Over the past 18 months, there has been tremendous change in the federal government's approach to managing physical access control and information security. On August 12, 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12), which mandated the establishment of a standard for identification of federal government employees and contractors. HSPD-12 requires the use of a common identification credential for both logical and physical access to federally controlled facilities and information systems. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.
Requirements, Short and Sweet
HSPD-12 requires that the federal identity credential be secure and reliable. This means the credential:
• Must be issued based on sound criteria for verifying an individual's identity;
• Must be strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
• Must be able to be rapidly authenticated electronically; and
• May be issued only by providers whose reliability has been established by an official accreditation process.
As a result of HSPD-12, the Department of Commerce and National Institute of Standards and Technology (NIST) developed a new standard for secure and reliable forms of identification, the Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. This standard provides specifications that govern the entire chain of trust of the identity system and specifies a single smart card—the PIV card—for both physical and logical access, as well as other applications as determined by the individual agencies.
This article summarizes some of the key aspects of FIPS 201, its impact on physical access control systems, and future impact on both government and commercial secure identification implementations.
Identity Proofing Requirements
Federal agencies must follow the standard FIPS 201 identity proofing process when they provide official government identification to new or current employees, contractors and affiliates. Adherence to a uniform identity proofing process that includes a threat/risk assessment for all employees and contractors across the federal government provides a basis for trust among agencies and helps ensure that cardholders are who they claim to be.
FIPS 201 also applies to citizens of foreign countries who are working for the federal government overseas, although there are special registration considerations and procedures for these workers.
Verifying the individual's identity is the first step. FIPS 201 mandates processes and provides guidance on both the source documents required to validate an individual's identity and the process for issuing a PIV card. Below are the general requirements for PIV identity proofing and registration:
• The process must begin with a background check of the individual applying for a card, and the check must be completed before a card is issued.
• The applicant must appear at least once in person in front of a PIV official before a credential can be issued.
• The applicant must provide two identity source documents in original form from a published list of acceptable documents. One of the documents must be a valid (unexpired) picture ID issued by a state government or the federal government.
• The process must adhere to the principle of separation of roles. No single individual has the power to issue a PIV card without the cooperation of another authorized person.
The Elements of the Smart Card
FIPS 201 requires that the PIV card be a smart card. The card body is similar to a credit card and conforms to the ISO/IEC 7810 specification. The card contains both contact and contactless interfaces, which can be provided by two separate integrated circuit chips (ICC) or by one dual-interface ICC.
The contact interface must conform to the ISO/IEC 7816 specification, and the contactless interface must conform to the ISO/IEC 14443 specification. In most cases, physical access applications will use the contactless interface, although there are special cases in which the contact interface will be used.
The PIV card contains multiple data elements that are used to verify the cardholder's identity at graduated assurance levels. The required data include a personal identification number (PIN), the cardholder unique identifier (CHUID), PIV card authentication data (one asymmetric key pair and corresponding certificate) and two fingerprint biometric minutiae templates.
The CHUID contains a federal agency smart credential number (the FASC-N) that identifies each card uniquely within the federal government and can be used in the physical access control system (PACS). It is written to the FIPS 201-compliant card chip or chips and is available from both the contact and contactless interfaces.
In a FIPS 201 implementation, the organization must be able to enroll individuals' PIV cards into the local PACS, access PIV card status information to determine whether a card has been revoked (e.g., because an employee was terminated), and use the new PIV card data elements (e.g., the CHUID or portions thereof) to make access control decisions.
Agencies and departments will have different approaches to PIV card enrollment, depending on their security requirements, their PACS, and their use of credential data. For example, some organizations may require data to be “pushed down” from the central identity management system (IDMS) to the PACS server's user database, with pre-registration for physical access privileges. Others may simply need to know that the new PIV card will work in the current system.
In general, enrollment of a PIV card into a PACS requires that cardholder demographic data and CHUID data be entered into the PACS, the PIV chain of trust be validated to the level required by the federal agency accepting the card, and access privileges be assigned.
Once a PIV card has been enrolled and is being used, FIPS 201 requires that all implementations include the capability to remove and revoke registered access privileges centrally, should a person move or leave the organization. This can be accomplished in a number of ways.
The PACS server database can be updated periodically from the central identity management system or card management system. When a credential is revoked, the expiration date could be changed and downloaded to the PACS server. The PACS server receives the expiration date and distributes it to the user record in the relevant controllers, which then make an access-or-deny decision for that employee's credential. Alternatively, the PACS enrollment officer may manually revoke or change access privileges for an employee, using a real-time process that changes the access privileges for the card instantly.
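As an added example (not code from the article or from any PIV or PACS product), the following Python sketch ties together two pieces described above: splitting the FASC-N into its fields so that a portion of the CHUID can key the PACS user record, and the enrollment, central revocation-by-expiration and controller access/deny decision from the PACS paragraphs. The 32-digit FASC-N field layout is reproduced from the FASC-N specification that SP 800-73 references rather than from the article, the sample FASC-N is constructed, and keying records on agency code + system code + credential number is this example's own choice.

```python
from datetime import date
# 32-digit FASC-N layout (name, width) from the FASC-N spec SP 800-73 references; not given in the article.
FASCN_FIELDS = (("agency_code", 4), ("system_code", 4), ("credential_number", 6),
                ("credential_series", 1), ("individual_credential_issue", 1),
                ("person_identifier", 10), ("organizational_category", 1),
                ("organizational_identifier", 4), ("person_org_association", 1))
# Constructed sample FASC-N (not a real credential): agency 9999, system 0001, credential 000123.
SAMPLE_FASCN = "99990001000123011234567890112341"

def parse_fascn(digits: str) -> dict:
    if len(digits) != 32 or not digits.isdigit():
        raise ValueError("FASC-N must be 32 decimal digits")
    fields, pos = {}, 0
    for name, width in FASCN_FIELDS:
        fields[name] = digits[pos:pos + width]
        pos += width
    return fields

def pacs_identifier(digits: str) -> str:
    # The CHUID portion this example keys PACS records on (an assumption of this example).
    f = parse_fascn(digits)
    return f["agency_code"] + f["system_code"] + f["credential_number"]

class Pacs:
    # Minimal PACS user database plus the controller's access/deny decision.
    def __init__(self):
        self.records = {}   # pacs_identifier -> {"expires": date, "doors": set}

    def enroll(self, fascn: str, expires: date, doors) -> None:
        self.records[pacs_identifier(fascn)] = {"expires": expires, "doors": set(doors)}

    def revoke(self, fascn: str, today: date) -> None:
        # Central revocation pushed down to the PACS as an expiration-date change.
        rec = self.records.get(pacs_identifier(fascn))
        if rec is not None:
            rec["expires"] = today

    def decide(self, fascn: str, door: str, today: date) -> bool:
        rec = self.records.get(pacs_identifier(fascn))
        if rec is None or today >= rec["expires"]:   # not enrolled, expired or revoked
            return False
        return door in rec["doors"]

def demo() -> tuple:
    pacs, today = Pacs(), date(2006, 6, 1)
    pacs.enroll(SAMPLE_FASCN, date(2007, 1, 1), ["lobby"])
    before = (pacs.decide(SAMPLE_FASCN, "lobby", today), pacs.decide(SAMPLE_FASCN, "lab", today))
    pacs.revoke(SAMPLE_FASCN, today)
    return before + (pacs.decide(SAMPLE_FASCN, "lobby", today),)
```

`demo()` returns the lobby decision before revocation, the decision for an unassigned door, and the lobby decision after the expiration date has been pushed down.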
While FIPS 201 defines many aspects for an interoperable federal identity card, the standard also provides a variety of options for implementation and permits individual agencies to define their own approaches to meeting agency-specific access requirements.
What Does FIPS 201 Mean for Other Organizations?
The impact of FIPS 201 is not restricted to the federal government. State and local governments are being encouraged to adopt the provisions of FIPS 201, and businesses that provide goods and services to the federal government will find that a substantial segment of their workforce will need to be credentialed. Security systems manufacturers are actively engaged with the government to assist in defining the details of how FIPS 201 will be implemented and are developing products to meet the standard.
To ensure that standard-compliant products and services are available, NIST has established the NIST Personal Identity Verification Program (NPIVP) to validate PIV components and sub-systems required by FIPS 201. The NPIVP currently includes FIPS 201 interface validation of PIV card applications and PIV middleware for conformance to the SP 800-73 specification. Additional validation programs will be added as the PIV program evolves. Providers of products and services that are determined to conform to the standard will be eligible to offer approved products and services on a new General Services Administration procurement vehicle, which will be established to align all agency acquisitions with FIPS 201 policy.
The private sector is heading toward the use of similar technologies and controls. Over the past two years, large leading-edge enterprises such as Boeing, Microsoft, Sun Microsystems and Johnson & Johnson have started to use smart cards for both physical and logical access control authentication. Other enterprises have watched their progress carefully and are now planning their own implementations.
Pushing Convergence into the Mainstream
FIPS 201 and other initiatives that are being implemented to improve identity authentication are driving a paradigm shift for government agencies, businesses and security and identity product and service providers. This shift is forcing a convergence of physical and logical access, requiring the adoption of new processes and technologies and forcing organizations to rethink their approach to managing access and authentication. FIPS 201 has catalyzed the industry and government to work together to develop and implement standards-based solutions that address the new market realities and facilitate this transition.
The migration of the federal government to FIPS 201-compliant PACS, the move by industry to combine physical and logical access systems, and the work on supporting standards are all ongoing efforts. It is critical for all organizations—government and commercial—to closely follow the industry activities and the evolving standards. Extensive information about the status of the standards can be found on the Smart Card Alliance Web site (www.smartcardalliance.org) and on the NIST PIV Program Web site (http://csrc.nist.gov/piv-program/index.html).
With government deadlines for FIPS 201 compliance quickly approaching, the government is leading the way to implementing interoperable, standards-based approaches and technologies for secure identification for physical and logical access.
Randy Vanderhoof is executive director of the Smart Card Alliance, a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Smart Card Alliance Physical Access Council focuses on activities that are important to the physical access industry and that address key issues that organizations have in deploying new physical access system technology. For more information, please visit www.smartcardalliance.org.