant first goes to a kiosk and presents their card to a contactless reader to ensure the interface is operational.
Next the user inserts the card, enters a PIN and gets a PKI validation. The enrollee moves on to face-to-face interaction with an enrollment officer where the officer captures more biographical information and enrolls the biometrics.
To use the system for entering the building, the person walks up to the perimeter turnstile, presents the card and has the option to do either a fingerprint or iris scan, says Nagel. To leave the building, the person will just have to use their card.
Because the Mark Center was a new building, it was simple to make it PIV compliant because they had to order all new equipment, says Nagel.
Phase 2 will use FICAM to automate processes that are manual and tie together disparate systems, like visitor control and parking management, says Nagel. The privilege management program will act as the middleware. “It binds everything back to the Common Access Card,” says Nagel.
Nagel says the Force Protection Agency’s next big project is to roll out the program at the Pentagon. “The Mark Center proved it could be done,” says Nagel. But he explains the Pentagon works on a much larger scale, processing 16,000 to 17,000 employees a day.
This process is expected to start this summer.
The agency still has work to do to incorporate acceptance of PIV credentials from other agencies, says Nagel. “PIV-I we’ve already got,” he adds.
One other challenge comes in dealing with the agency’s vendor and concession population. Because these groups are non-CAC/PIV eligible, the Force Protection Agency had to come up with another solution for them. These groups will use a contactless-only credential that follows the same model as PIV, says Nagel.
The card will have a contactless chip and the same mandatory features as the PIV card, including laser engraving and holograms. But it will only work at perimeter PIV readers, he says.
Full implementation of the Pentagon system is expected to take two to three years.