Standards and Legislation
Are You Ready for HSPD-12/FIPS 201 Access Control?
The migration path to federal ID card standards requires IT coordination with physical access

Open Security Exchange's President Gary Klinefelter says that physical security is not getting as much attention from government agencies as logical access and interoperability standards. His advice: Formulate your physical access control plans now to make sure that physical security isn't an afterthought in FIPS 201 implementation.
SecurityInfoWatch.com
While NIST and GSA struggle to make headway on testing the equipment for FIPS 201 -- cards, readers, interoperability -- it is very clear that physical access is not getting as much government attention as logical access and the issuance of interoperable cards. Interoperable logical access has the advantage of standard readers and fewer vendors.
Homeland Security Presidential Directive 12 (HSPD-12) addresses the security threat of physical access. FIPS 201, a NIST publication which embodies HSPD-12, also recommends physical building access changes. Last month, the Security Industry Association and Smart Card Alliance held a forum in Washington on Physical Access Control to discuss these changes.
To have interoperable cards, the GSA -- with the help of the NIST -- has to ensure that multiple vendors have implemented Federal Information Processing Standard (FIPS) 201 and its myriad of special publications in a way that makes it possible to use a given card on multiple systems between agencies. This is a large task all by itself. In the logical computer environment, once the readers and cards are interoperable, the credentials (cards) can be issued. There may be some software needs related to interoperability to be resolved.
In the physical access world, it's a different story. Some physical access systems don't talk to IT systems at all. The newer systems that do talk to IT aren't compatible with the credential information required for FIPS 201. Some agencies don't have physical access systems at all, and others have systems that are owned by their building operators. To make it all worse, the funding for physical access in many cases is not available.
One approach to this dilemma is to maintain the ability to use older technology. In October 2006, agencies need to start issuing FIPS 201 cards that meet electronic interoperability requirements. For a few extra dollars per card, older technology solutions for physical access like magnetic stripes and proximity chips can be added to the card. This provides a migration path to the smart contactless technology that is part of the FIPS 201 requirement. Agencies that have legacy equipment or are tenants in buildings can then extend their timeframe for changing the physical access system.
In the meantime, there are important considerations that will get an agency ready for improved physical access control. First, security administrators must look at the policies and procedures for logical and physical access. Can administrators provide personnel with one method of enrollment to enable physical and logical access?
Can they improve their logical connection to the existing access control system so that privileges for physical access are more automated? Is there a single logical repository for physical and IT access so that these privileges don't get out of sync? In other words, have they taken away an employee's computer access but not removed his ability to do physical harm?
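One way to run the cross-check the last two questions describe, as an added example that is not from the article or from Open Security Exchange: it loads constructed CSV snapshots of an IT directory and a physical access control system (the file layouts, column names and status values are assumptions) and lists every identity whose physical and logical privileges disagree.

```python
import csv
import io
from typing import Dict, List

# Constructed sample exports (not real agency data). In practice the logical
# snapshot would come from the IT directory and the physical one from the PACS.
LOGICAL_CSV = """employee_id,name,account_status
1001,Alice Example,active
1002,Bob Example,disabled
1003,Carol Example,active
1004,Dan Example,disabled
"""

PHYSICAL_CSV = """employee_id,badge_status
1001,active
1002,active
1003,revoked
1005,active
"""


def load_status(csv_text: str, status_col: str) -> Dict[str, bool]:
    """Map employee_id -> True if the record grants access, False otherwise.

    Any status other than 'active' (disabled, revoked, expired, ...) is read
    as 'no access', which is the safe interpretation for a reconciliation.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["employee_id"].strip(): row[status_col].strip().lower() == "active"
            for row in reader}


def reconcile(logical: Dict[str, bool], physical: Dict[str, bool]) -> Dict[str, List[str]]:
    """Flag identities whose physical and logical privileges are out of sync."""
    findings = {"badge_active_account_disabled": [],   # the case the article warns about
                "account_active_badge_revoked": [],
                "badge_without_directory_account": []}
    for emp_id, badge_ok in physical.items():
        if emp_id not in logical:
            if badge_ok:  # a live badge the IT directory knows nothing about
                findings["badge_without_directory_account"].append(emp_id)
            continue
        if badge_ok and not logical[emp_id]:
            findings["badge_active_account_disabled"].append(emp_id)
        elif logical[emp_id] and not badge_ok:
            findings["account_active_badge_revoked"].append(emp_id)
    return {k: sorted(v) for k, v in findings.items()}


def run_reconciliation() -> Dict[str, List[str]]:
    return reconcile(load_status(LOGICAL_CSV, "account_status"),
                     load_status(PHYSICAL_CSV, "badge_status"))


if __name__ == "__main__":
    for category, ids in run_reconciliation().items():
        print(f"{category}: {', '.join(ids) or 'none'}")
```

Employees present only in the IT directory with no badge record (1004 above) are not flagged, since they hold no physical privilege to revoke.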