Changes to FIPS-201-2: How will they affect you?

YARMOUTH, Maine—Is it important for integrators who don't do government work to pay attention to what's going on with federal mandates for access control in government buildings? According to experts who spoke to Security Systems News for this story, the answer is yes.

Yes, the process for standardizing access control to government buildings has been ongoing for a long time—eight years to be exact. But, slow progress is being made. Experts point to the Office of Management and Budget deadline that withholds technology funding from federal agencies that have not complied with HSPD-12. They say this OMB deadline is helping push the process along with government agencies. And they note that manufacturers will gear products to the needs of this major customer—government.

Already, quasi-governmental agencies and some large private-sector businesses are using PIV-like credentials (called PIV-I). Other PIV-like cards have been in use for a while—TWIC for transportation workers and FRAC for first responders.  

Elements of these standardizations will all bleed over into the commercial market eventually, experts told SSN, so it behooves systems integrators to take an interest in the federal mandates.

Here's a review of the mandates we're talking about. In 2004, the White House issued HSPD-12, a presidential directive that says all federal employees and contractors should have a common, secure credential for access to federal buildings. FIPS-201 is the publication, first released in 2005, that describes what federal agencies need to do to comply with HSPD-12.

The most recent iteration of FIPS-201 is FIPS-201-2. It has gone through two drafts. All comments on the second draft were due on Aug. 10, and the industry is now awaiting a final version of FIPS-201-2. It is expected to be released early in 2013.

However, the industry is also hoping that there will be further clarifications on several technical aspects of FIPS-201-2 before that final version is released.

“I hope that the [document of the technical clarifications] comes out before FIPS-201-2 is final,” said Walter Hamilton, senior consultant with Identification Technology Partners. “One would think it wouldn't make sense to have undefined functions. … That would be a major hole.”

Those technical clarifications will come from another document (called 800-73-XX), which like FIPS-201-2 comes from the National Institute for Standards and Technology, part of the U.S. Department of Commerce.

Making it even more problematic is the fact that once a final version of FIPS-201-2 is released, it cannot be updated for another five years.

Rob Zivney, chairman of the Security Industry Association's PIV Working Group, said it's frustrating that the most recent draft of FIPS-201-2 “establishes multiple, serial life cycles which might prevent the very use of some of the more secure and more useful 'new optional' or 'newly mandatory' features.”

If a final version is released in early 2013, it will have been eight years since the prior version was released.

“Though there is a requirement to not update more often than five years, there are also delays due to the review and comment process,” Zivney said. “This latest version adds in an extension of 12 months for compliance on card issuance. The card maximum life cycle is now six years, so we might be well into the next FIPS version before we see some of the optional features start to appear on the card. And after that, another card life cycle yet before they become mandatory.”

He noted that the new features cannot really be used by a reader/system until they exist in the entire card population.

“Add it all up and the exciting new features might take a decade and a half before they can be put to use,” Zivney said. He called on NIST to determine “how to cost-effectively reduce the life cycles to actually put the new features in use.”

Assuming the life cycle question is taken care of, what are some of the important changes in FIPS-201-2?

Zivney said the most significant change is the “deprecation and demotion of the CHUID [a basic reader technology] as an authentication factor.”

 He said that the industry “knew from the beginning that the CHUID mechanism was really no better than the proximity technologies it replaced.” He surmised that the reader technology was chosen to reach a consensus for a common standard among the federal agencies and said that it has been the “basis of many expensive upgrades of readers and physical access control systems.” VIS (visual inspection of credentials) is also being demoted to a lower assurance level. It will be “interesting,” Zivney said, to see how federal agencies react to these changes.  

Zivney said he is happy that a more secure and usable technology, the CAK or Card Authentication Key, will now become mandatory. “The CAK brings usage of the cryptographic and PKI capabilities of the card into use to replace … the CHUID and VIS.” He said the CAK is “well suited to use in the environments for physical access control applications as it is contactless, or no slot required.”

Other new items in the latest FIPS-201-2 revised draft are listed as optional until the next revision, at which time some will be made mandatory. Features expected to remain optional include On Card Comparison (OCC) for biometrics (also called Biometric Match On Card), virtual contact interface, derived credentials for mobile devices, and Secure Channel.

“Secure Channel provides for encrypted communication between the card and the reader for the first time, opening the door to more use of the contactless interface. In fact, Secure Channel is a prerequisite to use of OCC, virtual contact interface, and derived credentials,” Zivney said.

Bob Fontana, president, GM and CTO of Codebench, a provider of middleware for access control systems, said: “The idea here is to speed things up by allowing biometric information to be exchanged over [the] contactless [interface] and at a faster rate.”

Fontana noted there are several issues that still need to be worked out with the derived credentials for mobile devices. “The phone has to be as strong as a PIV card, and a PIV card is very secure,” he said. Questions remain, for example, about provisioning a smart card reliably to ensure that an interception can't “divert the credential and transfer it to another phone,” Fontana said.

“That mechanism has to be worked out and tested and certified,” he added.   

Again, the fact that new technical details have yet to be defined will hold back manufacturers and integrators in bringing the necessary products and systems to market.

Nevertheless, Zivney and others said that despite the hurry-up-and-wait nature of the implementation of HSPD-12, PIV standards will become increasingly important in the private sector.

Zivney pointed out that PIV and PIV-I standards are used in the aerospace, defense, bio-pharma and banking industries, and state and local governments also are looking to use PIV-I. TWIC has been “a great success on seaports and with truckers and is based on PIV, though it went further faster. First responders have their FRAC card, also based on PIV,” he said.

Zivney said that systems integrators will have to learn the “nuances of the new PKI and biometric-based smart card technologies as they spread into the private sector, where there is great concern for cyber security and identity theft.”  

What's going on in the government “is not just about new cards and readers, but indeed about the next-generation physical access control systems that will use them securely and cost-competitively,” Zivney said.