Becoming FIPS 201 compliant is a challenge

The US Department of Defense (DoD) issues Common Access Cards (CAC) to over 4 million military, retried military and contractors throughout the world. DoD was tasked with complying with the Federal Information Processing Standards (FIPS) Publication 201. FIPS 201 is a federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

AMAG Technology partnered with the DoD to upgrade an existing smartcard based access control system. AMAG Technology manufactures intelligent networked solutions scaled to manage security management challenges from small, remote facilities to multi-national organizations. Various groups within the DoD have AMAG Technology's existing Symmetry Security Management Systems that have been in place for as long as 10 years. The fully upgraded integrated system would address physical access control system (PACS) considerations in the DoD's mission to become Homeland Security Presidential Directive (HSPD) -12 compliant and utilize the next generation FIPS-201 compliant, DoD Common Access Cards.

The Symmetry Security Management System had to support the existing and the next generation FIPS 201 complaint Common Access Cards. Users would be issued their next generation Common Access Card when their older card expired, therefore there would be a number of years over which both versions of the card would be active.

AMAG Technology's Symmetry Common Access Card Reader with Symmetry Homeland Security Management System was chosen to implement the transition. The dual technology reader allowed the DoD to continue using their current access card (a contact chip smartcard with no contactless component) while upgrading to the FIPS compliant card that contains both contact and contactless interfaces.

"The system was originally designed before HSPD-12 using the SEWIG-012 Data Model, and it needed to move to the FIPS model," said AMAG Technology, Mid-Atlantic and Federal Regional Sales Manager, Walter Coady. "AMAG committed to the DoD that we would follow the evolution of FIPS 201 and manufacture a fully compliant reader."

Readers designed and manufactured prior to FIPS 201 were flashed to work. Using the Symmetry Common Access Card reader provided a cost effective solution due to its ability to be flash upgraded in the field. The reader offered the unique ability to read multiple smartcard technologies eliminating the need for an expensive hardware upgrade once all cards were FIPS-201/HSPD-12 compliant, and thus future-proofing the product.

Challenges

The DoD was an early adopter of using smartcards for physical access control. However, staying on top of ever-changing standards remained a challenge. AMAG has worked with the DoD and other Federal Government customers to support developing smartcard implementation guidance. In the Federal Government, standards often precede product availability. AMAG developed the Symmetry smartcard reader to meet customer demand.

Working through the process of developing a dual technology reader supporting both the earlier Common Access Card and the FIPS 201 compliant version was difficult. AMAG was developing the Symmetry reader at the same time the new cards were being developed, therefore there were no sample cards to work from. Understanding how the card was going to operate and how it would look was learned through trial and error.

The current security system needed to remain compliant and operational throughout the entire transition. Every time a card was swiped, the system had to work. Downtime was not an option. AMAG's engineering and product development team provided the migration path to full compliance with all of the specifications met.

While the original system used the SEIWG-012 data model, the actual card number was pulled from the Social Security Number field. The Social Security Number was subsequently classified as Personal Privacy Information, and could not be used in the system in that manner. Therefore, AMAG turned to the Electronic Data Interchange Person Identifier (EDI-PI) as the number on the card they would authenticate. In the FIPS-201 solution, the new data model includes the Federal Agency Smart Credential Number (FASC-N) within the Cardholder Unique Identifier (CHUID). The new reader firmware had to read the Federal Agency Smart Credential Number through the contactless interface, but the Electronic Data Interchange Person Identifier data off the contact interface of the older card.

"It was AMAG's vision to provide the highest level of interoperability for Personal Identity Verification cards from all agencies by following the intent of FIPS 201 by reading the Federal Agency Smart Credential Number from the Cardholder Unique Identifier," said Coady. "Access control requires fast throughput, and this new card provided real challenges in that area."

Significant effort by AMAG's product development team was put in on the project upfront to ensure the new FIPS compliant system will save time in the future and be more cost effective. Due to Symmetry's intuitive design, future upgrades will occur via the software, which is the least expensive to change. Expensive hardware upgrades will not be needed because of the dual technology Symmetry smartcard reader.

Lessons Learned

A close partnership among all entities involved was critical to the success of this project. Getting a commitment from the manufacturer, not just the integrator was pivotal. AMAG was involved in every aspect of the installation because migrating to FIPS 201 compliancy was new to everyone. AMAG's engineering and product development team tackled the challenges involved, eventually becoming the expert. At the time, this was so new, integrators were looking for guidance as much as the end users. AMAG was willing to dedicate the time, resources and effort to learn what was needed for the DoD to successfully upgrade to FIPS 201 compliancy.

AMAG Technology is a dedicated partner and has a long history supporting the US Government on smartcard programs, and has learned more from implementing standards compliant solutions than can be gleaned from reading documents. AMAG´s reputation as an innovator of sophisticated government security systems such as the Symmetry Homeland product portfolio has garnered respect in the government sector.

In many FIPS 201 solutions, the Federal Agency Smart Credential Number data isn't available to the security operator – it is not printed on the card or available on a cross-reference list. The system should have a means of reading the Federal Agency Smart Credential Number, and populate the card holder record within the SMS. That will speed up the process of enrollment.

Two-factor authentication was needed. The Symmetry Common Access Card Reader reads the Electronic Data Interchange Person Identifier number on the contact chip, but cannot get to the chip until it unlocks the Common Access Card with the card's PIN. Every time the card is used, the person must enter a PIN. This provides a two factor authentication. The challenge is that the FIPS compliant credential didn't require a PIN for contactless access to the data. The Symmetry application has the ability to require a PIN when using the card. During the transition time period to the contactless card, those with the older cards enter two PINs (the CAC PIN to unlock the card data and the SMS PIN). Contactless card users simply enter the SMS PIN.

The Symmetry Common Access Card Reader includes contact smartcard interface, contactless smartcard interface, keypad and LCD display. The reader is flash ROM programmable, which proved to be a huge cost savings since multiple firmware versions have been provided over the years to meet changing requirements. If not for this feature, various versions of the hardware would have to have been provided, increasing costs to all involved. AMAG's engineering efforts helped the DoD save a considerable amount of money.

The Symmetry Common Access Card Reader supports multiple card data formats. The ability of the reader to know what type of card was being presented and how to read that specific card enabled much of the functionality that was required to achieve compliance.

Future

AMAG Technology's Symmetry smartcard reader made the transition possible and saved money in the process.

Symmetry has given the DoD a migration path from the Common Access Card to the CAC-NG (next generation) without replacing any readers. AMAG is committed to supporting FIPS 201 and will continue working with customers on future changes that are made.

The Physical Access Control System is only a part of the overall picture of FIPS 201 compliance. While not specifically required by the standard, business process rules can be handled in a more automated fashion when the PACS is integrated with the Identity Management System (IDMS). The Symmetry system from AMAG Technology has the integration capability to allow such a solution as the requirements of the DoD may demand. Since then, Symmetry Security Management Solutions have been selected by a multitude of federal, state and local governments because it cost-effectively delivers the most reliable, flexible and technologically advanced converged security solution available. AMAG Technology will continue to dedicate time and resources to the DoD as standards change and upgrade over time. AMAG is proud to be a committed partner to the U.S. Federal Government in assisting them to become FIPS 201 compliant now and into the future.

Loading