Feds Roll Out Single-Card Solution


Once there was a very large corporation with hundreds of divisions and subsidiaries operating all over the world. Each division had its own method for identifying employees. Through the years, this corporation had installed many different types of systems to control access to the individual parts of the organization, many of which could not effectively communicate with one another. 

When employees had to work with other divisions, such as in a time of corporate crisis, additional ID and access credentials had to be issued because one division did not trust the identity verification process of another division.

Finally, the leaders of the many divisions realized this situation must be resolved. They convinced the CEO to write a one-page memo setting a new strategy for identifying individuals throughout all divisions and requiring this new method to be used when accessing all of the corporation’s high-risk assets, be they physical facilities or computer systems. 

Of course, the corporation in this story is actually the United States Federal Government and the CEO’s one-page memo (written by President Bush) is better known as Homeland Security Presidential Directive 12 (HSPD-12). 

Even systems integrators only vaguely familiar with the new standards resulting from this memo can recognize what the federal government is now implementing as nothing more than what many large, multiple-facility or divisional organizations have been doing for many years. That is, attempting to merge diverse systems for ID and access control into a “one-card” solution. 

In order for the typical integrator to further pursue the business opportunities available with the many departments, agencies and government contractors that must comply with HSPD-12, it is necessary to gain a firm grasp of these new requirements. Systems integrators should also realize the potential for using the framework of these standards to assist other private and public sector organizations in pursuing a similar path of interoperability. 

HSPD-12 Defines ‘Secure and Reliable Forms of Identification’
Like most directives from organizational leaders, HSPD-12 stated (and mandated) “what” was to be implemented, not “how” it would be accomplished. 

Well before HSPD-12’s publication on Aug. 27, 2004, efforts were underway to develop interoperable access systems to both physical (doors) and logical (computer) assets of the federal government. In fact, major initiatives had begun rollout using integrated circuit card (ICC) or “smart card” platforms. 

However, early work by the Federal Identity Credentialing Committee (FICC) revealed that even if interoperable smart card-based ID badges were successfully deployed, individual federal organizations would not trust cards issued by other agencies. 

The basis for this mistrust was a wide variance in the identity assurance practices of other agencies. Put simply, it was believed an individual could obtain an ID credential at a low-risk federal department using a false identity. Then that person could gain access to a higher risk agency’s facility or computer files, effectively bypassing that entity’s tougher identity verification process. 

HSPD-12 addressed this concern by identifying the initiative as “a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors (including contractor employees).” HSPD-12 further defined “secure and reliable forms of identification” as follows: 

  • Issued based on sound criteria for verifying an individual employee’s identity 
  • Strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation 
  • Can be rapidly authenticated electronically 
  • Issued only by providers whose reliability has been established by an official accreditation process 

FIPS PUB 201-1 Covers Implementation, Interoperability
The Federal Information Security Management Act of 2002 placed the responsibility for developing standards related to the mandates of HSPD-12 in the hands of the National Institute of Standards and Technology (NIST). NIST clearly and technically described the “how” of HSPD-12 by creating and defining a Personal Identity Verification (PIV) system as described in Federal Information Processing Standards Publication 201-1 (FIPS PUB 201-1) and its related Special Publications such as 800-73, Interfaces for Personal Identity Verification. 

FIPS PUB 201-1 addresses the mandates of HSPD-12 — 1) secure and reliable forms of ID, and 2) interoperability among departments and agencies — with two parts. 

PIV-I — This first part describes the minimum requirements for a federal personal identity verification system, including personal identity proofing, registration and issuance. Essentially, PIV-I establishes a secure and reliable method of issuing IDs with the following important elements: 

  • Credentials are only issued to individuals whose true identity has been verified 
  • A proper authority must authorize issuance of the credential 
  • A background investigation for the credential holder is on record 
  • The individual who appears for identity proofing, and whose fingerprints are checked against databases, is the person to whom the credential is issued 
  • No credential is issued unless requested by proper authority 
  • A credential remains serviceable only up to its expiration date 
  • A revocation process exists such that expired or invalidated credentials are swiftly revoked 
  • A single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential 
  • An issued credential is not modified, duplicated or forged 

These features establish a secure and reliable method of identity assurance across all federal departments and agencies, creating trust in the process from one agency to the other. 

Systems integrators experienced in working with large corporations where ID card issuance has been decentralized should be able to recognize the potential to improve their clients’ overall security program using the PIV-I framework.

PIV-II — The second part of FIPS PUB 201-1 provides technical specifications about the credential issued to individuals as a result of processes in PIV-I. 

PIV-II requires a smart card-based credential (PIV card) that can be used by diverse systems (both electronic and human) across federal agencies and departments to verify the identity of the individual holding the card, as well as the legitimacy of the credential before access is allowed to either physical facilities or logical systems. 

It is important to note that neither HSPD-12 nor FIPS PUB 201-1 requires any type of global access control system. Access control decisions, once verification has occurred, remain under the control of individual departments and agencies based on their existing access policies. The process of identity verification and authentication is separated from the access control decisions. 

In a nutshell, PIV-II defines what the PIV card will look like, what type of integrated circuit technology will be incorporated on the card, what logical data will be stored in the card, and how the PIV card will operate and interface with other systems. See the diagram on page 46 to observe the three major components of the PIV system and how they interact. 

The requirements of PIV-I take place within the PIV card issuance and management segment, sometimes referred to as the IDMS. It is not mandated that a common IDMS be used, only that new or existing systems and processes meet the requirements. They must also be able to “securely” communicate PIV cardholder status to other systems controlling access to physical and logical assets. 
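As an added illustration (not from the article, FIPS 201 or any NIST code), the following Python models the separation described above: verifying a PIV-style credential (genuine, unexpired, not revoked per the status the IDMS publishes, and the card proving it holds its key) is one step, and the relying agency's own access policy is a separate step applied afterwards. All keys, identifiers and dates are constructed, and an HMAC stands in for the card's and issuer's signatures.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace
# Constructed stand-ins for the issuer's and card's keys (a real PIV key stays on the chip).
ISSUER_KEY = b"constructed-issuer-key"
CARD_KEY = b"constructed-card-key"

@dataclass(frozen=True)
class Credential:
    cred_id: str
    holder: str
    agency: str
    expires: str        # ISO date string, so plain comparison orders correctly
    issuer_sig: bytes   # issuer's MAC over the other fields
def issuer_sign(cred_id, holder, agency, expires):
    msg = f"{cred_id}|{holder}|{agency}|{expires}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
def card_respond(challenge):
    # The card proves possession of its key by answering the reader's challenge.
    return hmac.new(CARD_KEY, challenge, hashlib.sha256).digest()
def verify_credential(cred, revoked, today, challenge, response):
    """Identity verification only: genuine, current, not revoked, key in hand."""
    expected = issuer_sign(cred.cred_id, cred.holder, cred.agency, cred.expires)
    if not hmac.compare_digest(expected, cred.issuer_sig):
        return (False, "modified or forged credential")
    if today > cred.expires:
        return (False, "expired")
    if cred.cred_id in revoked:      # status communicated by the issuing IDMS
        return (False, "revoked")
    if not hmac.compare_digest(card_respond(challenge), response):
        return (False, "card did not prove key possession")
    return (True, cred.holder)

def agency_access_decision(result, door_policy):
    # Separate step: the relying agency applies its own policy to a verified identity.
    ok, holder = result
    return ok and holder in door_policy
def run_demo():
    """Constructed scenarios; returns {case: (verification result, access granted)}."""
    c = Credential("C-001", "alice", "AgencyA", "2008-12-31",
                   issuer_sign("C-001", "alice", "AgencyA", "2008-12-31"))
    chal, policy = b"reader-nonce-42", {"alice"}      # AgencyB's list for one door
    resp = card_respond(chal)
    cases = {"valid": verify_credential(c, set(), "2007-06-01", chal, resp),
             "revoked": verify_credential(c, {"C-001"}, "2007-06-01", chal, resp),
             "expired": verify_credential(c, set(), "2009-01-01", chal, resp),
             "tampered": verify_credential(replace(c, holder="mallory"), set(), "2007-06-01", chal, resp)}
    return {k: (v, agency_access_decision(v, policy)) for k, v in cases.items()}
```

Note that a credential issued by AgencyA is accepted by AgencyB's reader only because the verification step is trusted; whether "alice" may open that particular door is still AgencyB's decision.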
