Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Introduction

The expectations and requirements on government contracts for safety and security projects are both specific and complex. The cumbersome nature of government processes means that many potential bidders avoid these projects, or that those who do bid often misinterpret the scope and/or cannot meet the requirements in the proposal. But for the well-informed integrator who understands these requirements and has the support of a committed manufacturer, government facilities offer an opportunity to expand into a new market. The first step toward understanding this market segment is examining the current landscape of government-specific security regulations. For Physical Access Control Systems (PACS), that means understanding the requirements of the federal government's Personal Identity Verification (PIV) standards.

The Birth of Personal Identity Verification Systems

The groundwork for a common identification standard for federal government employees and contractors was laid on August 27, 2004 with the issuance of Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 was put in place to strengthen both physical and information security by adopting a common, interoperable identification standard. That standard was defined by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. It defines the identity credential and the data contained on it, the infrastructure of the PIV system, and the requirements for the different security levels at a federal facility or information resource. The current version, FIPS 201-2, was released in August 2013; it made mandatory most of the features that were optional in FIPS 201-1 and directed agencies to implement the new features no later than 12 months from the standard's effective date. Since all federal agencies are required to conform, systems integrators have a unique opportunity to provide the technology and know-how to increase the security of government facilities.

Understanding PIV Systems

With the implementation of FIPS 201, every federal employee and contractor is issued a PIV credential following a thorough background check. That credential then permits physical and logical access to federally controlled buildings and information systems. FIPS 201 also ensures interoperability across departments and agencies, and across installations. Because of the complexity and scale of these tasks, PIV systems, as outlined in FIPS 201-2, are divided into three major subsystems:

The PIV Front-End Subsystem is where the cardholder physically interacts with the system to gain access to a federal resource (physical or logical). This includes the PIV card, card and biometric readers, and a PIN input device.

The PIV Card Issuance and Management Subsystem provides the means to collect, store and maintain all information about the applicant's identity and then issue a PIV credential for use by the cardholder.

The PIV Relying Subsystem makes the access decision when the PIV credential is presented to a card reader, biometric reader or PIN input device.

[Figure: NIST FIPS PUB 201-2 PIV System Notional Model. The PIV Front-End Subsystem comprises the PIV cardholder, PIV card, card reader/writer, PIN input device and biometric reader. The PIV Card Issuance and Management Subsystem comprises identity proofing and registration, card issuance and maintenance, key management, and the PKI directory and certificate status responder. The PIV Relying Subsystem comprises physical access control and logical access control, each with identification and authentication (I&A), authorization, and authorization data, protecting physical and logical resources. Arrows show the direction of information flow between components and processes.]

The secure credential is the heart of the PIV system. Employees and contractors use the PIV credential for authentication to resources including physical access to buildings and information systems. Card readers are located at the access points of secure facilities where a cardholder may wish to gain access. The reader communicates with the PIV credential to retrieve the appropriate information from the card's memory and relays it to the access control system for granting or denying access. If higher security is required, additional authentication factors such as PIN codes and biometric readers may also be employed. The physical format of the card must follow the guidelines set out by FIPS 201-2. This ensures consistency across entities and aids in visual inspection of the credential for authenticity.

The PIV Card Issuance and Management Subsystem collects, stores, and maintains all information and documentation required for verifying and assuring the applicant's identity.

The PIV Relying Subsystem includes components such as card readers, locks and related access control devices responsible for determining a particular PIV cardholder's access to a physical or logical resource. Physical resources are secured facilities (e.g., building, room, parking garage); logical resources include computers and network systems. The authorization data held by the relying subsystem defines the privileges granted to the employee or vendor requesting access (the card itself carries identity data and keys, not privileges, so the access decision stays with the PACS). In the case of door openings, the Physical Access Control System (PACS) grants or denies access to a particular resource. However, PACS in federal facilities faced several challenges before FIPS 201 was implemented across facilities.
These challenges included:

» Many PACS were facility-centric: card access to one facility did not translate to card access at another
» Some systems could not process government credential numbers because of their length
» Lower-security credentials like magnetic stripe and proximity (prox) cards are easily copied
» Revocation of a credential at one facility did not propagate to other sites

As NIST Special Publication 800-116 puts it: "FIPS 201 redefines the requirements for building access in a fundamental way: instead of each facility issuing an access card solely for that facility's defined PACS architecture, a facility relies on the PIV card that was issued by the same, or a different, agency certified by the federal government. The facility still has control over the user's access privileges, but the technology has been standardized to optimize inter-agency interoperability."

To help agencies understand and implement the use of PIV cards with PACS, NIST Special Publication 800-116 provides specific technical guidance and recommendations. It describes a strategy for agencies to PIV-enable their PACS and migrate to government-wide interoperability, and it assists with managing physical access to facilities and assets. SP 800-116 assigns risk levels to different areas of a facility: Unrestricted, Controlled, Limited and Exclusion. Requiring specific authentication mechanism(s) at each level provides a framework for security. These authentication mechanisms include:

» Visual (VIS)
» Cardholder Unique Identifier (CHUID)
» Card Authentication Key (CAK)
» PIV Authentication Key (PKI)
» Biometric (BIO)
» Biometric, attended (BIO-A)

[Figure: Government Facility with Multiple Access Levels, showing the front door, side door, office and conference room openings.]

A factor count can be assigned depending on how many authentication types are used to gain access at an opening. For instance, BIO-A is considered two-factor authentication, as it verifies identity by a fingerprint read as well as a visual inspection of the card by a guard. As the door openings lead to higher-security areas, the number of factors rises. But what if the facility would like to extend the PACS to interior door openings using a single credential, even where those openings do not require the higher security mandated at other openings?
[Figure: nested security areas, from the outside in: Unrestricted, Controlled, Limited and Exclusion.]

For each assurance level, specific authentication modes are needed, each requiring one or more physical access control components:

Authentication mode         Authentication factors   SP 800-116 security area
Legacy and FASC-N readers   None                     Unrestricted
CHUID + VIS                 1                        Controlled
CAK                         1                        Controlled
PIV + PIN                   2                        Limited
PIV + PIN + BIO             3                        Exclusion

BIO: Biometric; CAK: Card Authentication Key; CHUID: Cardholder Unique Identifier; FASC-N: Federal Agency Smart Credential Number; PIN: Personal Identification Number; PIV: PIV Authentication Key; VIS: Visual.
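The "credential number length" problem in the challenges above and the FASC-N readers in the first row of the table come down to one data structure: the 200-bit Federal Agency Smart Credential Number carried in the card's CHUID, which is what a PACS reads in CHUID mode and what it must map onto its own identifier scheme. The following Python is an added example written for this primer, not code from ASSA ABLOY or NIST. It encodes and decodes the FASC-N per the SCEPACS layout (40 five-bit characters, each 4 BCD data bits sent least-significant bit first plus an odd-parity bit; start sentinel 0xB, field separator 0xD, end sentinel 0xF; trailing LRC taken as the XOR of every preceding character, start sentinel through end sentinel, which is my reading of the TIG SCEPACS convention and is stated as an assumption in the code). The sample field values are constructed and do not belong to any real credential.

```python
"""FASC-N encode/decode with parity, sentinel and LRC validation.
Added example for this primer, not ASSA ABLOY or NIST code. Layout: 40
five-bit characters, each 4 BCD data bits (LSB first) plus an odd-parity bit.
"""

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel

# Digit fields in order; separators and sentinels are added around them.
FIELDS = [
    ("agency_code", 4),
    ("system_code", 4),
    ("credential_number", 6),
    ("credential_series", 1),
    ("individual_credential_issue", 1),
    ("person_identifier", 10),
    ("organizational_category", 1),
    ("organizational_identifier", 4),
    ("association_category", 1),
]
# Fields followed by an FS character; the last four run together before ES.
SEPARATED = {"agency_code", "system_code", "credential_number",
             "credential_series", "individual_credential_issue"}

# Constructed sample values, not a real credential.
SAMPLE = {
    "agency_code": "9999", "system_code": "0001", "credential_number": "000123",
    "credential_series": "0", "individual_credential_issue": "1",
    "person_identifier": "0000000001", "organizational_category": "1",
    "organizational_identifier": "0000", "association_category": "1",
}


def _char_bits(value: int) -> str:
    """One 4-bit value as 5 bits: data LSB first, then odd parity."""
    data = "".join(str((value >> i) & 1) for i in range(4))
    return data + ("0" if data.count("1") % 2 else "1")


def encode_fascn(fields: dict) -> bytes:
    """Build the 25-byte (200-bit) FASC-N from its digit fields."""
    chars = [SS]
    for name, width in FIELDS:
        digits = str(fields[name])
        if len(digits) != width or not digits.isdigit():
            raise ValueError(f"{name} must be exactly {width} digits")
        chars.extend(int(d) for d in digits)
        if name in SEPARATED:
            chars.append(FS)
    chars.append(ES)
    lrc = 0
    for c in chars:  # assumption: LRC = XOR of every character SS through ES
        lrc ^= c
    chars.append(lrc)
    bits = "".join(_char_bits(c) for c in chars)
    assert len(bits) == 200
    return int(bits, 2).to_bytes(25, "big")


def decode_fascn(raw: bytes) -> dict:
    """Parse a FASC-N, rejecting bad length, parity, sentinels, LRC or digits."""
    if len(raw) != 25:
        raise ValueError(f"FASC-N is 25 bytes, got {len(raw)}")
    bits = format(int.from_bytes(raw, "big"), "0200b")
    chars = []
    for i in range(40):
        chunk = bits[5 * i:5 * i + 5]
        if chunk.count("1") % 2 == 0:
            raise ValueError(f"parity error in character {i}")
        chars.append(sum(int(chunk[b]) << b for b in range(4)))  # LSB first
    if chars[0] != SS or chars[38] != ES:
        raise ValueError("start or end sentinel missing")
    lrc = 0
    for c in chars[:39]:
        lrc ^= c
    if lrc != chars[39]:
        raise ValueError("LRC mismatch")
    out, pos = {}, 1
    for name, width in FIELDS:
        digits = chars[pos:pos + width]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit in {name}")
        out[name] = "".join(str(d) for d in digits)
        pos += width
        if name in SEPARATED:
            if chars[pos] != FS:
                raise ValueError(f"field separator missing after {name}")
            pos += 1
    return out


def is_valid(raw: bytes) -> bool:
    """True if raw parses cleanly: the check a reader makes before using it."""
    try:
        decode_fascn(raw)
        return True
    except ValueError:
        return False


def pacs_identifier(fields: dict) -> str:
    """Agency Code + System Code + Credential Number: the 14-digit prefix that
    SP 800-116 treats as unique per federal PIV card. Far wider than a 26-bit
    Wiegand facility code plus card number, which is the length problem."""
    return fields["agency_code"] + fields["system_code"] + fields["credential_number"]


if __name__ == "__main__":
    raw = encode_fascn(SAMPLE)
    print(raw.hex(), decode_fascn(raw), pacs_identifier(decode_fascn(raw)))
```

Two points for an integrator: every single-bit error is caught by the per-character parity and every value change by the LRC, so a reader that skips those checks and just strips digits out of the bit stream will happily accept corrupted or malformed data; and the 14-digit identifier returned by pacs_identifier is the reason legacy panels built around a 26-bit Wiegand number could not store a government credential number. Note that a syntactically valid FASC-N says nothing about whether the card is genuine; that assurance comes only from the CAK or PIV authentication key modes in the table above.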

This often creates a challenge for government facilities in two ways:

» They have to budget and spend more for a hardwired PACS, regardless of whether it must meet FIPS 201-2 criteria or not
» They face massive infrastructure upgrade work if they wish to extend the credentialing standards to doorways other than the main entryways

This gap in doorway security can now be filled more cost-effectively by a new breed of wireless locks that connect to building control systems over a secure WiFi network. These intelligent WiFi locks can read the PIV credential without meeting the strong authentication requirements that FIPS 201-2 mandates at the perimeter. The caveat is that a lock which only reads the card's identifier (CHUID mode) gains no cryptographic proof that the card is genuine: SP 800-116 rates CHUID-based authentication as a single, low-assurance factor suitable for Controlled areas, and FIPS 201-2 deprecates the CHUID authentication mechanism. Such locks are therefore appropriate for interior openings whose assurance is provided by the authenticated perimeter, not as a substitute for CAK or PIV authentication key modes at Limited or Exclusion areas.

Extending Access Control Using Wireless PIV-Enabled Locks

PIV-capable wireless locks are a good fit for interior spaces where government employees and contractors want to use their PIV credentials in the most cost-effective manner, having already been authenticated at a perimeter entry point. When used in conjunction with a hardwired FIPS 201-2 access control architecture that delivers strong authentication, PIV-capable WiFi-based wireless locks enable a federal facility to implement facility-wide, one-card PACS without adding expensive infrastructure and without compromising on necessary security requirements. Where using the existing WiFi network for this PIV-enabled application raises owner concerns, Power-over-Ethernet options are available in the marketplace as well.

The Opportunity in Securing Federal Facilities

There are approximately 6 million PIV credentials in use at federal facilities today, and each one is an opportunity for an integrator and service provider who understands the needs of the sector. Every PIV credential can be used not only for access at building entries but also at interior openings, file storage, server racks and more, giving it much greater utility. Capitalizing on this space requires developing partnerships with committed manufacturers who both provide the appropriate products and understand the nuances of the solution. That applies not just at the federal level, but also to state and municipal governments, which have complex requirements of their own.

To learn more about the types of PACS available to meet the needs of government facilities, contact a government solutions expert at ASSA ABLOY.

Resources

National Institute of Standards and Technology, Federal Information Processing Standards Publication 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013. http://nvlpubs.nist.gov/nistpubs/fips/nist.fips.201-2.pdf

National Institute of Standards and Technology, Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November 2008. http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-116.pdf

ASSA ABLOY Door Security Solutions, 110 Sargent Drive, New Haven, CT 06511, 1.800.DSS.EZ4U (377.3948), www.assaabloydss.com
Copyright 2018 ASSA ABLOY Sales and Marketing Group Inc.; all rights reserved. Reproduction in whole or in part without the express written permission of ASSA ABLOY Sales and Marketing Group Inc. is prohibited. Effective 2/2018 2500-3886