Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Transcription

1 Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

2 Introduction The expectations and requirements on government contracts for safety and security projects are both specific and complex. The cumbersome nature of government processes means that many potential bidders avoid these projects. Or that those who do bid often misinterpret the scope and/or cannot meet the requirements in the proposal. But for the well-informed and educated integrator who understands these requirements and has the support of a committed manufacturer, government facilities offer an opportunity to expand into a new market space. The first steps to understanding the complexity of this market segment begin with examining the current landscape of governmentspecific security regulations. For Physical Access Control Systems (PACS), that means understanding the requirements for the federal government s Personal Identity Verification (PIV) standards.

3 The Birth of Personal Identity Verification Systems Homeland Security Presidential Directive 12 was put in place to strengthen both physical and information security. The groundwork for a common identification standard for federal government employees and contractors was established on August 27, 2004 with the issuance of Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 was put in place to strengthen both physical and information security by adopting a common interoperable identification standard. This common standard was defined by the National Institute of Standards (NIST) agency in the Federal Information Processing Standards (FIPS) Publication 201 Personal Identity Verification (PIV) of Federal Employees and Contractors. It defines the identity credential and data contained on it, the infrastructure of the PIV system, as well as the requirements for different security levels at a federal facility or information resource. The current version of FIPS 201-2, was released in 2013 and mandated the inclusion of most optional features listed in and directed its implementation no later than 12 months from the effective date of the standard. Since all federal agencies are required to conform, this provides system integrators with an opportunity to provide the technology and know-how to increase security of these facilities. Systems integrators have a unique opportunity to provide the technology and know-how to increase the security of government facilities.

4 Understanding PIV Systems With the implementation of FIPS 201, every federal employee and contractor is issued a PIV ID following a thorough background check. That credential then permits physical and logical access to federally controlled buildings and information systems. FIPS 201 also ensures interoperability across departments and agencies, and across installations. Because of the complexity and enormity of these tasks, PIV systems, as outlined in FIPS 201-2, are divided into the following three major subsystems: The PIV Front-End Subsystem is where the card holder physically interacts with the system to gain access to a federal resource (physical or logical). This includes the PIV card, credential and biometric readers, and a PIN input device. The PIV Card Issuance and Management Subsystem provides a means to collect, store and maintain all information about the applicants identity and then issue a PIV credential for use by the cardholder. The PIV Relying Subsystem makes the logical decision to allow access to federal resources when the PIV credential is presented to a card reader, biometric reader or PIN input. NIST FIPS PUB PIV System Notional Model PIV Card Issuance and Management Subsystem Identity Proofing & Registration PKI Directory & Certificate Status Responder PIV Relying Subsystem Physical Access Control I&A Authorization Authorization Data Physical Resource Card Issuance & Maintenance I&A Authorization Logical Resource Key Management Logical Access Control I&A Identification & Authentication Authorization Data PIV Cardholder Card Reader / Writer PIV Card LEGEND Shapes Direction of Information Flow Processes Components PIN Input Device Biometric Reader PIV Front-End Subsystem Shading PIV Card Issuance and Management Subsystem PIV Relying Subsystem PIV Front-End Subsystem

5 The secure credential is the heart of the system. Get the Details The secure credential is the heart of the PIV system. Employees and contractors use the PIV credential for authentication to resources including physical access to buildings and information systems. Card readers are located at access points to secure facilities where a cardholder may wish to gain access. The reader communicates with the PIV credential to retrieve the appropriate information, located in the card s memory, to relay it to the access control systems for granting or denying access. If higher security is required, additional authentication factors such as PIN codes and biometric readers may also be employed. The physical format of the card must follow guidelines set out by the FIPS standard. This ensures consistency across entities and aids in visual inspection of the credential for authenticity. The PIV Card Issuance and Management Subsystem collects, stores, and maintains all information and documentation that is required for verifying and assuring the applicant s identity. The PIV relying subsystem includes components such as card readers, locks and related access control devices responsible for determining a particular PIV cardholder s access to a physical or logical resource. Physical resources are secured facilities (e.g., building, room, parking garage); logical resources include computers or network systems. The authorization data stored on the card defines the privileges possessed by the employee or vendor who is requesting access. In the case of door openings, the Physical Access Control System (PACS) grants or denies access to a particular resource. However, PACS in federal facilities had several challenges before FIPS 201 was implemented across facilities. These challenges included: NIST SPECIAL PUBLICATION FIPS 201 redefines the requirements for building access in a fundamental way: instead of each facility issuing an access card solely for that facility s defined PACS architecture, a facility relies on the PIV card that was issued by the same, or a different, agency certified by the federal government. The facility still has control over the user s access privileges, but the technology has been standardized to optimize inter-agency interoperability.» Many PACS were facility-centric and card access to one facility did not translate to card access at another» Some systems could not process government credential numbers based on length» Lower security credentials like mag stripe and prox are easily copied» Revocation of a credential in one facility did not migrate to other sites

