Special Report: Government Security - How to Get FIPS Compliant

A government access control roadmap to credentialing, authentication and validation


The introduction of the PIV card represents a major step forward in the standardization of access control within the federal government. There is now one standard identity card that is centrally issued and is recognizable and trustable by all government agencies.

According to a memo issued in 2012 by the Office of Management and Budget, called OMB M-11-11, “logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.” Because of this, it’s important for security professionals to truly understand how to upgrade their PACS to achieve a FIPS-201 conformant physical access control solution.

While using the PIV card in existing physical access control systems (PACS) will require some changes, it will not necessitate a wholesale rip-and-replace of existing PACS components, including door controllers and door readers. Still, conforming to FIPS-201 is a multi-step process: beyond thoroughly understanding all of the components that comprise a FIPS-201-compatible PACS, it also means knowing how to select the right PIV-enabling solution, how to get that data into the system and how to validate the credential.

By following a few steps, it is possible to achieve a secure and interoperable approach with PIV identity cards that is both cost-effective and provides strong PKI-based validation at the time of access.

 

Compatible Credentials

When upgrading an existing PACS rather than deploying a new one, security professionals have several potential approaches to enabling support for FIPS 201 credentials. Some of these are less costly and more secure than others. Regardless of the approach taken, a suitable way of PIV-enabling an existing PACS should meet the following criteria:

• Minimal custom modification, which is typically expensive and difficult to maintain when compared with a commercial, off-the-shelf approach.

• Don’t box yourself in: A PIV-enabling solution should not be tied to a specific make or model, so that future upgrades of the PACS components will be much easier to achieve.

• GSA approved: GSA’s FIPS 201 Evaluation Program provides an Approved Products List (APL) with four “Authentication System” categories: CHUID Authentication System, CAK Authentication System, PIV Authentication System and BIO Authentication System. In addition to the four “Authentication System” categories identified by the GSA APL, NIST Special Publication 800-116 identifies four authentication mechanisms suitable for controlling access to “controlled”, “limited” and “exclusion” areas. The PIV-enabling solution should support all of these mechanisms and provide the capability to dynamically switch between them in response to changes in threat level.

• Support for both PIV-I and CIV cards: PIV Interoperable cards are used by federal contractors who are included in the HSPD-12 mandate and may need access to a controlled facility. This capability will enable PIV-I visitors as well as temporary PIV-I cardholding employees to use the access control system. CIV cards have the same technical format as PIV-I cards and are technically usable in a PIV-enabled access control system.

 

Understanding PIV Credentials and Enrollment Options

In order to use a PIV card to open a door, the system needs to be capable of reading the card. Also, a record of that PIV card must exist in the PACS cardholder database. A PIV card is an ISO 14443 type smart card with a contactless interface that operates at 13.56 MHz. The most common identity cards in use today are contactless proximity cards, which operate at 125 kHz. This creates an incompatibility in communication protocol, and in some cases supporting the contact interface may require replacement of the readers.
