At the reader: Replacement readers could include the validation functionality; however, the new readers would require more powerful (and costly) processors to perform the cryptographic operations associated with PKI validation. This approach also requires two-way communications with external networks or the head-end in order to receive periodic downloads of certificate status data and trust anchors for signature verification, and to service path discovery requests for any visitors with PIV or PIV-I cards.
At the panel/door controller: Putting the time-of-access validation into the panel or door controller components is a more attractive approach in that it addresses most of the deficiencies and security issues associated with the first two strategies, because the security-related processing is performed on the secured side of the PACS boundary. This approach also has the potential to require less rewiring, and, with a battery backup, the system would continue to operate in the event of power loss.
A separate module: An alternative to upgrading or replacing all the panels and/or door controllers is to augment the existing system functionality with a new “plug-in” module. To be successful, this new module must work with the existing PACS panels and door controllers as they are, without any changes. This approach is the most cost-effective way to enable PIV.
Regardless of the approach taken to upgrade the PACS to a FIPS 201-compliant solution, keep in mind that the changes touch a few key areas. Make sure that any new card readers installed are technically compatible with the physical characteristics of the PIV card and add the ability to read and interpret the data on the PIV card. And using strong PKI-based validation at enrollment and at time-of-access will guard against cloned, forged or revoked credentials.