A Murky Eight Years

The myths of HSPD-12 compliance

It has been eight years since President George W. Bush signed Homeland Security Presidential Directive 12 (HSPD-12) into law and four years since its compliance deadline. Since that time much has happened, yet one constant has remained: a lack of clarity on what true compliance with this directive requires.

HSPD-12 was issued as a call to improve physical and logical access control systems through the application of government-wide standards. Rather than employing proprietary architecture that would limit access control to an individual facility and its infrastructure, HSPD-12 called for access control interoperability among all government-run facilities, along with improved security, scalability, validity and efficiency for the system on an enterprise-wide basis.

The backbone is the personal identity verification card as outlined by Federal Information Processing Standard 201 (FIPS-201). The playbook that outlines how physical access control manufacturers can comply with HSPD-12 is found in the National Institute of Standards and Technology’s Special Publication 800-116. This is a must-read for any vendor or end user involved in complying with HSPD-12. Additionally, in early 2011, the Office of Management and Budget issued Memorandum 11-11, which created further guidelines and deadlines for agencies to reach compliance.

Compliance Myths

Eight years into the process, there is still confusion about what a federal agency needs to do to be compliant with HSPD-12. The truth is, there are many myths surrounding compliance. It behooves manufacturers, integrators and those using a physical access control system to educate themselves on what needs to be done to comply with the government-issued mandate.

One basic step toward compliance with HSPD-12 is to use a PIV card to unlock a door in a federal facility. However, in order to do that, the PIV card must be registered into the PACS that controls who can go where and when. There are several steps that should be taken prior to registering a PIV card into a PACS. First, you need to ensure that the PIV card is an authentic PIV card—not a clone or forgery. Second, you need to know that the person presenting the PIV card is truly the card owner by performing a biometric comparison. Third, check that the PIV card has not been revoked by the agency that issued it. Once these criteria have been met, registration may commence.

Consider Myth No. 1: It is acceptable to read the PIV card’s Federal Agency Smartcard Number (FASC-N) on a proximity reader and copy and paste the number into the card number field in a PACS card holder record.

This may be a “means to an end”; however, doing so gives no way of knowing whether the card is authentic, whether the card actually belongs to the card holder or whether the card was revoked by the agency that issued it. If any of those questions cannot be answered, should the card be registered? Of course not!

PIV and PIV-I credentials are nothing more than expensive proximity cards if the PACS has no way to verify their authenticity, revocation status and that the person presenting the credential is the one to whom the credential was issued.

Myth No. 2: If the PIV card has been proven authentic and the cardholder is truly the card owner, there’s no need to re-check the certificate revocation list.

The certificate is defined in FIPS-201 as a data object containing a subject identifier, a public key and other information, which is digitally signed by a certification authority. Certificates convey trust in the binding between the subject identifier and the public key. The public key is used to verify the authenticity of the credential. If the certificate is not signed by a trusted issuer, then the public key can’t be trusted; thus, the credential cannot be trusted.

One of the biggest objections to validating a certificate is that the process more than likely requires accessing the Internet. Some end users see this as a potential security risk. But in truth, the information can’t be obtained without connectivity, so an Internet connection is simply part of the compliance model. Certificate checks are important because they not only assist with validating the card but also indicate whether the card has been revoked and, if so, can initiate the proper action so the card can’t be used again. Revocations can occur at any time, so Internet access must be available at all times.
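The three pre-registration checks above, and the point that revocation must be re-checked after registration (Myth No. 2), as an added example that is not from the article or any PACS vendor. The card, trust anchor and revocation list are constructed for illustration; the signature and biometric checks are stand-ins for the real FIPS-201 mechanisms, and an unreachable revocation source is treated as a denial rather than a pass.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class PivCard:
    fasc_n: str          # number a proximity reader would hand over
    issuer: str          # CA that signed the card's certificate
    cert_serial: int
    signature_ok: bool   # stand-in: does the certificate chain verify?
    template: str        # stand-in for the on-card biometric template

@dataclass
class RevocationSource:
    revoked: Set[Tuple[str, int]]   # (issuer, serial) pairs, like CRL entries
    reachable: bool = True          # False simulates loss of connectivity

    def status(self, issuer: str, serial: int) -> Optional[bool]:
        if not self.reachable:
            return None             # unknown: caller must fail closed
        return (issuer, serial) in self.revoked

TRUSTED_ISSUERS = {"Example Agency CA"}   # constructed trust anchor

def verify_card(card: PivCard, live_sample: str,
                rev: RevocationSource) -> Tuple[bool, str]:
    """The three checks required before (and on every use after) registration."""
    if card.issuer not in TRUSTED_ISSUERS or not card.signature_ok:
        return False, "card not authentic"
    if live_sample != card.template:
        return False, "biometric mismatch"
    revoked = rev.status(card.issuer, card.cert_serial)
    if revoked is None:
        return False, "revocation status unavailable"   # fail closed
    if revoked:
        return False, "certificate revoked"
    return True, "ok"

class Pacs:
    def __init__(self, rev: RevocationSource) -> None:
        self.rev = rev
        self.holders: Dict[str, PivCard] = {}

    def register(self, card: PivCard, live_sample: str) -> Tuple[bool, str]:
        ok, why = verify_card(card, live_sample, self.rev)
        if ok:
            self.holders[card.fasc_n] = card   # only after all three checks pass
        return ok, why

    def admit(self, fasc_n: str, live_sample: str) -> Tuple[bool, str]:
        """Registration does not end revocation checking; re-verify every time."""
        card = self.holders.get(fasc_n)
        if card is None:
            return False, "not registered"
        return verify_card(card, live_sample, self.rev)
```

Pasting a FASC-N straight into `holders` would bypass `verify_card` entirely, which is exactly why Myth No. 1 leaves the PACS unable to tell a genuine card from a copy.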

Myth No. 3: If a PACS end user purchases just one item from the GSA’s FIPS 201 Approved Products List, his or her facility automatically becomes HSPD-12 compliant. There are more than 600 products on the GSA’s FIPS-201 APL, ranging from fingerprint-capture devices and card readers to card sleeves and authentication systems. Every item used in the HSPD-12 compliance program must come from the APL, assuming there is a category for it.

But the purpose of the APL is to ensure interoperability, not necessarily compliance with a policy. If an end user purchased only one card reader that was listed on the APL but was not authenticating cards prior to PACS registration or revalidating the card’s certificates on a regular basis afterward, would that system be considered compliant? Probably not.

Myth No. 4: Visitors to federal facilities don’t have to meet the same authentication standards as the agency’s PIV card holders.

When federal employees or contractors from one agency visit another agency’s facility, they often use their PIV or PIV-I card as a flash pass. They show it to the person staffing the visitors’ station but do not go through any electronic identity verification or card authentication process. Office of Management and Budget Memorandum 11-11 clearly states, “Agency processes must accept and electronically verify PIV credentials issued by other federal agencies.” This means that using a visitor’s PIV card as a flash pass is no longer acceptable.

Visitors’ PIV cards need to be electronically verified to ensure that they are authentic, that the person presenting the PIV card is the card owner (by performing a biometric match) and that the card was not revoked by the agency that issued it. With those checks in place, it’s unlikely that someone with a forged card would be allowed into the facility.

Myth No. 5: Non-compliance doesn’t have any drawbacks. Nothing will happen if OMB M-11-11 is ignored because there are no funds to implement it.

OMB M-11-11 states that, effective for fiscal year 2012, “existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.” Basically, that means that non-compliance can limit access to funds needed for other technology-oriented projects.

These were only five myths regarding HSPD-12 compliance, but there are many, many more. Being armed with the right tools—in this case, some necessary government documents and an understanding of what they entail—can go a long way toward ensuring compliance with HSPD-12 and preventing the headaches and expense of having to replace non-compliant equipment or make unbudgeted purchases of other tools just to meet the standard.

This article originally appeared in the October 2012 issue of Security Today.
