FIPS-201 and Enterprise Air

HSPD-12 Overview

Presidential directives are issued by the President of the United States to specify actions that must be taken by bodies or agencies of the federal government. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, requires that a strict, common identification standard be created and implemented for all federal government employees and contractors. The directive was signed by the President on August 27, 2004. At a high level, the directive calls for a common system for vetting identities (i.e. verifying that someone is who they say they are and that they have passed a standardized background check) and for a common ID standard that all agencies use when issuing identity credentials.
 
The National Institute of Standards and Technology and the Office of Management and Budget have been directed to provide standards and guidance for implementation of the directive.

FIPS-201 Overview

Introduction

The National Institute of Standards and Technology's (NIST) Computer Security Division was driven by HSPD-12 to create the FIPS-201, Personal Identity Verification of Federal Employees and Contractors, standard. The standard defines procedures for PIV activities such as identity proofing, registration procedures, identity card issuance, and identity card usage related to logical and physical security. FIPS-201 was approved by the Secretary of Commerce on February 25, 2005. The standard describes the following:

  • How identities are to be verified
  • How background checks are to be performed
  • What standard agencies must meet for background checks on employees
  • The technical details of the physical credentials that will be used
  • How credentials are to be maintained and revoked

The identity card specified by FIPS-201 has become known as the PIV card (Personal Identity Verification), and much of the discussion of FIPS-201 relates to this card (e.g. issuing a PIV, the format of a PIV, proper use of a PIV, lifecycle of a PIV, and so on). This card is a smart card with both contact and contactless interfaces, with the option for agencies to add other interfaces. The contactless interface is MiFARE DESFire v6.

FIPS-201 specifies many of the details of the standard, but also incorporates three separate technical documents as support material for the standard. These documents are as follows:

  • NIST Special Publication 800-73, Integrated Circuit Card for Personal Identity Verification -- Specifies the interfaces to the smart card portion of the PIV card and the required data elements.
  • NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification -- Specifies how to acquire, format, and store biometric data for the PIV system.
  • NIST Special Publication 800-78, Recommendations for Cryptographic Algorithms and Key Sizes -- Specifies cryptographic algorithms and key sizes that are approved for PIV use.

These documents are all available from the NIST website.  A discussion of these documents is beyond the scope of this document.
 

PIV-I

The PIV-I phase, which must be implemented by October 25, 2005 by all federal government agencies, includes the identity vetting requirements for FIPS-201. The following excerpt from the FIPS-201 standard summarizes PIV-I:

This standard is composed of two parts, PIV-I and PIV-II. The first part (PIV-I) describes the minimum requirements for a Federal personal identification system that meets the control and security objectives of HSPD 12, including personal identity proofing, registration, and issuance, but does not address the interoperability of PIV Cards and systems among departments and agencies.

PIV-II

PIV-II describes the detailed technical specifications required to create the physical credentials, information schemas, and data structures required to create an entire ecosystem of identity verification that enables interagency use and trust of individuals.

The second part (PIV-II) provides detailed technical specifications to support the control and security objectives in PIV-I as well as interoperability among Federal departments and agencies. PIV-II describes the policies and minimum requirements of a PIV Card that allows interoperability of credentials for physical access and logical access. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in NIST Special Publication 800-73 (SP 800-73), Interfaces for Personal Identity Verification. Similarly, the requirements for collection and formatting of biometric information are specified in NIST Special Publication 800-76 (SP800-76), Biometric Data Specification for Personal Identity Verification.

Public Comments on FIPS-201

Industry and government agency comments on the draft of FIPS-201 are published on the NIST website at http://csrc.nist.gov/piv-project/FIPS201-Public-Comments.html. These comments are probably the best way to understand the real issues and challenges of implementing FIPS-201.
 

Other Identity Card Programs

  • DOD Common Access Card: The Defense Department has distributed its Common Access Card to 3.5 million personnel. DOD is working to migrate to FIPS-201-compliant infrastructure and identity credentials.
  • DHS Access Cards: The Homeland Security Department has begun issuing the first 200 of its DHS access cards (DACs), with dual embedded chips and multiple digital certificates. These cards will be changed to FIPS-201-compliant cards in 2005.
  • TWIC Program: The Transportation Worker Identity Card program is underway using technologies similar to those specified in FIPS-201. As of June 2005 only trial deployments of cards have been issued.
  • NASA: NASA has modified its program for credentialing 20,000 federal employees and 70,000 contractors.

FIPS-201 Benefits

The implementation of a common ID card provides benefits well beyond ensuring that the cardholder is who they say they are and that the issuing party still considers the credential to be valid. The cards can be used to streamline operations at all different levels and provide openings to use new technologies to raise the level of security and emergency response across government and even extend efficiencies to non-government agencies. Some benefits of using a PIV card are listed below:

  • Helps to identify known felons, terrorists, and other wanted or restricted persons
  • Biometric data and photos can be stored directly on the card, allowing any agency to verify identity without having to know (or manage the data for) anything about the person presenting the card
  • Verifies that the person holding the card is actually the assigned cardholder
  • Provides a shared ID that can be trusted by all users in the government community
  • Streamlines verification of employees visiting other facilities
  • Benefit data can be stored on the card
  • Temporary data can be stored on the card
  • Provides a universal means of revoking credentials via PKI
  • The lack of visual access level indications on cards will force increased use of electronic systems for verification, thus further enhancing security

FIPS-201 Timeline

  • Aug 27, 2004 -- HSPD-12 issued by President George W. Bush
  • Sept 24, 2004 -- NIST issued draft FIPS 201
  • Dec 23, 2004 -- Comments on FIPS 201 closed
  • Feb 25, 2005 -- FIPS 201 was released
  • June 25, 2005 -- All agencies must have a program in place to work towards implementation
  • June 27, 2005 -- Implementation plans for individual agencies due at OMB
  • Oct 25, 2005 -- Physical and logical access systems should be in place "to the maximum extent practicable"

FIPS-201 Implementation

Overview

Implementation of FIPS-201 will require that agencies implement or upgrade existing systems to support the FIPS-201 requirements. There are many issues that need to be overcome. A few are listed below:

  • Physical and logical security systems must be able to read the new credential
  • Physical and logical security systems must be able to receive credential creation (i.e. enrollment acceptance) and revocation data from a separate identity management system (IDMS), or the IDMS must be pre-integrated into new physical or logical security systems
  • Because the ID badges will no longer have visual indicators denoting access levels, agencies with mixed security environments may need to install new technology to read cards and verify access

These are just a few of the changes that may affect an agency's operations.

A generalized picture of the systems involved in the FIPS-201 standard is provided below. This diagram describes the very basic interconnection of these systems. Other systems and subsystems are not included in this high level diagram and the interconnection between these systems may be different depending on particular vendor implementations.



FIPS-201 and Logical Data Access

Logical data access relates to computerized data access and related technologies. While Enterprise Air utilizes logical data access technologies in its own applications and they are, in some cases, integrated to the physical security systems that are supported by Enterprise Air, these technologies are better discussed by companies who specialize in these technologies. Enterprise Air does not endorse any particular logical security vendor.

FIPS-201 and Physical Data Access

Physical access control system implementations of FIPS-201 may vary. The implementation of FIPS-201 will drive new software integrations and business processes or operating concepts. In the past, agencies created their own methods of determining whether or not a person could be issued a credential. That credential was then generally issued via an application module in the physical security or access control system. Under that operating model, an agency created the badge ID according to rules chosen by the agency and then printed a badge according to the preferences and individual needs of the agency in question. This badge's use and lifecycle generally did not exist outside of the agency's access control system, and most agencies lacked electronic systems to do more than simply scan a badge at the perimeter or door of a facility. In the worst case, badges were simply worn on a lanyard and visually checked upon entry.

After FIPS-201, badges will be in a common format that can be read and understood by all agencies. The physical access control vendors will need to support new badge formats in their data models. The changes are numerous, but on the surface most access control systems will need to change their badge key from the old two-segment approach of facility code + badge ID to the FIPS-201 compliant format, which at a high level consists of agency code, application code, and badge ID segments. The identifying data on the card is actually more complex than described above; searching the FIPS-201 and NIST SP 800-73 documents for CHUID, FASC-N, PKI, or certificates will clarify the details.

FIPS-201 and Enterprise Air's Applications

The following section describes how FIPS-201 and PIV cards relate to several of Enterprise Air's mobile applications.

Portable Credentialing and Portable Incident Control

Current Application Description

Enterprise Air's Portable Credentialing and Incident Control Application is a self-contained solution for rolling out a security system capable of rapidly locking down a sensitive area such as a disaster site. The system allows pre-enrollment of known emergency response workers as well as rapid enrollment of workers as they arrive on site via an automated registration procedure. Perimeters (or areas) and access rules can be quickly and easily defined to allow classes of emergency workers to have access to sites. For example, an administrator can configure the system so that electric utility workers are automatically given access to the zone where they are needed. As each electric utility worker arrives on site, he can be enrolled in the system by scanning his employee card and driver's license and will automatically be granted access to the site. The system can work with workers' existing IDs or issue new site-specific ID credentials. As each worker enters the site, they are scanned by the system, which records their entry time. Timers can be set so that an incident commander can control the 'time-in' to the incident and easily locate resources.

How it will work under FIPS-201

Under FIPS-201 the Portable Credentialing System can still function by enrolling persons into the system who do not have a PIV card. But persons with a PIV card will not be required to perform any enrollment into the system, because the PIV card already is a trusted credential and because the card's credential information contains enough information about the person to determine whether or not they should have access to a site. An incident commander could simply grant access to an entire category of PIV card holders by specifying a configurable set of criteria. The criteria for allowing access include information such as agency code, ESF function, or other certification information. As the PIV holder attempts to access a site, the PIV card will be checked for authenticity, and then the credential information will be checked against the criteria set up by the incident commander to determine whether or not the person should be granted access to an area.

It is important to remember that possession of a PIV card does not by itself grant a person access to an incident site. The incident commander controls the site. And since there will eventually be tens of millions of PIV cards issued, possession of a PIV card alone will not be a meaningful representation of a person's eligibility for entrance. The PIV card MUST be verified and then the credential MUST be checked against the incident commander's incident access configuration.
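As an added illustration (not Enterprise Air's code) of the two-step decision described above, and of the three-segment card identifier mentioned under Physical Data Access: the card is checked for authenticity and revocation first, and only then is the credential matched against the incident commander's criteria. The issuer signature is modelled with an HMAC under a constructed key, and the agency codes, ESF values and site policy are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the issuing agency's signing key. A real PIV card's CHUID is
# signed under PKI; an HMAC is used here only so the example runs offline.
ISSUER_KEY = b"constructed-issuer-key-not-real"


@dataclass(frozen=True)
class PivCredential:
    agency_code: str        # issuing-agency segment of the card identifier
    system_code: str        # the "application code" segment mentioned above
    credential_number: str  # the badge ID segment
    esf_function: str       # Emergency Support Function the holder is certified for
    signature: bytes        # issuer signature over the four fields above

def _signed_fields(agency_code, system_code, credential_number, esf_function):
    return "|".join((agency_code, system_code, credential_number, esf_function)).encode()

def issue(agency_code, system_code, credential_number, esf_function):
    """Issuer side (modelled): sign the identifying fields and place them on the card."""
    data = _signed_fields(agency_code, system_code, credential_number, esf_function)
    sig = hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()
    return PivCredential(agency_code, system_code, credential_number, esf_function, sig)

def card_is_authentic(card):
    """Step 1: verify the card before trusting any field it carries."""
    data = _signed_fields(card.agency_code, card.system_code,
                          card.credential_number, card.esf_function)
    expected = hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.signature)

@dataclass(frozen=True)
class IncidentPolicy:
    """Criteria the incident commander configures for one site."""
    allowed_agency_codes: frozenset
    allowed_esf_functions: frozenset

def decide_access(card, policy, revoked):
    """Step 2: return (granted, reason). Holding a PIV card alone never grants access."""
    if not card_is_authentic(card):
        return False, "card failed authenticity check"
    if (card.agency_code, card.system_code, card.credential_number) in revoked:
        return False, "credential revoked by issuer"
    if card.agency_code in policy.allowed_agency_codes:
        return True, "agency code matches incident criteria"
    if card.esf_function in policy.allowed_esf_functions:
        return True, "ESF function matches incident criteria"
    return False, "authentic card, but no incident criterion matched"

# Constructed sample site: open to one agency and to ESF #12 (Energy) workers,
# with one credential already revoked by its issuer.
SITE_POLICY = IncidentPolicy(frozenset({"7008"}), frozenset({"ESF-12"}))
REVOKED = {("7008", "0001", "000042")}
```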


Mobile ID Verification

Current Application Description

Mobile ID Verification (MIDV) allows ID credentials to be read using Enterprise Air Mobile ID Readers. Mobile ID Readers are handheld devices with color displays that can read a variety of badge formats (e.g. HID Prox, Mag Stripe, MiFARE, Bar Code, etc) and display information about the cardholder using a lookup in a database stored on the handheld device or, over a wireless network, located in a server side database. The application can get its badge information by entering data into Enterprise Air's workstation user interface or, more commonly, by interfacing to an existing access control system. Enterprise Air interfaces to most major access control systems.

How it will work under FIPS-201

Under FIPS-201, Enterprise Air's application can still utilize access levels and permissions that are maintained in the physical access control system. The MIDV application will expect the physical access control system to maintain a constant connection with the identity management system in order to keep track of modifications and revocations of credentials. But since the PIV cards will carry much of the data that was previously stored in the device-side database (synchronized from the physical access control server), some or all of the data displayed on the device may come directly from the ID card itself. This means that, in a MIDV implementation, the administrator will have several choices about how the system will utilize the new data stored on the PIV card. A simple example of this is the storage of biometric fingerprint templates. In previous MIDV implementations, MIDV would have stored the biometric template in the cardholder record in the device database. With a PIV card, the biometric template will be read directly off the PIV card.


Rapid Count Mobile Mustering

Current Application Description

Rapid Count Mustering is an application system that tracks building occupants through a sophisticated set of physical access control system interfaces in order to keep an up to date inventory of all building occupants in case of an emergency evacuation. Once an evacuation begins, operators/marshals within the building bring handheld devices to predetermined evacuation assembly points in order to scan badges causing the badge holder to be removed from the missing persons list. The application maintains a live list of missing persons and last known location in the building for rescue operators to use and for continuity of operations. The system uses existing physical access control badges to scan personnel and transmits data using wireless or sync based communications. In the pre-FIPS-201 world, the badge is scanned for a badge number which acts as a simple key to the cardholder information from an access control system. The system also allows the scan of any machine readable card in order to collect the information about a person who has evacuated from a facility - even if that person was not registered as having been in the facility. IDs such as driver's licenses are used for this purpose and can be joined to human readable information about a person at a later time using Police/Motor Vehicles databases.

How it Will Work Under FIPS-201

Under FIPS-201 an access control system will still provide the application with information about who is inside the facility, and badge IDs will check persons off the missing persons list when the PIV card is scanned. But many new procedures can be opened up using data stored on the card. For example, persons with medical information on the card can be instantly identified and directed to special assistance. Persons who are members of emergency response teams or are part of a continuity of operations plan can be directed to task areas based on qualifications that exist on their cards.


Copyright © 2001-2007 Enterprise Air, Inc. All Rights Reserved