6 To help understand and implement the use of PIV cards with PACS, the National Institute of Standards and Technology s Special Publication provides specific technical guidance and recommendations. It describes a strategy for agencies to PIV-enable their PACS, migrating to government-wide interoperability as well as assist with managing physical access to facilities and assets. SP assigns risk levels to different areas of a facility: Unrestricted, Controlled, Limited and Exclusion. Utilizing specific authentication(s) for each level provides a framework for security. These authentication types include: Visual (VIS) Government Facility with Multiple Access Levels Front Door Office Conference Room Cardholder Unique Identifier (CHUID) Side Door Card Authentication Key (CAK) PIV Authentication Key (PKI) Biometric (BIO) Biometric attended (BIO-A) A factor number can be assigned depending on how many authentication types are used to gain access at an opening. For instance, BIO-A is considered a two-factor authentication as it verifies identity based on a biometric fingerprint read as well as a visual inspection of the card by a guard. As the door openings lead to higher security areas, the authentication factor rises. But what if the facility would like to extend the PACS to secure interior door openings using a single credential even if they do not require the higher security required at other openings? Uncontrolled Area Controlled Area Limited Area Exclusion Area For each assurance level, specific authentication modes are needed, each requiring one or more physical access control components: AUTHENTICATION MODES AUTHENTICATION FACTORS SP SECURITY AREA Legacy and FASCN Readers None Uncontrolled CHUID + VIS 1 Controlled CAK 1 Controlled PIV + PIN 2 Limited PIV + PIN + BIO 3 Exclusion BIO: Biometric; CAK: Card Authentication Key; CHUID: Cardholder Unique Identifier; FASC-N: Federal Agency Smart Credential Number; PIN: Personal Identification Number; PIV: Personal Identity Verification (PIV) Authentication Key; VIS: Visual As the door openings lead to higher security areas, the authentication factor rises.

7 This often creates a bit of a challenge for government facilities in two ways: They have to budget and spend more for a hardwired PACS system, regardless of whether it must meet FIPS criteria or not They face massive infrastructure upgrade work if they wish to implement the credentialing standards to doorways other than the main entryways This extensive gap in doorway security can now be filled more cost effectively thanks to a new breed of wireless locks that connect to building control systems via secure WiFi network infrastructure. These intelligent WiFi locks have the ability to simply read these enhanced identification credentials without the requirements of meeting the traditional FIPS mandated strong authentication protocols. Extending Access Control Using Wireless PIV-Enabled Locks PIV-capable wireless locks are the perfect solution for interior spaces where government employees and contractors want to leverage their secure PIV credentials in the most cost-effective manner, where they have previously been authenticated at a perimeter entry point. When used in conjunction with the FIPS hardwired access control system architectures delivering strong authentication, PIV-capable WiFibased wireless locks enable a Federal facility to implement facility-wide, one-card PACS without adding expensive infrastructure and without compromising on necessary security requirements. Where utilizing existing WiFi architecture for this PIV-enabled application may create owner concerns, there are Power-over- Ethernet options available in the marketplace as well. The Opportunity in Securing Federal Facilities There are approximately 6 million PIV credentials currently being used at federal facilities today. And each one is an opportunity for an integrator and service provider who understand the needs of the sector. Every PIV credential can be used not only for access to building entries, but for interior openings, file storage, server racks and more, giving them much greater utility. Capitalizing on this space requires developing partnerships with committed manufacturers who both provide the appropriate products and understand the nuances of the solution. That applies not just at the federal level, but also at state and municipal governments that also have complex requirements.

8 To learn more about the types of PACS systems available to meet the needs of government facilities, contact a government solutions expert at ASSA ABLOY. Resources National Institute of Standards and Technology, Federal Information Processing Standards Publication Personal Identity Verification (PIV) of Federal Employees and Contractors, August National Institute of Standards and Technology, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November ASSA ABLOY Door Security Solutions 110 Sargent Drive New Haven, CT DSS.EZ4U ( ) Copyright 2018 ASSA ABLOY Sales and Marketing Group Inc.; all rights reserved. Reproduction in whole or in part without the express written permission of ASSA ABLOY Sales and Marketing Group Inc. is prohibited. Effective 2/