"Most agencies do not know how many systems they've got, because they were all locally acquired and there's no central inventory," Bishoff said. "The most bizarre case we saw was a building with five physical access control systems. Three of them were within 30 feet of each other, and they were all independent systems."
Integrators also will have to help formulate a migration plan. Because of the large numbers of readers and possibly control panels at many different buildings, project teams will need a strategy for cutting over to a new system while allowing unfettered access through the old.
"You can't replace all your existing readers in one shot," Regelski said. "You need a strategy. It could be multiple cards or new cards with old tokens embedded."
Last December, SmartNet Inc. of Frederick, Md., finished transitioning the Air Force Institute of Technology at Wright-Patterson Air Force Base to a new physical security system designed to support both the current Defense Department Common Access Card and the future contactless personal identity verification card. Keith Wilson, SmartNet's vice president of operations, said the company did the work in phases.
"We did new buildings first because we didn't have to transition the security systems," Wilson said. "Once the new buildings proved out, were connected and everything was working, we transitioned or replaced the components of the system."
The SmartNet deployment covers 148 doors in five buildings. The company expects to start integrating FIPS 201-prescribed fingerprint biometrics in April.
The good news for government is that despite all the effort that must go into upgrading systems to meet HSPD-12 mandates, the move to an integrated security infrastructure could save money. Authsec did an analysis for a large agency and found that if the agency had gone with a FIPS 201 security strategy, it would have saved $32 million in 2005.
"FIPS 201 and HSPD-12 create the opportunity for savings," Bishoff said, "but it's going to be real expensive to get there."
And that could be the rub.
"Congress is being pretty stingy," Webber said. "A lot of people can't see through the trees to how they're going to be able to pay for this. ... This has the potential to be a huge mess."
Now that agencies have hopefully met requirements for part one of the Personal Identity Verification program, the clock is ticking to the Oct. 27 deadline for part-two compliance.
Agencies must have systems in place by then to begin issuing the interoperable smart ID cards mandated by Homeland Security Presidential Directive-12. Technical specifications for the cards and the data they will contain are being developed, and products are only beginning to be certified against Federal Information Processing Standard 201.
In the meantime, here are some things agencies can consider as they plan for the second phase of PIV:

- Enrolling thousands of workers, many of them scattered across the country, is not a trivial issue. Thought must be given to getting these employees to the enrollment system or getting a system to remote workers.

- Back-end systems will have to be in place to hold the data being gathered for use with PIV cards. These systems need to be interoperable with other systems so the data can be used.

- HSPD-12 does not specify how the new cards are to be used, but leveraging the technology will require enabling IT applications and physical access control systems. Without this, PIV will be just another photo ID.

- PIV cards are all about security; they must be tamper-resistant and difficult to counterfeit. Security features that go beyond the basic requirements for the cards are available and could be considered to meet an agency's specific needs. "There is a lot of technology behind these cards that you can employ that is not incorporated in the standards," said Mike Gibbons, lead of Unisys Corp.'s enterprise security practice.

- The biometric specification calls for including two index fingerprints on the card. What about those without two index fingers? Provisions should be made for alternate biometric features and systems to authenticate them.

- Decide which facilities pose the highest risk and plan to secure them first.

- Plan to implement the system modularly, so pieces can be added or upgraded when needed.
Reported by Washington Technology