If you don’t need a full-blown, FIPS 201-compliant PIV card like those being tested in Summer Breeze-like trials, the recently established Tiers of Trust Consortium may have an alternative solution. It was created to provide a lower cost smart ID card without all the bells and whistles that FIPS 201 requires.
“While this regulation (FIPS 201) serves a number of worthwhile goals, the implementations to date have created difficulties with the budgets within first responder groups, making compliance a lengthy and costly process,” said Howard A. Schmidt, former U.S. cybersecurity advisor who now heads up the consortium. “Our goal is to enable first responders to meet the federal requirements at a fraction of the cost…”
Betty Pierce, president of Colorado-based Secure Network Systems (SNS), a consortium member, cited these examples: “A plane goes down or a dam bursts. Local people are the first responders. If it starts to look bigger (than initially thought) they call in other counties or authorities. The idea is these (scaled back) systems should work within these areas. Most of these local responders will never be called to a federal emergency, so they don’t need the more expensive PIV cards but they will need secure and reliable forms of identification, just less costly.”
The Tiers of Trust Consortium, created earlier this year, can offer equipment “to legitimate first responder agencies, fire, hazmat, police, but also the private sectors, such as people who run telecommunications,” she said.
“The whole idea behind the consortium is to help these groups…to open this up at the base level and make it as affordable as possible,” said Ms. Pierce.
Other members include security organizations HID Global, PGP, OMNIKEY, Catcher, TX Systems and Clear Government Solutions. While there are no strict membership requirements, “we prefer members (with products) on the FIPS 201 approved products list,” said Ms. Pierce.
The first responder organizations can register through the Tiers of Trust web site. (www.tiersoftrust.com) “We ask for the highest ranking official to sign off,” said Ms. Pierce. “We want management commitment from the very top, then they become eligible to order the different products.” Applications are due by Dec. 31, 2007, with priority to the first 500 organizations.
“Right now, it is cheaper to rebuild everybody’s house rather than to give all first responders a PIV card,” commented Jon Callas, CTO and CSO of PGP Corporation, another consortium member, when the consortium was first announced.
Agencies can buy a reader/writer for under $75. “Both are on the FIPS 201 Approved Product List,” said Ms. Pierce. For SNS’s part, it provides the software that programs the smart card. In fact, its Write-IMPACT software program, which electronically personalizes the contactless chip with mandatory FIPS 201 information, is available free to registered first responders.
“We’ve been getting tremendous feedback. There has been some confusion because some people think we’re offering a full FIPS 201 card cheaper. That’s not the point. These are qualified approved products but we’re probably not the best choice for someone who might need a full FIPS 201 card for their entire population of first responders. Our value proposition is to these other jurisdictions who don’t need a full PIV card, maybe a blend. From what we’ve seen from these different municipalities, certain jurisdictions would need federal cards but the remaining 80 or 90 percent don’t need it so why pay for it?”
The Colorado Demonstration
SNS is no stranger to the trials being conducted in Washington DC, having participated in multiple GSA certifications and the NIST interoperability demonstration sessions. While the National Capital Region first responder trials are tied to the DC and surrounding counties in Virginia and Maryland, other piggybacked trials have taken place in different parts of the country. One was in Colorado, SNS’s home base, and was conducted at the same time as the Summer Breeze trial.
Even though Summer Breeze was looking at more handheld readers and such” SNS also wanted to test its mobile emergency access control system built around HID Global technology, said Ms. Pierce.
While not an official part of the Colorado exercise, Ms. Pierce explained that SNS was able to leverage HID iCLASS readers “to read dual interface cards from other vendors. We could limit privileges (for the card holder) and the card would either function correctly or not depending on the level and privilege,” she added.
SNS also wanted to test the capability of credentials being read by the company’s NIMS-IMPACT mobile emergency management system utilizing HID Global components. Purpose was to illustrate that interoperability encompasses a broad suite of FIPS 201 compliant technologies, including logical and physical access control systems and contactless smart cards.
Based on Summer Breeze-style exercises, SNS feels that a full-blown personal identity verification card, based on the federal FIPS 201 standards, may not be needed in many cases, particularly in state and local areas, said Ms. Pierce. That means the cheaper could be just as effective at regulating who has access to a non-Federal disaster site.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.