HID wants to help with new gov’t deadline

Federal agencies must be fully FIPS 201 compliant by October
Tuesday, May 10, 2011

IRVINE, Calif.—HID is spreading the word to government agencies and the integrators that serve them that it wants to help them comply with a new deadline for FIPS 201.

The deadline, issued in February by the Office of Management and Budget, said that federal agencies that are not fully compliant with FIPS 201 by Oct. 31, 2011 would have other technology and refresh funds withheld.

“HID can help them get where they need to be,” Kathleen Carroll, director of government relations for HID, which is based here, told Security Systems News. HID can help non-legacy as well as legacy customers, she said. “About 70 percent of federal buildings in Washington have HID access control technology. When you talk about migration, we can help make the transition easier.”

HID came out with a Federal Identity Compliance Initiative at ISC West this year, essentially a package of products and a migration plan for end users and integrators to use to comply with FIPS 201.

A review of terms here: FIPS 201 is a document entitled “Personal Identity Verification (PIV) of Federal Employees and Contractors.” That document describes the characteristics and authentication of PIV smart card credentials. HSPD-12 is the 2004 presidential directive that initiated the mandate that said all federal employees and contractors should have a common, secure credential for access to federal buildings.

So what exactly are the agencies not doing? Somewhere around 90 percent of federal workers have the common secure credentials they need (PIV cards) or they’ve completed background checks to issue the credentials. The problem is that most cards are not being read electronically.

There are notable exceptions, such as DOD, the U.S. Department of Agriculture, NASA, and others, Carroll said, but that’s not the norm.

“The main requirement of HSPD-12 is not to get an ID card, the main requirement is to read the credential electronically from a physical and logical perspective,” she said.

Of course, whether the non-compliant federal agencies have the funds to meet the mandate is another issue, but Carroll said there are indications that the deadline is already driving further compliance.

It’s been a long, slow road since HSPD-12 was issued nearly seven years ago, but Carroll said the use of PIV and PIV-like cards and readers is spreading. Integrators who serve the federal government, state governments and private industry should be paying attention, she said.

“We’re already starting to see it move into the private sector,” Carroll said, “because government contractors are part of private industry.” Likewise, state governments are moving ahead with State Identity Credential Access Management plan (SICAM), which is based on HSPD-12 and FIPS 201, and “another area is first responders who use a FRAC credential, which is PIV-compatible.”

One key thing that came out of HSPD-12, FIPS 201 and FIPS 201.2 is that they have created a standard, Carroll said. “In the past, access control has always been proprietary,” she said. “From a government perspective and private industry perspective this is a good thing.”




What is important here is how the cards are read electronically. Many of these credentials and access control systems have implemented the minimum electronic capabilities. End-users, integrators and suppliers need to understand that the method of authenticating the credential needs to map to a threat assessment and Federal Security Levels.

Many readers installed today will have to be replaced or upgraded since the technique referred to as "free read of the FASC-N" provides no assurance and in fact is not even considered a valid authentication factor. It is interesting to note that many vendors circumvented the standards and continued to promote their readers at this low assurance level.

Further, you need to look at the authentication system. Depending on the architecture, the reader may do little or no cryptographic processing, as an example in the case where a controller handles this load.

A number of publications by the Smart Card Alliance Physical Access Council http://www.smartcardalliance.org/pages/councils-pac can help provide further background.

Of course interested parties can also contact me at IDmachines -> sal at idmachines dot com or go to our blog where there are multiple articles on the topic including: http://idmachines.blogspot.com/2011/04/draft-fips-201-2-workshop-persona...

Hope this helps. Best Sal