Dont Let FIPS Give You Fits

Don't Let FIPS Give You Fits

As a result of Homeland Security Presidential Directive 12 (HSPD- 12), smart cards are spreading rapidly through government agencies and many large organizations. The directive’s purpose is to ensure secure and reliable identification for every federal employee and government contractor. In addition to federal government agencies, state and local governments, first responders and government contractors will become major users of compliant cards and readers. The trickle-down effect of this mandate makes it important for security professionals to be familiar with it.

What Is FIPS 201?

In 2004, to meet the requirements of HSPD- 12, the National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification, Federal Information Processing Standard (FIPS) 201. The FIPS-201 Personal Identity Verification (PIV II) card standard specifies contact and contactless smart card technologies and biometrics. It also provides specific standards for issuing and using the PIV II card. The card combines both contact and contactless technologies, and thus, contactless-only or contact-only cards do not qualify to be used on military bases, in Veterans Administration hospitals or in any other government facility, from NASA to HUD. Only those cards certified to meet FIPS-201 can be used. And, for some time now, those cards have been issued to government employees, among others.

It is extremely important that access control managers and integrators recognize that though facilities may have issued FIPS-201- certifed cards to their employees, many are not using that card for physical access control. That’s because, when determining the need for the HSPD-12 directive, the government was concentrating on logical access control rather than on how people were physically accessing its buildings and grounds.

As a result, many doors in government facilities continue to require proximity cards for physical access control. It doesn’t take a rocket scientist to deduce that access control on these doors, at some point, will switch over to FIPS 201 smart cards. Indeed, the day of reckoning is here: Just this past February, a memo titled “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors” went out to all government offices. In a key paragraph, the director states:

“...the majority of the federal workforce is now in possession of the credentials, and therefore agencies are in a position to aggressively step up their efforts to use the electronic capabilities of the credentials. To that end, and as the DHS memorandum further explains, each agency is to develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV II credentials as the common means of authentication for access to that agency’s facilities, networks and information systems.”

The key phrase and word here is in the last line—“the agency will require the use of the PIV II credentials as the common means of authentication for access to that agency’s facilities....”

Clearing Up the Semantics

So much has been written and discussed about FIPS-201 that some major misunderstandings have arisen. Sometimes, you must slowly read the sentence word by word to capture what the directive calls for.

Many do not realize that FIPS-201 sets specific technology standards but does not specify the physical access control system. The card and biometric standards addressed in FIPS-201 deal solely with the technologies used to authenticate individuals at the credentialing offices or visitor centers so credentials produced work on a wide variety of readers. For those purchasing cards and biometric readers at a government card credentialing office, the rules are strict.

However, the requirements do not address the actual physical access control system to be installed on facility doors. Obviously, it must be able to read the FIPS- 201 credential, the contactless or contact version of the FIPS-201 smart card. Because virtually nobody would use a contact card in a physical access control implementation, the implemented reader must read the contactless version. That’s the total extent of the requirement as of now.

Be aware that not all FIPS-201 cards are referenced as FIPS-201. The military has the CAC card—except that it really is the FIPS- 201 card under a different name.

VA hospitals have brought a real challenge to government administrators. The VA, as one might guess, had an immense card population with many different card types, largely proximity cards from different manufacturers. Of course, these cards didn’t travel well: The card used at one hospital wouldn’t work on the doors of other VA hospitals down the road or across the country.

To assign employees access consistent with the directive and to get away from legacy technologies, the VA issued a new PIV II smart card that complies with HSPD- 12 and FIPS-201.

At present, HP (formally EDS) has a contract with the VA to provide all the infrastructure hardware/software to produce the new PIV II cards for all VA facilities nationwide. But, remember, this is only at the credentialing offices. All VA locations will need FIPS-compliant readers/ systems, and that business is not restricted to any one firm.

A Reality Check

So why haven’t all government facilities decided to switch out all their card-based physical access control systems to the new mandated FIPS-201 card? Budgets. The cost of upgrading to FIPS-201 cards has presented the biggest roadblock to largescale implementation of the standard.

In these times of tight budgets, it’s difficult for government facilities to throw out a system that works. It is obvious that any retrofits need to read the cards being used presently, but facility managers and financial officers question whether it makes sense to install proximity readers when, down the line, they will need different readers that read the FIPS-201 smart cards.

The bottom line is that a mixed population of old proximity credentials and new PIV II credentials will be unavoidable during the upgrade to FIPS- 201 compliance—and no customer wants to install two different readers.

However, there is an easy solution: multitechnology readers, compatible with both FIPS-201 PIV II credentials and popular proximity and smart card technologies. The ability to read multiple existing proximity card types and PIV II cards simultaneously becomes a tremendous benefit to those agencies looking for a painless transition.

Here is what government agencies, their customers and security professionals that sell to them need to do: Verify that the proposed reader technology meets the PIV II card interoperability standards, and verify that the physical access system under consideration communicates with that reader. Besides aiding implementation, multi-technology readers allow a flexible transition by enabling these facilities to continue to use the thousands of proximity cards already in their employees’ pockets, now and during the rollout to the new FIPS-201 cards.

With a multi-credential reader installed at every door, these facilities can flexibly plan for the future, using their proximity cards today and migrating to the FIPS-201 smart cards when budgets and time reach their nexus.

Government agencies will be able to upgrade on their timelines, not on the whim of a technology mandate that forces a “now or never” alternative. Implementation and integration resulting from multi-credential readers is non-disruptive. Lastly, but most importantly, the government’s future needs demand them.

This article originally appeared in the October 2011 issue of Security Today.

Featured

  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3