FIPS-201 and Enterprise Air
Presidential directives are issued by the President of the United States to
specify actions that must be taken by bodies or agencies of the federal
government. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a
Common Identification Standard for Federal Employees and Contractors, specifies
that a strict standard be created and implemented for the issuance of a common
identification standard for all federal government employees and contractors.
The directive was signed by the President on August 27, 2004. The directive
describes, at a high level, that a common system be implemented for the vetting
of identities (i.e. verifying that someone is who they say they are and
verifying that they have passed a standardized background check) and for issuing
a common ID standard for all agencies to use when issuing identity credentials.
The National Institute of Standards and Technology's (NIST) Computer Security Division was driven by HSPD-12 to create the FIPS-201, Personal Identity Verification of Federal Employees and Contractors, standard. The standard defines procedures for PIV activities such as identity proofing, registration procedures, identity card issuance, and identity card usage related to logical and physical security. FIPS-201 was approved by the Secretary of Commerce on February 25, 2005. The standard describes the following:
The identity card specified by FIPS-201 has become known as the PIV card (Personal Identity Verification), and much of the discussion on FIPS-201 is related to this card (e.g. issuing a PIV, the format of a PIV, proper use of a PIV, lifecycle of a PIV, and so on). This card is a smart card with both contact and contactless interfaces, with the option for agencies to add other interfaces. The contactless interface is MiFARE DESFire v6.
FIPS-201 specifies many of the details of the standard, but also incorporates
three separate technical documents as support material for the standard. These
documents are as follows:
These documents are all available from the
NIST website. A discussion of
these documents is beyond the scope of this document.
The PIV-I phase, which must be implemented by October 25, 2005 by all federal government agencies, includes the identity vetting requirements for FIPS-201. The following excerpt from the FIPS-201 standard summarizes PIV-I:
This standard is composed of two parts, PIV-I and PIV-II. The first part (PIV-I) describes the minimum requirements for a Federal personal identification system that meets the control and security objectives of HSPD 12, including personal identity proofing, registration, and issuance, but does not address the interoperability of PIV Cards and systems among departments and agencies.
PIV-II describes the detailed technical specifications required to create the physical credentials, information schemas, and data structures required to create an entire ecosystem of identity verification that enables interagency use and trust of individuals.
The second part (PIV-II) provides detailed technical specifications to support the control and security objectives in PIV-I as well as interoperability among Federal departments and agencies. PIV-II describes the policies and minimum requirements of a PIV Card that allows interoperability of credentials for physical access and logical access. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in NIST Special Publication 800-73 (SP 800-73), Interfaces for Personal Identity Verification. Similarly, the requirements for collection and formatting of biometric information are specified in NIST Special Publication 800-76 (SP800-76), Biometric Data Specification for Personal Identity Verification.
Public Comments on FIPS-201
Click the following link to read industry and government agency comments to the
draft of FIPS-201 on the NIST website. These comments are probably the best way
to understand the real implementation issues and challenges of implementing
Other Identity Card Programs
The implementation of a common ID card provides benefits well beyond ensuring that the cardholder is who they say they are and that the issuing party still considers the credential to be valid. The cards can be used to streamline operations at all different levels and provide openings to use new technologies to raise the level of security and emergency response across government and even extend efficiencies to non-government agencies. Some benefits of using a PIV card are listed below:
Implementation of FIPS-201 will require that agencies implement or upgrade
existing systems to support the FIPS-201 requirements. There are many issues
that need to be overcome. A few are listed below:
These are just a few of the changes that may affect an agency's operations.
A generalized picture of the systems involved in the FIPS-201 standard is provided below. This diagram describes the very basic interconnection of these systems. Other systems and subsystems are not included in this high level diagram and the interconnection between these systems may be different depending on particular vendor implementations.
FIPS-201 and Logical Data Access
Logical data access relates to computerized data access and related technologies. While Enterprise Air utilizes logical data access technologies in its own applications and they are, in some cases, integrated to the physical security systems that are supported by Enterprise Air, these technologies are better discussed by companies who specialize in these technologies. Enterprise Air does not endorse any particular logical security vendor.
FIPS-201 and Physical Data Access
Physical access control systems' implementations of FIPS-201 may vary. The implementation of FIPS-201 will drive new software integrations and business processes or operating concepts. In the past, agencies created their own methods of determining whether or not a person could be issued a credential. That credential was then generally issued via an application module in the physical security or access control system. Under that operating model, an agency created the badge ID according to rules chosen by the agency and then printed a badge according to the preferences and individual needs of the agency in question. This badge's use and lifecycle generally did not exist outside of the agency's access control system, and most agencies lacked electronic systems to do more than simply scan a badge at the perimeter or door of a facility. In the worst case, badges were simply worn on a lanyard and visually checked upon entry.
After FIPS-201, badges will be in a common format that can be read and understood by all agencies. The physical access control vendors will need to support new badge formats in their data models. The changes are numerous, but on the surface most access control systems will need to modify their badge key from the old two-segment approach of facility code + badge ID to the FIPS-201 compliant format, which at a high level consists of agency code, application code, and badge ID segments. The identifying data on the card is actually more complex than described above; searching the FIPS-201 and NIST SP 800-73 documents for CHUID, FASC-N, PKI, or certificates will clarify the issues.
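As an added example (not from this page or from Enterprise Air), the following Python decodes a FASC-N, the card identifier the text points to, into the agency code, system code (the "application code" above) and credential number, and derives the new three-segment PACS key in place of facility code + badge ID. The field layout, the 5-bit odd-parity BCD character encoding and the LRC rule are assumed from the TIG SCEPACS / SP 800-73 descriptions, and the sample credential is constructed.

```python
from functools import reduce
from operator import xor
# FASC-N layout per TIG SCEPACS / SP 800-73 (assumed here, not taken from the page):
# 40 five-bit characters, each 4 data bits LSB-first plus an odd-parity bit; fields
# are split by FS and closed by ES plus an LRC (XOR of every preceding nibble).
SS, FS, ES = 0xB, 0xD, 0xF
LAYOUT = [("agency", 4), FS, ("system", 4), FS, ("credential", 6), FS,
          ("series", 1), FS, ("issue", 1), FS, ("person_id", 10),
          ("org_category", 1), ("org_id", 4), ("assoc_category", 1)]

def _char(nibble):
    bits = [(nibble >> i) & 1 for i in range(4)]      # data bits, LSB first
    return bits + [1 - sum(bits) % 2]                 # odd parity bit

def encode_fascn(fields):
    nibbles = [SS]
    for item in LAYOUT:
        nibbles += [FS] if item == FS else [int(d) for d in fields[item[0]].zfill(item[1])]
    nibbles.append(ES)
    nibbles.append(reduce(xor, nibbles))              # LRC over SS..ES
    bits = [b for n in nibbles for b in _char(n)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))

def decode_fascn(raw):
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    chars = [bits[i:i + 5] for i in range(0, 200, 5)]
    if len(raw) != 25 or any(sum(c) % 2 == 0 for c in chars):
        raise ValueError("FASC-N length or character parity error")
    nibbles = [sum(b << i for i, b in enumerate(c[:4])) for c in chars]
    if nibbles[0] != SS or nibbles[-2] != ES or reduce(xor, nibbles[:-1]) != nibbles[-1]:
        raise ValueError("FASC-N sentinel or LRC error")
    fields, pos = {}, 1
    for item in LAYOUT:
        if item == FS:
            if nibbles[pos] != FS:
                raise ValueError("missing field separator")
            pos += 1
        else:
            fields[item[0]] = "".join(map(str, nibbles[pos:pos + item[1]]))
            pos += item[1]
    return fields

def pacs_key(fields):
    # Three-segment PACS key replacing the old facility code + badge ID pair.
    return f"{fields['agency']}-{fields['system']}-{fields['credential']}"

# Constructed sample credential for demonstration, not a real card.
SAMPLE = {"agency": "9999", "system": "0021", "credential": "000042", "series": "1", "issue": "1",
          "person_id": "0000000000", "org_category": "1", "org_id": "0000", "assoc_category": "1"}
```

A reader that rejects parity, sentinel or LRC failures before building the PACS key is the minimum a FIPS-201 door controller should do with this field; authenticity of the card itself still comes from the CHUID signature and certificates the text mentions.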
FIPS-201 and Enterprise Air's Applications
The following section describes how FIPS-201 and PIV cards relate to several of Enterprise Air's mobile applications.
Portable Credentialing and Portable Incident Control
Current Application Description
Enterprise Air's Portable Credentialing and Incident Control Application is a self-contained solution for rolling out a security system capable of rapidly locking down a sensitive area such as a disaster site. The system allows pre-enrollment of known emergency response workers as well as rapid enrollment of workers as they arrive on site via an automated registration procedure. Perimeters (or areas) and access rules can be quickly and easily defined to allow classes of emergency workers to have access to sites. For example, an administrator can configure the system so that Electric Utilities workers can automatically be given access to the zone where they are needed. As each Electric Utilities worker arrives on site he can be enrolled in the system by scanning his employee card and driver's license and will automatically be granted access to the site. The system can work with their existing ID or issue new site-specific ID credentials. As each worker enters the site, they are scanned by the system, which records their entry time. Timers can be set so that an incident commander can control the 'time-in' to the incident and easily locate resources.
How it will work under FIPS-201
Under FIPS-201 the Portable Credentialing System can still function by enrolling persons into the system who do not have a PIV card. But persons with a PIV card will not be required to perform any enrollment into the system, because the PIV card is already a trusted credential and because the card's credential information contains enough information about the person to determine whether or not they should have access to a site. An incident commander could simply grant access to an entire category of PIV card holders by specifying a configurable set of criteria. The criteria for allowing access include information such as agency code, ESF function, or other certification information. As the PIV holder attempts to access a site, the PIV card will be checked for authenticity and then the credential information will be checked against the criteria set up by the incident commander to determine whether or not a person should be granted access to an area.
It is important to remember that the possession of a PIV card does not by itself grant a person access to an incident site. The incident commander controls the site. And since there will eventually be tens of millions of PIV cards issued, the possession of a PIV card alone will not be a meaningful representation of a person's eligibility for entrance. The PIV card MUST be verified and then the credential MUST be checked against the incident commander's incident access configuration.
Mobile ID Verification
Current Application Description
Mobile ID Verification (MIDV) allows ID credentials to be read using Enterprise Air Mobile ID Readers. Mobile ID Readers are handheld devices with color displays that can read a variety of badge formats (e.g. HID Prox, Mag Stripe, MiFARE, Bar Code, etc) and display information about the cardholder using a lookup in a database stored on the handheld device or, over a wireless network, located in a server side database. The application can get its badge information by entering data into Enterprise Air's workstation user interface or, more commonly, by interfacing to an existing access control system. Enterprise Air interfaces to most major access control systems.
How it will work under FIPS-201
Under FIPS-201 Enterprise Air's application can still utilize access levels and permissions that are maintained in the physical access control system. The MIDV application will expect the physical access control system to maintain a constant connection with the identity management system in order to keep track of modifications and revocations of credentials. But since the PIV cards will carry much of the data that was previously stored in the device-side database (synchronized from the physical access control server), some or all of the displayed data on the device may come directly from the ID card itself. This means that, in a MIDV implementation, the administrator will have several choices about how the system will utilize the new data stored on the PIV card. A simple example of this is the storage of biometric fingerprint templates. In previous MIDV implementations MIDV would have stored the biometric template in the cardholder record on the device database. With a PIV card the biometric template will be read directly off the PIV card.
Rapid Count Mobile Mustering
Current Application Description
Rapid Count Mustering is an application system that tracks building occupants through a sophisticated set of physical access control system interfaces in order to keep an up-to-date inventory of all building occupants in case of an emergency evacuation. Once an evacuation begins, operators/marshals within the building bring handheld devices to predetermined evacuation assembly points in order to scan badges, causing the badge holder to be removed from the missing persons list. The application maintains a live list of missing persons and their last known location in the building for rescue operators to use and for continuity of operations. The system uses existing physical access control badges to scan personnel and transmits data using wireless or sync-based communications. In the pre-FIPS-201 world, the badge is scanned for a badge number which acts as a simple key to the cardholder information from an access control system. The system also allows the scan of any machine-readable card in order to collect information about a person who has evacuated from a facility, even if that person was not registered as having been in the facility. IDs such as driver's licenses are used for this purpose and can be joined to human-readable information about a person at a later time using Police/Motor Vehicles databases.
How it Will Work Under FIPS-201
Under FIPS-201 an access control system will still provide the application with information about who is inside the facility, and badge IDs will check persons off the missing persons list by scanning the PIV card. But many new procedures can be opened up using data stored on the card. For example, persons with medical information on the card can be instantly identified and directed to special assistance. Persons who are members of emergency response teams or are part of a continuity of operations plan can be directed to task areas based on qualifications that exist on their cards.
Copyright © 2001-2012 Enterprise Air, Inc. All Rights Reserved