What FIPS Means for the Security Industry

May 31, 2005
A look at the far-reaching impact of the new federal personal identification verification project

With ambitious objectives for enhancing security, preventing terrorism and increasing efficiencies, Homeland Security Presidential Directive (HSPD) 12 has changed the landscape of identification within the federal government.

The directive mandates a common identification credential for physical and IT access for employees of all federal agencies as well as employees of government contractors. For the first time, a common credential will be required for access to federal buildings and computer systems. The same credential will operate across agencies when desired.

The details of implementation of the directive are laid out in the Personal Identification Verification (PIV) project. PIV has two stages of deployment. The first stage, PIV I, deals with identity-proofing, registration and related issuance processes. It must be in place by Oct. 27, 2005. The second stage, PIV II, includes detailed specifications for personal authentication, access control and technical interoperability of PIV cards across the federal government. Although the date for final implementation is flexible, it is widely understood to be Oct. 27, 2006. This date will be finalized after the June 27, 2005 deadline for federal agencies to submit implementation plans for PIV I and II.

As the deadlines for implementation approach, this directive will have far-reaching impacts on manufacturers, government integrators and end users.

Manufacturers

The impact on manufacturers of smart cards, physical access readers, biometric systems, software systems and card printers is significant. Smart card manufacturers that provide the electronics and software needed for PIV II are rushing to make sure their solutions are ready. Many federal agencies are discussing implementing PIV II-compatible smart cards for PIV I in order to make the transition to PIV II smoother. Fortunately, there is a migration path for existing smart card implementations in the Department of Defense and other agencies that were started ahead of HSPD-12. These agencies will eventually reissue cards in order to fully meet the PIV II implementation.

Because PIV II requirements are based on existing government and international standards, physical access reader manufacturers are well positioned to address the federal need. Federal agencies with existing physical access implementations will need to replace or update physical access readers to fully meet PIV II.

The requirements for biometrics are still in draft form. Enrolling fingerprints for PIV cardholders should be straightforward, but how those fingerprints are used for PIV access and how they are protected for privacy have not yet been fully agreed upon.

The software systems architecture for PIV II is somewhat different from existing implementations. Interoperability requirements are aligned to international standards and therefore will also require changes to the systems already in place today. Most government integrators are in a position to support these changes.

Card printer manufacturers will see new challenges. Because the cards for the PIV II implementation include smart chips, contactless antennas and visual security requirements, printing PIV cards will not be as easy as in the past. Reverse transfer printing technology will provide the optimal printing solution for full coverage of the PIV card. The many irregularities that arise from putting electronic technology in a card will make direct printing on PIV cards difficult.

Distribution of printed cards should also be considered carefully. Using a central bureau may be an easy choice for a large integration, but it lacks the flexibility and security of printing on site. With on-site printing, an agency can better secure the valuable electronic cards and security overlaminates. On-site printing also removes the security gaps created by shipping cards and the delays of employees waiting for their cards.

Integrators

As all of the technology pieces fall into place, the PIV project will positively impact government integrators in the identification industry. A lot of new and replacement business will arise from this project over the next two years. Federal agencies will need software integration, readers and printers, secure materials like smart cards and security overlaminates, and the service and support that goes with them. Not all locations implementing PIV are large government facilities. Many are smaller satellite offices supporting larger government agencies, which leaves plenty of room for small and large integrators.

End Users

The recipients of the PIV cards are in a good position to realize the added security and efficiency that the presidential directive mandates. The previously inconsistent and potentially insecure forms of identification that have been used to access federal buildings and information systems will be eliminated as the PIV project is implemented. One of the large security gaps that the PIV program bridges is credential interoperability between agencies. This is a significant step forward in leveraging the right technology at the right time.

Industry groups like the Smart Card Alliance, the Open Security Exchange (OSE) and the Security Industry Association are now examining how PIV can be leveraged in private industry. The lack of standardized smart card implementations has stalled the growth of combined credentials for physical and IT security. PIV paves the way for off-the-shelf solutions that close security gaps between physical and IT security. At the heart of it all is a smart card combined credential. With combined credentials as the basis for enterprise security, employee provisioning and systems integration can be developed for interoperable systems that securely share data and can verify credentials. At a recent meeting of the OSE Convergence Council, enterprise security officers indicated that one of their highest priorities was to have simplified identification credentials for combined physical and IT security. With emerging regulations like Sarbanes-Oxley and Gramm-Leach-Bliley regulating accountability in the enterprise, the ability to know not only who has access to computers, but also who has access to property and facilities is becoming paramount. The foundation that the federal government has laid will enable safer and more accountable work environments. Once combined credentialing is ubiquitous across the enterprise, business rules that define intelligent security become possible because of the interoperability between physical and IT systems based on smart credentials.

About the author: Gary Klinefelter is the chief technology officer (CTO) for Eden Prairie, Minn.-based Fargo Electronics, a provider of ID/access control card printing solutions, and chairperson of the OSE (Open Security Exchange), an industry organization working to create convergence and interoperability for physical and logical access control.