Trends in Government Credentials
The government market is a completely different animal when it comes to card and credential security, and any integrator or manufacturer who works in that space knows the complexities involved. Several developments are now changing the government market, from the FICAM certifications to FIPS 201-2. SDM spoke with several industry professionals who work in the government market to find out the latest, and how it may impact the credential market in the future.
Adam Shane, senior systems design architect, AMAG Technology, has a great explanation of what is going on in the government world:
“What happened is there was the FIPS-201 standard that created the PIV card. That has all these PKI components built into the card. Initially, the government was talking about just using it as an identity document and being able to read the ID number off the card in what they call a free read. As people started becoming more familiar with the technology, the use and deployment of the card was gaining speed and momentum. Then the government said, ‘Actually, using free read off the card is not really sufficient. It exposes too much risk.’
“At that point they decided they needed to move forward with a different program that was taking place that was going to build off the PIV card. That is what they call Federal Identity Credential and Access Management (FICAM). Basically it takes into account the understanding that identity is like a service or a utility. The government wants to get to a place where identity is shared across the whole federal government and the PIV card is a way to get there.
“As long as an agency meets FIPS-201 it is certified to do everything necessary to issue a PIV card. It has all the security necessary for all other agencies to trust that card is authentic and that the agency issuing it has been certified. That trust across all agencies in the executive branch hadn’t been there before FIPS-201 and HSPD-12. FICAM built off that and says, ‘Now that we have that trust and this high assurance credential, we have to use it in the appropriate fashion.’
“There is more and more technical guidance on top of how to properly use the PIV card. On the certification side, with the GSA testing they were originally testing basic FIPS-201 compliance. Now they have gone beyond checking boxes and are now talking more about the use of the card and are you properly using it in a FICAM-appropriate manner? FICAM is actually much bigger than FIPS-201.”
FIPS 201-2 hasn’t been fully ratified yet, but is expected soon. Meanwhile, the FICAM certification is more about the GSA (the procurement arm of the government) ensuring that the products it certifies actually do what they say and are not just “smoke and mirrors.” That is why the GSA now requires certifications that demonstrate how the whole system works together rather than just individual components, Shane explains.
“FICAM is reasonably new,” says Christopher Sincock, DAQ Electronics LLC. “The requirements have been around for a little more than a year now. In our government-based work we are anticipating that FICAM will be required soon.”
Sincock adds that FICAM also requires some level of certification on the installation side, something he anticipates manufacturers taking on as a service provided to integrators, because the expense of getting certified may outweigh the benefit for them.
Several manufacturers either have FICAM certification now or are in the process of obtaining it. “We are in the FICAM world now,” says Rick Caruthers, executive vice president, Galaxy Control Systems. “We are being validated with three manufacturer partners currently. We as manufacturers go through this process every few years.”
Despite that, many say that adoption on the government side is hindered by budgets, just as it is for their commercial counterparts.
“It doubles the cost per door just to have the validation,” Caruthers says. “It is all predicated on budgets. The three-letter agencies tend to get it faster.”
Tyco’s Software House division has received some FICAM listings already and is heavily involved in committees, says Rick Focke, senior product manager, Tyco Security Products. He explains that the genesis of the FIPS 201-2 card is an attempt to rectify the “free read” issue, with a more powerful card for both logical and physical applications. Despite the initial cost differentiation, Focke sees an eventual transfer to the commercial space.
“We are starting to already see a little spillover [of] the high-assurance methodology into the non-government space,” he says. “It is sort of like the space program: All the money goes there, then it filters down into the consumer market. The same thing may happen with card access. ‘Here is the new way to do it with a unique certificate on each card, authenticated every time you use it.’” It is very early days yet, however, he adds.