Tuesday, June 15, 2010

FIPS 201 PACS and Government-wide ID Management Security Update

I attended the 2010 GSA FIPS 201 Evaluation Program (EP) Information Day, and Security Industry Association (SIA) Government Summit held in Washington D.C. on June 7-9. There, I learned how important physical access control systems (PACS) and Identity, Credential, and Access Management (ICAM) are to the security industry.

For the uninitiated, the GSA FIPS 201 EP is the U.S. Federal Government program that places identity management products on the FIPS 201 Evaluation Program Approved Products List (APL). Products receive placement only after undergoing a security evaluation administered by a GSA FIPS 201 EP approved laboratory, such as atsec information security corporation.

The GSA FIPS 201 EP Information Day was attended by both technology companies and security evaluation labs. The SIA Government Summit was a gathering of security technology companies and U.S. Federal Government representatives. The two events were held together because of their shared interest in security and their common concerns about PACS and ICAM.

ICAM is a sub-committee of the Information Security & Identity Management Committee (ISIMC), which was created by the Federal CIO Council in 2008. The Federal ICAM (FICAM) Roadmap goes beyond mandating the use of Personal Identity Verification (PIV) cards within the Federal Government, with its goal of a “consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity, and interoperability.” FIPS 201-based PACS directly relate to the Federal ICAM Roadmap key initiative to “fully leverage Personal Identity Verification (PIV) & interoperable credentials” because PACS use PIV card and card reader technology to identify and authenticate individuals prior to granting physical access to facilities and/or assets.

FIPS 201-based PACS have many components including, but not limited to, a PIV card reader (with an authentication mechanism), access controllers, a physical access control device (an electronically controlled lock, etc.), and a host system consisting of application software and PIV middleware. Under FIPS 201, authentication mechanisms can be biometric (fingerprint verification), cryptographic (Personal Identification Number (PIN) entry and PIV authentication certificate verification), or token-based (Card Holder Unique ID (CHUID) verification).

In addition, the optional Card Authentication Key (CAK) may be used for physical access control in place of the PIV Authentication Key found in the PIV authentication certificate. One advantage of CAK usage is that PIN entry is not required, which considerably speeds up physical access control (just imagine the backup of traffic if a line of cars were awaiting access to a military base and each car's occupant had to enter a PIN before access). The current disadvantage of CAK usage is that FIPS 201-1 deems it optional, so the wide variation among CAK implementations in use hinders interoperability (thankfully, the upcoming FIPS 201-2 standard plans to address this issue).
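As an added illustration of the trade-off just described (this is a constructed model written for this post, not code from atsec, GSA, or any PACS product): the card answers a reader's random challenge with a signature, and only the PIV Authentication Key path is gated on the PIN, while the CAK path is not. Real PIV cards are driven over APDUs and the reader takes the public key from the card's certificate; the `Card`, `NewCard`, `SignChallenge` and `Authenticate` names and the `"PIV-AUTH"`/`"CAK"` mechanism labels are this example's own, and the keys are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Card is a constructed model of a PIV card's two PACS-relevant keys, kept by
// mechanism name: "PIV-AUTH" (PIN-protected) and "CAK" (usable without a PIN).
type Card struct {
	keys map[string]*ecdsa.PrivateKey
	pin  string
}

// NewCard generates fresh P-256 keys (a curve FIPS 201 permits) for the model.
func NewCard(pin string) (*Card, error) {
	c := &Card{keys: map[string]*ecdsa.PrivateKey{}, pin: pin}
	for _, mech := range []string{"PIV-AUTH", "CAK"} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		c.keys[mech] = k
	}
	return c, nil
}

// SignChallenge is the card side: only the PIV Authentication Key is gated on the PIN.
func (c *Card) SignChallenge(mech, pin string, challenge []byte) ([]byte, error) {
	key := c.keys[mech]
	if key == nil || (mech == "PIV-AUTH" && pin != c.pin) {
		return nil, errors.New("mechanism unknown or PIN required for " + mech)
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate is the reader side: a fresh random challenge (so a captured response
// cannot be replayed), then verification with the key a real PACS reads from the certificate.
func Authenticate(c *Card, mech, pin string) (bool, error) {
	challenge := make([]byte, 16)
	rand.Read(challenge) // crypto/rand; guaranteed not to fail from Go 1.24 on
	sig, err := c.SignChallenge(mech, pin, challenge)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(&c.keys[mech].PublicKey, h[:], sig), nil
}
```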

Related to ICAM and PACS, atsec recently completed the first product security evaluations for three of the four GSA FIPS 201 EP authentication system product categories:
CAK Authentication System (APL item #486)
PIV Authentication System (APL item #485)
CHUID Authentication System (APL item #466)
The importance of the first authentication system product security evaluations cannot be overstated as PACS and ICAM take center stage in importance to the Federal Government. Evaluations such as these are further evidence of the security industry moving from PIV card issuance to actual PIV card usage and system integration.

More information and resources on atsec information security corporation, ICAM, and the GSA FIPS 201 EP can be found at http://atsec.com/us/it-security-services.html, http://www.idmanagement.gov, and http://fips201ep.cio.gov.

Auston Holt
Deputy GSA FIPS 201 EP Lab Manager, atsec information security corporation
