Integration Intelligence Issues: GETTING READY FOR FIPS 201
Beginning Aug. 27, 2006, all federal agencies are required to begin implementing FIPS 201, although some are implementing it at just a single location to start and may be using it only to control logical access. Authorized individuals will swipe a smart card into a reader and present their fingers for scanning by a biometric reader in order to obtain access to their agency’s computer network.
A key component of the new program is the background check that federal employees and contractors will go through. Users’ fingerprints will be sent to the Federal Bureau of Investigation for clearance and then will be imprinted on the smart card, also known as a personal identity verification (PIV) card. The goal is to ensure that each individual really is the individual he or she claims to be.
As Rob Zivney, chairman of the PIV Working Group for the Security Industry Association (SIA) and vice president of marketing at Hirsch Electronics, explains, “The PIV card uses a scheme to make sure that the number on the card is unique for the federally issued space. This number is 14 digits, or 48 bits, long and is derived from the issuing agency code, the agency’s local site or system code and a personal credential number. Because the number is larger than traditional numbers used in a physical access control system – such as 26-bit Wiegand – the card can be used interoperably and uniquely among federal agencies.” Other features of the PIV card include a facial image, a PIN and cryptography measures, Zivney says.
Once cleared, authorized individuals ultimately may be able to use a single credential at multiple federal agencies, although interoperability between agencies is likely a few years away. As Paul Brisgone, national director of ADT’s Federal Systems Division, explains, “The government is working toward creating a federal bridge that will act as a cloud above different agency databases, but that will take a couple of years.”
How extensively PIV cards will be used for access control remains to be seen. End users typically find contactless cards to be easier to use than contact cards, although the convenience of having a single card for physical and logical access may outweigh the inconvenience of having to swipe the card. Before using PIV cards for access control, however, agencies would have to replace existing card readers with PIV-compatible models — and any equipment used to support FIPS 201 installations also must be approved by the National Institute of Standards and Technology (NIST).
As of late June, four cards and two biometric equipment manufacturers had been approved, Zivney notes. “The specification for readers has just finished the review for comment phase,” he adds. “It is anticipated that reader testing can begin after this document is officially published.”
Although some federal agencies may opt to do their own FIPS 201 installations, both Zivney and Brisgone anticipate that other agencies will hire security integrators to handle that task. “There will be significant opportunity for security dealers and large system integrators to provide turnkey solutions,” Zivney notes. “The government does not have the resources to install this entire program themselves.”
ADT also sees an opportunity to leverage its nationwide presence to help create credentials for some federal agencies. These will need to be created on a local basis — and some agencies may not want to make the investment in the equipment needed to manufacture the cards at multiple locations. ADT plans to establish locations nationwide that would handle credential creation for multiple federal agencies on an outsourced basis. “We have an end-to-end solution from enrollment to issuance and management all over the country,” Brisgone notes.