Dont Let FIPS Give You Fits

Don't Let FIPS Give You Fits

As a result of Homeland Security Presidential Directive 12 (HSPD- 12), smart cards are spreading rapidly through government agencies and many large organizations. The directive’s purpose is to ensure secure and reliable identification for every federal employee and government contractor. In addition to federal government agencies, state and local governments, first responders and government contractors will become major users of compliant cards and readers. The trickle-down effect of this mandate makes it important for security professionals to be familiar with it.

What Is FIPS 201?

In 2004, to meet the requirements of HSPD- 12, the National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification, Federal Information Processing Standard (FIPS) 201. The FIPS-201 Personal Identity Verification (PIV II) card standard specifies contact and contactless smart card technologies and biometrics. It also provides specific standards for issuing and using the PIV II card. The card combines both contact and contactless technologies, and thus, contactless-only or contact-only cards do not qualify to be used on military bases, in Veterans Administration hospitals or in any other government facility, from NASA to HUD. Only those cards certified to meet FIPS-201 can be used. And, for some time now, those cards have been issued to government employees, among others.

It is extremely important that access control managers and integrators recognize that though facilities may have issued FIPS-201- certifed cards to their employees, many are not using that card for physical access control. That’s because, when determining the need for the HSPD-12 directive, the government was concentrating on logical access control rather than on how people were physically accessing its buildings and grounds.

As a result, many doors in government facilities continue to require proximity cards for physical access control. It doesn’t take a rocket scientist to deduce that access control on these doors, at some point, will switch over to FIPS 201 smart cards. Indeed, the day of reckoning is here: Just this past February, a memo titled “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors” went out to all government offices. In a key paragraph, the director states:

“...the majority of the federal workforce is now in possession of the credentials, and therefore agencies are in a position to aggressively step up their efforts to use the electronic capabilities of the credentials. To that end, and as the DHS memorandum further explains, each agency is to develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV II credentials as the common means of authentication for access to that agency’s facilities, networks and information systems.”

The key phrase and word here is in the last line—“the agency will require the use of the PIV II credentials as the common means of authentication for access to that agency’s facilities....”

Clearing Up the Semantics

So much has been written and discussed about FIPS-201 that some major misunderstandings have arisen. Sometimes, you must slowly read the sentence word by word to capture what the directive calls for.

Many do not realize that FIPS-201 sets specific technology standards but does not specify the physical access control system. The card and biometric standards addressed in FIPS-201 deal solely with the technologies used to authenticate individuals at the credentialing offices or visitor centers so credentials produced work on a wide variety of readers. For those purchasing cards and biometric readers at a government card credentialing office, the rules are strict.

However, the requirements do not address the actual physical access control system to be installed on facility doors. Obviously, it must be able to read the FIPS- 201 credential, the contactless or contact version of the FIPS-201 smart card. Because virtually nobody would use a contact card in a physical access control implementation, the implemented reader must read the contactless version. That’s the total extent of the requirement as of now.

Be aware that not all FIPS-201 cards are referenced as FIPS-201. The military has the CAC card—except that it really is the FIPS- 201 card under a different name.

VA hospitals have brought a real challenge to government administrators. The VA, as one might guess, had an immense card population with many different card types, largely proximity cards from different manufacturers. Of course, these cards didn’t travel well: The card used at one hospital wouldn’t work on the doors of other VA hospitals down the road or across the country.

To assign employees access consistent with the directive and to get away from legacy technologies, the VA issued a new PIV II smart card that complies with HSPD- 12 and FIPS-201.

At present, HP (formally EDS) has a contract with the VA to provide all the infrastructure hardware/software to produce the new PIV II cards for all VA facilities nationwide. But, remember, this is only at the credentialing offices. All VA locations will need FIPS-compliant readers/ systems, and that business is not restricted to any one firm.

A Reality Check

So why haven’t all government facilities decided to switch out all their card-based physical access control systems to the new mandated FIPS-201 card? Budgets. The cost of upgrading to FIPS-201 cards has presented the biggest roadblock to largescale implementation of the standard.

In these times of tight budgets, it’s difficult for government facilities to throw out a system that works. It is obvious that any retrofits need to read the cards being used presently, but facility managers and financial officers question whether it makes sense to install proximity readers when, down the line, they will need different readers that read the FIPS-201 smart cards.

The bottom line is that a mixed population of old proximity credentials and new PIV II credentials will be unavoidable during the upgrade to FIPS- 201 compliance—and no customer wants to install two different readers.

However, there is an easy solution: multitechnology readers, compatible with both FIPS-201 PIV II credentials and popular proximity and smart card technologies. The ability to read multiple existing proximity card types and PIV II cards simultaneously becomes a tremendous benefit to those agencies looking for a painless transition.

Here is what government agencies, their customers and security professionals that sell to them need to do: Verify that the proposed reader technology meets the PIV II card interoperability standards, and verify that the physical access system under consideration communicates with that reader. Besides aiding implementation, multi-technology readers allow a flexible transition by enabling these facilities to continue to use the thousands of proximity cards already in their employees’ pockets, now and during the rollout to the new FIPS-201 cards.

With a multi-credential reader installed at every door, these facilities can flexibly plan for the future, using their proximity cards today and migrating to the FIPS-201 smart cards when budgets and time reach their nexus.

Government agencies will be able to upgrade on their timelines, not on the whim of a technology mandate that forces a “now or never” alternative. Implementation and integration resulting from multi-credential readers is non-disruptive. Lastly, but most importantly, the government’s future needs demand them.

This article originally appeared in the October 2011 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3