Meeting Federal Card Standards
Q: How do I install access control systems to meet the new federal standards on credentials?
A: In February of 2005, the National Institute of Standards and Technology (NIST) published the Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. FIPS 201 was developed to provide guidance for implementing the Homeland Security Presidential Directive 12 (HSPD-12) requirements set by President Bush in 2004 for a common Federal identification credential that is to be used to access both physical and logical facilities and information systems.
This movement to a standard credential is not limited to the federal government alone. State and local governments are considering complying with the standard, and many employees of government contractors will need to use compliant credentials. Because of this, it may be advantageous for these contractors to use compliant credentials in their own facilities. As the government and private industry work to meet the October 2006 deadline, you will hear more and more about FIPS 201.
In September 2005, the Smart Card Alliance issued a white paper to provide a roadmap to the key specifications that agencies need to consider in implementing FIPS 201-compliant physical access control systems. It provides an overview of the key open questions where work is still being done on standards definition and implementation guidance.
The white paper lays out the impact of FIPS 201 on Federal physical access control systems, covers the components and operation of a compliant system, and describes the requirement for a credential and how the credential should be used throughout the Federal Government.
The standard is not limited to equipment. It also lays out requirements for how identity is verified before a credential is issued. The complete white paper and other resources are available free at www.smartcardalliance.org/index.cfm. Additional information, including tutorials on smart cards, a handbook of implementations, and reports on government progress and ongoing projects, is available from the federal government at www.smartcard.gov.
Q: What steps can I take to protect a client's access control system from compromise?
A: If you use a computer connected to a network, you should be aware of the threats that viruses and hackers pose. Computers that are part of access control systems are just as vulnerable to attack.
In addition, remote administration tools used for centralized administration and troubleshooting can allow your system to be compromised. Commercial products and free downloaded programs can be used to provide planned or clandestine control and monitoring from a remote location. Without proper safeguards, these programs can give unauthorized personnel access to passwords and other confidential information.
Antivirus programs and firewalls provide a degree of protection, but a recent white paper by the Smart Card Alliance describes some possible attacks and how adding a physical credential, such as a smart card, can help prevent remote administration software attacks. For more information, visit www.smartcardalliance.org/alliance_activities/dsi_resources.cfm.
Brad Shipp is a former Executive Director and Training Director for the NBFAA, where he authored several NTS courses, including the Access Control Certification course. His involvement in the access control industry dates back to 1974 and, in 1986, he became an instructor for the NBFAA National Training School. Shipp has served on several law enforcement, regulatory and industry association boards and has been honored for his service by the False Alarm Reduction Association and the International Association of Security and Investigative Regulators. Send in your access control questions to firstname.lastname@example.org.