A Murky Eight Years
The myths of HSPD-12 compliance

By Geri B. Castaldo, Oct 01, 2012
It has been eight years since President George W. Bush signed Homeland Security Presidential Directive 12 (HSPD-12) into law and four years since its compliance deadline. Since that time much has happened, yet one constant has remained: a lack of clarity on what true compliance with this directive requires.

HSPD-12 was issued as a call to improve physical and logical access control systems through the application of government-wide standards. Rather than employing proprietary architecture that would limit access control to an individual facility and its infrastructure, HSPD-12 called for access control interoperability among all government-run facilities, along with improved security, scalability, validity and efficiency for the system on an enterprise-wide basis.
The backbone is the personal identity verification (PIV) card as outlined by Federal Information Processing Standard 201 (FIPS-201). The playbook that outlines how physical access control manufacturers can comply with HSPD-12 is found in the National Institute of Standards and Technology's Special Publication 800-116. This is a must-read for any vendor or end user involved in complying with HSPD-12. Additionally, in early 2011, the Office of Management and Budget issued Memorandum 11-11, which created further guidelines and deadlines for agencies to reach compliance.
Compliance Myths
Eight years into the process, there is still confusion about what a federal agency needs to do to be compliant with HSPD-12. The truth is, there are many myths surrounding compliance. It behooves manufacturers, integrators and those using a physical access control system (PACS) to educate themselves on what needs to be done to comply with the government-issued mandate.
One basic step toward compliance with HSPD-12 is to use a PIV card to unlock a door in a federal facility. However, in order to do that, the PIV card must be registered into the PACS that controls who can go where and when. There are several steps that should be taken prior to registering a PIV card into a PACS. First, you need to ensure that the PIV card is an authentic PIV card—not a clone or forgery. Second, you need to know that the person presenting the PIV card is truly the card owner by performing a biometric comparison. Third, check that the PIV card has not been revoked by the agency that issued it. Once these criteria have been met, registration may commence.
Thus consider Myth No. 1: It is acceptable to read the PIV card's Federal Agency Smartcard Number (FASC-N) on a proximity reader and copy and paste the number into the card number field in a PACS card holder record.
This may be a “means to an end”; however, doing so gives no way of knowing if the card is authentic, whether the card actually belongs to the card holder or if the card was revoked by the agency that issued it. If any of these issues are faced, should the card be registered? Of course not!
PIV and PIV-I credentials are nothing more than expensive proximity cards if the PACS has no way to verify their authenticity, revocation status and that the person presenting the credential is the one to whom the credential was issued.
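To make Myth No. 1 concrete, here is an added example (not code from the article or from any PACS vendor) that encodes and decodes a FASC-N in the public 200-bit format a proximity reader hands to the PACS: 40 five-bit characters, each four data bits sent least-significant-bit first plus an odd-parity bit, with sentinels, field separators and a trailing LRC. The point is that a decoder can only confirm the number is well-formed; it says nothing about whether the card is authentic, belongs to the bearer or has been revoked, which is why registering on the number alone is not compliance. The sample field values are constructed.

```python
from functools import reduce
from operator import xor

SS, FS, ES = 0xB, 0xD, 0xF   # start sentinel, field separator, end sentinel (4-bit values)
SEPARATED = (("AC", 4), ("SC", 4), ("CN", 6), ("CS", 1), ("ICI", 1))  # each followed by FS
TAIL = (("PI", 10), ("OC", 1), ("OI", 4), ("POA", 1))                # no separators

def encode_fascn(fields: dict) -> str:
    """Build the 200-bit string for a dict of decimal-digit field strings."""
    vals = [SS]
    for name, n in SEPARATED:
        vals += [int(d) for d in fields[name].zfill(n)] + [FS]
    for name, n in TAIL:
        vals += [int(d) for d in fields[name].zfill(n)]
    vals.append(ES)
    vals.append(reduce(xor, vals))                # LRC: XOR of every character before it
    bits = ""
    for v in vals:
        data = format(v, "04b")[::-1]             # transmit the four data bits LSB first
        bits += data + ("0" if data.count("1") % 2 else "1")   # odd parity bit
    return bits

def decode_fascn(bits: str) -> dict:
    """Parse and validate framing; raises ValueError on parity, sentinel or LRC faults."""
    if len(bits) != 200:
        raise ValueError("FASC-N is 200 bits")
    vals = []
    for i in range(0, 200, 5):
        ch = bits[i:i + 5]
        if ch.count("1") % 2 == 0:
            raise ValueError(f"parity error in character {i // 5}")
        vals.append(int(ch[:4][::-1], 2))         # undo LSB-first ordering
    if vals[0] != SS or vals[-2] != ES or vals[-1] != reduce(xor, vals[:-1]):
        raise ValueError("bad sentinel or LRC")
    pos, out = 1, {}
    for name, n in SEPARATED + TAIL:
        digits = vals[pos:pos + n]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit value in {name}")
        out[name] = "".join(map(str, digits))
        pos += n
        if (name, n) in SEPARATED:
            if vals[pos] != FS:
                raise ValueError(f"missing separator after {name}")
            pos += 1
    return out
```

A successful decode proves only that the bits were framed correctly; the authenticity, biometric and revocation checks described above still have to run against the card's signed credential before the value goes into a card holder record.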
Myth No. 2: If the PIV card has been proven authentic and the cardholder is truly the card owner, there's no need to re-check the certificate revocation list.
The certificate is defined in FIPS-201 as a data object containing a subject identifier, a public key and other information, which is digitally signed by a certification authority. Certificates convey trust in the relationship of the subject identifier and the public key. The public key is used to verify the authenticity of the credential. If the public key is not signed by a trusted issuer, then it can't be trusted; thus, the credential cannot be trusted.
One of the biggest objections to validating a certificate is that the process more than likely requires accessing the Internet. Some end users see this as a potential security risk. But in truth, the information can't be obtained without connectivity, so an Internet connection is just part of the compliance model. Certificate checks are important because they not only assist with validating the card but also indicate whether the card has been revoked and, if so, can initiate the proper action so the card can't be used again. Revocations can occur at any time, so Internet access must be available at all times.
Myth No. 3: If a PACS end user purchases just one item from the GSA's FIPS 201 Approved Products List, his or her facility automatically becomes HSPD-12 compliant.

There are more than 600 products on the GSA's FIPS-201 APL—ranging from fingerprint-capture devices and card readers to card sleeves and authentication systems. Every item used in the HSPD-12 compliance program must come from the APL, assuming there is a category for it.
But the purpose of the APL is to ensure interoperability, not necessarily compliance with a policy. If an end user purchased only one card reader that was listed on the APL but was not authenticating cards prior to PACS registration or revalidating the card's certificates on a regular basis afterward, would that system be considered compliant? Probably not.
Myth No. 4: Visitors to federal facilities don't have to meet the same authentication standards as the agency's PIV card holders.
When federal employees or contractors from one agency visit another agency's facility, they often use their PIV or PIV-I card as a flash pass. They show it to the person manning the visitors' station but do not go through any electronic identity verification or card authentication process. Office of Management and Budget Memorandum 11-11 clearly states, “Agency processes must accept and electronically verify PIV credentials issued by other federal agencies.” This means that using a visitor's PIV card as a flash pass is no longer acceptable.
Visitors' PIV cards need to be electronically verified to ensure they are authentic, the person presenting the PIV card is the card owner by performing a biometric match and the card was not revoked by the agency that issued it. It's unlikely that someone with a forged card would be allowed into such a facility.
Myth No. 5: Non-compliance doesn't have any drawbacks. Nothing will happen if OMB M-11-11 is ignored because there are no funds to implement it.
OMB M-11-11 states that, effective for fiscal year 2012, “existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.” Basically, that means that non-compliance can limit access to funds needed for other technology-oriented projects.
These were only five myths regarding HSPD-12 compliance, but there are many, many more. Being armed with the right tools—in this case, some necessary government documents and an understanding of what they entail—can go a long way toward ensuring compliance with HSPD-12 and preventing the headaches and expense of having to replace non-compliant equipment or make unbudgeted purchases of other tools just to meet the standard.

This article originally appeared in the October 2012 issue of Security Today.