Don't Let FIPS Give You Fits

As a result of Homeland Security Presidential Directive 12 (HSPD-12), smart cards are spreading rapidly through government agencies and many large organizations. The directive’s purpose is to ensure secure and reliable identification for every federal employee and government contractor. In addition to federal government agencies, state and local governments, first responders and government contractors will become major users of compliant cards and readers. The trickle-down effect of this mandate makes it important for security professionals to be familiar with it.

What Is FIPS 201?

In 2004, to meet the requirements of HSPD-12, the National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification, Federal Information Processing Standard (FIPS) 201. The FIPS-201 Personal Identity Verification (PIV II) card standard specifies contact and contactless smart card technologies and biometrics. It also provides specific standards for issuing and using the PIV II card. The card combines both contact and contactless technologies, and thus contactless-only or contact-only cards do not qualify for use on military bases, in Veterans Administration hospitals or in any other government facility, from NASA to HUD. Only those cards certified to meet FIPS-201 can be used. And, for some time now, those cards have been issued to government employees, among others.

It is extremely important that access control managers and integrators recognize that, though facilities may have issued FIPS-201-certified cards to their employees, many are not using that card for physical access control. That’s because, when determining the need for the HSPD-12 directive, the government was concentrating on logical access control rather than on how people were physically accessing its buildings and grounds.

As a result, many doors in government facilities continue to require proximity cards for physical access control. It doesn’t take a rocket scientist to deduce that access control on these doors, at some point, will switch over to FIPS 201 smart cards. Indeed, the day of reckoning is here: Just this past February, a memo titled “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors” went out to all government offices. In a key paragraph, the director states:

“...the majority of the federal workforce is now in possession of the credentials, and therefore agencies are in a position to aggressively step up their efforts to use the electronic capabilities of the credentials. To that end, and as the DHS memorandum further explains, each agency is to develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV II credentials as the common means of authentication for access to that agency’s facilities, networks and information systems.”

The key phrase here is in the last line—“the agency will require the use of the PIV II credentials as the common means of authentication for access to that agency’s facilities....”

Clearing Up the Semantics

So much has been written and discussed about FIPS-201 that some major misunderstandings have arisen. Sometimes, you must slowly read the sentence word by word to capture what the directive calls for.

Many do not realize that FIPS-201 sets specific technology standards but does not specify the physical access control system. The card and biometric standards addressed in FIPS-201 deal solely with the technologies used to authenticate individuals at the credentialing offices or visitor centers so credentials produced work on a wide variety of readers. For those purchasing cards and biometric readers at a government card credentialing office, the rules are strict.

However, the requirements do not address the actual physical access control system to be installed on facility doors. Obviously, it must be able to read the FIPS-201 credential, the contactless or contact version of the FIPS-201 smart card. Because virtually nobody would use a contact card in a physical access control implementation, the installed reader must read the contactless version. That’s the total extent of the requirement as of now.

Be aware that not all FIPS-201 cards are referred to as FIPS-201. The military has the CAC card—except that it really is the FIPS-201 card under a different name.

VA hospitals have brought a real challenge to government administrators. The VA, as one might guess, had an immense card population with many different card types, largely proximity cards from different manufacturers. Of course, these cards didn’t travel well: The card used at one hospital wouldn’t work on the doors of other VA hospitals down the road or across the country.

To assign employees access consistent with the directive and to get away from legacy technologies, the VA issued a new PIV II smart card that complies with HSPD-12 and FIPS-201.

At present, HP (formerly EDS) has a contract with the VA to provide all the infrastructure hardware and software to produce the new PIV II cards for all VA facilities nationwide. But, remember, this is only at the credentialing offices. All VA locations will need FIPS-compliant readers/systems, and that business is not restricted to any one firm.

A Reality Check

So why haven’t all government facilities decided to switch out all their card-based physical access control systems to the new mandated FIPS-201 card? Budgets. The cost of upgrading to FIPS-201 cards has presented the biggest roadblock to large-scale implementation of the standard.

In these times of tight budgets, it’s difficult for government facilities to throw out a system that works. It is obvious that any retrofits need to read the cards being used presently, but facility managers and financial officers question whether it makes sense to install proximity readers when, down the line, they will need different readers that read the FIPS-201 smart cards.

The bottom line is that a mixed population of old proximity credentials and new PIV II credentials will be unavoidable during the upgrade to FIPS-201 compliance—and no customer wants to install two different readers.

However, there is an easy solution: multi-technology readers, compatible with both FIPS-201 PIV II credentials and popular proximity and smart card technologies. The ability to read multiple existing proximity card types and PIV II cards simultaneously becomes a tremendous benefit to those agencies looking for a painless transition.

Here is what government agencies, their customers and security professionals that sell to them need to do: Verify that the proposed reader technology meets the PIV II card interoperability standards, and verify that the physical access system under consideration communicates with that reader. Besides aiding implementation, multi-technology readers allow a flexible transition by enabling these facilities to continue to use the thousands of proximity cards already in their employees’ pockets, now and during the rollout to the new FIPS-201 cards.

With a multi-credential reader installed at every door, these facilities can flexibly plan for the future, using their proximity cards today and migrating to the FIPS-201 smart cards when budgets and time reach their nexus.

Government agencies will be able to upgrade on their timelines, not on the whim of a technology mandate that forces a “now or never” alternative. Implementation and integration resulting from multi-credential readers is non-disruptive. Lastly, but most importantly, the government’s future needs demand them.

This article originally appeared in the October 2011 issue of Security Today.
