Are You Ready for HSPD-12/FIPS 201 Access Control?

Feb. 13, 2006
The migration path to federal ID card standards requires IT coordination with physical access

While NIST and GSA struggle to make headway on testing the equipment for FIPS 201 (cards, readers, interoperability), it is very clear that physical access is not getting as much government attention as logical access and the issuance of interoperable cards. Interoperable logical access has the advantage of standard readers and fewer vendors.

Homeland Security Presidential Directive 12 (HSPD-12) addresses the security threat of physical access. FIPS 201, a NIST publication that embodies HSPD-12, also recommends physical building access changes. Last month, the Security Industry Association and Smart Card Alliance held a forum in Washington on Physical Access Control to discuss these changes.

To have interoperable cards, the GSA, with the help of NIST, has to ensure that multiple vendors have implemented Federal Information Processing Standard (FIPS) 201 and its myriad special publications in a way that makes it possible to use a given card on multiple systems across agencies. This is a large task all by itself. In the logical computer environment, once the readers and cards are interoperable, the credentials (cards) can be issued. There may be some software needs related to interoperability still to be resolved.

In the physical access world, it's a different story. Some physical access systems don't talk to IT systems at all. The newer systems that do talk to IT aren't compatible with the credential information required by FIPS 201. Some agencies don't have physical access systems at all, and others have systems that are owned by their building operators. To make it all worse, the funding for physical access in many cases is not available.

One approach to this dilemma is to maintain the ability to use older technology. In October 2006, agencies need to start issuing FIPS 201 cards that meet electronic interoperability requirements. For a few extra dollars per card, older technology solutions for physical access like magnetic stripes and proximity chips can be added to the card. This provides a migration path to the smart contactless technology that is part of the FIPS 201 requirement. Agencies that have legacy equipment or are tenants in buildings can then extend their timeframe for changing the physical access system.

In the meantime, there are important considerations that will get an agency ready for improved physical access control. First, security administrators must look at the policies and procedures for logical and physical access. Can administrators provide personnel with one method of enrollment to enable physical and logical access?

Can they improve their logical connection to the existing access control system so that privileges for physical access are more automated? Is there a single logical repository for physical and IT access so that these privileges don't get out of sync? In other words, have they taken away an employee's computer access but not removed his ability to do physical harm?
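The out-of-sync case raised above is easy to check for once both sides are in a repository that can be queried. The following is an added example written for this article, not code from the author, the Open Security Exchange, or any physical access control system (PACS) vendor; the record layouts, field names and sample data are constructed for illustration and do not represent the FIPS 201 data model. It reconciles a logical-access directory against a PACS badge list and reports every badge the PACS still honours even though the holder's IT account is disabled, missing, or the badge itself has lapsed.

```python
"""Reconcile logical (IT) account state against physical (PACS) badge state.

Added example with constructed data: the DirectoryUser and Badge records are
hypothetical layouts, not a FIPS 201 or vendor format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DirectoryUser:
    employee_id: str
    enabled: bool            # IT account still active?


@dataclass(frozen=True)
class Badge:
    badge_id: str
    employee_id: str         # who the PACS thinks holds this badge
    active: bool             # PACS still grants access on this badge?
    expires: date


def find_badge_drift(users, badges, today):
    """Return {badge_id: [reasons]} for every active badge that should not be.

    Reasons reported:
      'account-disabled' : PACS accepts the badge but the IT account is disabled
      'no-account'       : badge maps to no directory record at all
      'expired'          : badge is past its expiry date yet still active in PACS
    Badges already deactivated in the PACS are ignored; they are not a risk.
    """
    by_id = {u.employee_id: u for u in users}
    findings = {}
    for b in badges:
        if not b.active:
            continue
        reasons = []
        user = by_id.get(b.employee_id)
        if user is None:
            reasons.append("no-account")
        elif not user.enabled:
            reasons.append("account-disabled")
        if b.expires < today:
            reasons.append("expired")
        if reasons:
            findings[b.badge_id] = reasons
    return findings


# Constructed sample data (hypothetical employees and badges).
USERS = [
    DirectoryUser("E100", enabled=True),
    DirectoryUser("E101", enabled=False),   # separated; IT access already revoked
    DirectoryUser("E102", enabled=True),
]

BADGES = [
    Badge("B-1", "E100", active=True,  expires=date(2007, 1, 1)),   # consistent
    Badge("B-2", "E101", active=True,  expires=date(2007, 1, 1)),   # still opens doors
    Badge("B-3", "E999", active=True,  expires=date(2007, 1, 1)),   # nobody in directory
    Badge("B-4", "E102", active=True,  expires=date(2005, 12, 31)), # lapsed but live
    Badge("B-5", "E101", active=False, expires=date(2007, 1, 1)),   # already pulled
]


def report(today=date(2006, 2, 13)):
    """Run the reconciliation over the sample data for a given 'today'."""
    return find_badge_drift(USERS, BADGES, today)


if __name__ == "__main__":
    for badge_id, reasons in sorted(report().items()):
        print(f"{badge_id}: {', '.join(reasons)}")
```

Run on a schedule, a pass like this turns the "single repository" question into a measurable control: any badge it lists is a physical privilege that survived a logical deprovisioning, and the `expires` check catches the opposite drift, where a credential outlives its own validity period.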

Agencies should also review their plans for non-electronic (visual) physical access, which relies on photos with overlaid security features per FIPS 201. Will building guards know how to distinguish a phony badge?

Eventually the smart contactless upgrade recommended by FIPS 201 will make physical security more automated and interoperable, much the way PKI facilitates this on the IT side today. Having a physical migration path while agencies get their IT policies and procedures in place may be the best bet.

About the author: Gary Klinefelter is chairman of the Open Security Exchange of Piscataway, N.J., an industry organization working to create convergence and interoperability for physical and logical access control, and vice president of technology for Fargo Electronics Inc. of Minneapolis, Minn.