This month, the deadline arrives for government agencies to begin issuing interoperable smart cards to all government employees and contractors. In the past months, agencies have worked to meet the goal of issuing cards, and all are in different stages. The program, mandated by Homeland Security Presidential Directive 12 (HSPD-12), requires government agencies to converge physical and logical access control onto a single credential.
Converging physical access with logical access using smart card technology will be highly beneficial to the federal government, but it also raises a unique set of challenges for the agencies. In particular, agencies will need to address issues that were handled by separate functional groups in the past, and most will need to overhaul legacy physical access control systems that did not previously use smart card technology.
Perhaps the most significant new capability is that these cards can be used to secure access to government information technology systems and networks. The smart card brings government agencies and departments far beyond simple name and password logon to strong, two- or three-factor authentication. Smart cards work with many authentication techniques. Any combination of password files, public key infrastructure certificates, one-time password seed files and biometric image templates can be stored on a single card.
These cards also feature new, more secure physical access control technology. Agencies are given some time to fully implement a complete physical access control system (PACS) using the new technology. But from day one, people will need to use the new credentials to get to work. In this article, we will take a closer look at the physical access control requirements presented by HSPD-12 and the resulting standards, and examine key migration considerations for agencies implementing the program.
A Closer Look at HSPD-12 and PIV
HSPD-12 requires that the federal identity credential be secure and reliable, meaning:
• It is issued based on sound criteria for verifying an individual’s identity;
• It is strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation;
• It can be rapidly authenticated electronically; and
• It is issued only by providers whose reliability has been established by an official accreditation process.
As a result of HSPD-12, the Department of Commerce and the National Institute of Standards and Technology (NIST) developed a new standard for secure and reliable forms of identification, the Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. This standard specifies a single smart card—the PIV card—to be used for both physical and logical access, as well as other applications as determined by individual agencies. In addition, the standard provides specifications that govern the entire chain of trust of the identity system.
FIPS 201 requires that the PIV card be a smart card with both contact and contactless interfaces. While in some higher-confidence instances the contact interface will be used for physical access, the contactless interface is most useful for PACS, as it combines security with the speed needed in high-throughput facilities such as government agencies.
Why Contactless for Physical Access Control?
Most government agency facilities are presently secured using 125 kHz proximity, Wiegand, or magnetic stripe technologies. Why move to contactless smart card technology? Simply put, contactless smart card technology provides strong security features layered between cards, readers and control systems that these other technologies do not have.
Contactless smart cards, not to be confused with RFID tags, are small computers. They include microcontrollers, memory, operating software and applications. These features are used to securely manage, store and provide access to data on the card while performing complex computer-to-computer security functions.
Contactless smart cards, like the older proximity cards, work using radio frequency (RF), which means that they don’t have to be inserted or swiped in order to be read. This means they have the same advantages as proximity cards—speed and convenience for access control.
However, a PACS with smart card technology can support much stronger security features. Mature and proven, these techniques strengthen the trust relationship between an agency and the employee presenting the ID credential.
Contactless smart cards can protect the integrity, confidentiality and privacy of information stored or transmitted through such features as mutual authentication, strong information security using encryption, strong contactless device security that makes it extremely difficult to duplicate or forge, and authenticated and authorized information access.
Now that we know why the government is moving to contactless smart card technology for PACS, the next question is, how? What are the key considerations that agencies have to examine in order to move forward? To successfully implement a PACS that is compliant with FIPS 201, each agency will need to examine the migration from organizational, card and system perspectives.
In the past, logical and physical access control functions have been separate domains managed by different personnel implementing related but uncoordinated policies. As a result, the architecture, equipment, and identity verification requirements were independent and oriented toward their specific functional goals. The staff was trained and experienced in different security skills, with the PACS typically managed by security personnel and the logical access control system managed by the IT department.
FIPS 201 changes all of that. It is not just a convergence of technologies; it is a convergence of people and processes. These two previously separate groups, each with its own strengths and weaknesses, have to come together, collaborate closely, and devise strategies to link physical access with IT infrastructures and make them interoperable.
Incorporating New Cards and Readers into Legacy PACS
Because many government agencies’ existing PACS have not included contactless smart card technology, the PIV migration cannot happen overnight. A more appropriate approach for agencies is a transitional path.
“There will definitely be a transition period where some employees will have FIPS 201 compliant cards, while others will still have legacy cards,” said Lars Suneborn, a member of the Smart Card Alliance Physical Access Council Steering Committee and the director of government programs for Hirsh Electronics. “Vendors are expecting this transition period and are producing readers that can read both proximity and contactless technologies. These readers have two antennas for the differing frequencies. For those government agencies that utilize magnetic stripe or other different technologies, they will need two separate readers on each door.”
But these readers can’t be installed overnight, either. To combat this problem, agencies can issue a multi-technology card—a single card with more than one technology built into it. For example, an agency that has a legacy system that uses 125 kHz proximity technology can issue a card that has this technology plus the contact and contactless technologies required to make it FIPS 201 compliant. This way, employees are still able to enter facilities easily until all of the new readers are in place.
Building a New PACS System
Beyond the actual smart cards and readers, the biggest consideration for each agency is the existing PACS backend system. In order for the transition to smart card technology to go smoothly, each agency needs to take a close look at, and possibly revamp, the whole system.
Because the PACS system has to “talk” to the logical access system, the PACS will need to become network based. Systems need to be ready to handle larger amounts of data. There are two reasons for this. One, because of the transition period, the system needs to be ready to process data from the legacy cards as well as the new FIPS 201-compliant cards. Two, each user record for a FIPS 201-compliant card is going to be much longer.
“Smart cards and readers are just the tip of the iceberg here,” said Suneborn. “In addition to larger amounts of data required, government agencies need to consider new issuance systems, validation back-end systems and access control systems.”
Suneborn and the Smart Card Alliance Physical Access Council are currently working on a “how-to” guide to get government agencies through the first phases of the PACS migration to support PIV cards. This document, called “Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility,” includes all of the information an agency’s FIPS 201 compliance team needs to be aware of, including how to assess current systems and how to devise a plan of what needs to be purchased. Anyone who is interested in learning about and contributing to this document or other activities should join the Smart Card Alliance and its Physical Access Council. More information can be found at www.smartcardalliance.org.
“Migrating to a FIPS 201-compliant PACS is a very significant undertaking that will be a long process. With our guide, our goal is to bring agencies to square one. Square two—implementation—will vary greatly depending on the agency,” added Suneborn.
Randy Vanderhoof is executive director of the Smart Card Alliance, a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Smart Card Alliance Physical Access Council focuses on activities that are important to the physical access industry and that address key issues that organizations have in deploying new physical access system technology. For more information, please visit www.smartcardalliance.org.