FIPS tips

March 20, 2012
Multi-credential readers can help smooth the transition

To comply with the FIPS 201 Personal Identity Verification (PIV) standard, cards that are solely contact or solely contactless cannot be considered; in fact, specific standards are required for the combined contact and contactless smart card. The card reader, however, is a different matter.

At a facility, the only requirement of the card reader is that it be capable of reading the FIPS card and communicating with the access control system. Facilities can install any brand of reader that is FIPS-compliant and will read either the contactless or contact portion of the FIPS card.

Here’s a startling fact — the great majority of federal employees now have FIPS 201 cards, but only a small group use the cards for physical access control. Originally, when the program was started, the government was most concerned over logical control, but those days are over. Approximately a year ago, the government issued a memorandum instructing federal agencies to “aggressively step up their efforts” to use the FIPS 201 card as “the common means of authentication for access to that agency’s facilities…”

Although the government issued a memorandum, it did not issue the additional cash required to implement this improved level of physical access control. In an era of tight budgets, both companies doing business with the government and government agencies themselves have been unwilling to scrap their current proximity card-based access control systems, which are doing the job for them, for new ones that meet FIPS 201 standards. However, they are aware that any upgrades planned for the immediate future must read their current proximity card as well as the FIPS 201 smart cards in the future. And, like so many migration initiatives, both the old and the new will have to be used concurrently for a time, meaning proximity and FIPS 201 cards will need to overlap, at least to start.

Maintaining access to a facility while operating both proximity and FIPS 201 smart cards is not a problem, thanks to multi-technology readers, which are compatible with both FIPS 201 credentials and current popular proximity and smart card technologies. These multi-technology readers will read existing proximity cards as well as the new FIPS 201 cards, so both can be in use at the same time.

Just remember that not all multi-technology readers are created equal. Users need to verify not only that their proposed reader technology meets the FIPS 201 card interoperability standards, but also that their physical access control system communicates with that reader. In other words, they must be sure that the multi-technology reader reads both 13.56 MHz smart cards and 125 kHz proximity cards.

The problem is that not all manufacturers’ readers are capable of reading the many card formats approved by the government. If the organization also uses a PIN, it will need a reader with a keypad as well. Lastly, the readers must be properly configured to communicate with the access control system after reading the card.

Note that installation issues can be mitigated if the readers are installed as a complete system from the factory with specific FIPS 201-compliant components, including the lock, panel interface and reader. The government typically insists that the lock meets ANSI/BHMA Grade 1 requirements. By choosing the right multi-credential reader for access control, users can flexibly plan for the future, using their present proximity cards today while migrating to the FIPS 201 smart cards when budgets allow.

Because each application is unique, buyers should consult with an integrator or security consultant.

David Ilardi is Director of the Government Vertical Market for Ingersoll Rand Security Technologies.