FIPS 201 News
ARX receives certification for network hardware security module
ARX received FIPS 201 approval from the U.S. Government’s General Services Administration on the Approved Products List for compliance for its PrivateServer network-attached hardware security module.
The ARX PrivateServer HSM is a network-attached HSM and key management system. It comes with a load balancing option, and enables organizations to stay in compliance with several regulations that address information privacy and integrity.
The PrivateServer HSM is a solution designed to be network-attached and to serve multiple users and applications.
PrivateServer HSM has a number of API plug-n-play interfaces that support ID card systems, including full support for Microsoft’s CAPI/CNG, PKCS#11, and JCA standards.
GSA adds two SecuGen products to FIPS 201 approved list
SecuGen announced that the General Services Administration added two of its fingerprint scanners to the FIPS 201 Evaluation Program Approved Products list.
The solutions, which are both compliant with the National Institute of Standards and Technology’s Personal Identity Verification FIPS 201 standard, are the Hamster IV v2 fingerprint reader and ID-USB SC/PIV v2 combined fingerprint and smart card reader.
The SecuGen Hamster IV v2 is an updated version of its FBI Certified, single fingerprint reader while the ID-USB SC/PIV v2 is an updated version of its FBI Certified fingerprint reader combined with a smart card reader.
SecuGen distributes its biometric products through Systems Integrators, Independent Software Vendors and Original Equipment Manufacturers.
SecuGen's Hamster IV receives FIPS 201/PIV certification
SecuGen has announced its Hamster IV v2 fingerprint reader, the new generation of its Hamster IV fingerprint readers, has met the requirements Personal Identity Verification (PIV) Single Finger Capture Device Specifications and received FBI certification for FIPS 201/PIV.
The new version of the Hamster IV retains most of the aspects of its predecessor such as rugged design and image quality, but has also increased the image capture speed and has USB 1.1 and 2.0 compatibility.
White House demands agencies actually use PIV cards
OMB memo mandates FIPS 201 compliance for all new systems
When the White House Office of Management and Budget released a memorandum in February mandating that all agencies to start using the FIPS 201 PIV credentials for physical and logical access, it was met with mixed responses.
Vendors and consultants cheered. The credentials would finally be used for more than a flash badge and new contracts were in site. Agencies, however, bemoaned another unfunded mandate. Agency sources say it’s 2005 all over again referring to the original HSPD-12 document that mandated credential issuance with no additional budget.
Agencies were required to submit plans on how they would implement PIV-enabled systems by the end of March, and all new physical and logical access systems under development following the memo’s release must be PIV-enabled.
With more than 4.8 million PIV credentials issued to government employees and contractors, 84% complete, most would assume the IDs were widely used. The not so secret ‘dirty little secret’ is that with few exceptions the credentials are not used for much more than a flash badge.
The OMB memorandum, M-11-11, aims to change that. “This will see systems being implemented and FIPS 201, PIV and ICAM taken seriously for the first time,” says Salvatore D’Agostino, CEO at IDmachines.
As of early August there were very few agency requests for new physical or logical access systems that would use the PIV. This is likely to change before the end of the fiscal year on Sept. 30, explains D’Agostino. “Between now and then quite a few things will be committed,” he says.
A big question surrounds deployment timelines, says Patrick Hearn, vice president of government and identification markets for North America at Oberthur Technologies. The OMB memo doesn’t specify a deadline for the new systems to be deployed and for some it could take years. “The question is whether OMB will be tolerant of the smaller agencies,” he says.
Penalties for not deploying systems aren’t described in the memo, but in the past agencies failing to meet OMB’s guidance had funding pulled. This was the same threat agencies had when initially rolling out PIV. “OMB M-11-11 implies risk to budget if you don’t comply … it will be interesting to see if it bites anyone,” D’Agostino says.
It’s mixed as to whether agencies are prepared to rollout systems that would take advantage of the PIV cards, Hearn says. “Some agencies have prepared and implemented hardware,” he says.
Others are at a transition point waiting for further guidance from NIST and additional compliant products from vendors before moving forward, Hearn says. NIST Special Publication 800-73-3 deals with middleware for PIV and there’s an issue because few, if any, systems meet the current specification on the GSA’s approved product list.
D’Agostino says deploying systems shouldn’t be difficult for most agencies. The specifications have been out there and products exist. “People understand what PIV and FICAM entail and it’s just a matter of building out the infrastructure,” he says.
Using PIV for logical access is increasingly important as hacks on government agencies increase. “Part of the effort is to ensure on the logical access side that agencies use cryptographic algorithms as quickly as possible,” he says.
While work is underway in some agencies, some question whether the U.S. Department of Homeland Security, the agency charged with overseeing deployment of systems that would use PIV, is taking the OMB memo seriously. As of June 30 Homeland Security reported that it had, for the first time, issued credentials to all employees. Sources say the agency has historically been slow to rollout PIV-compliant systems.
With only a handful of agencies using PIV credentials for their intended purposes it’s overdue to see some pressure applied. But with no definitive timeline for deployment, it’s hard to say if agencies will feel any real pressure to rollout systems that take advantage of the PIV technology.
Current status of HSPD-12
HSPD-12 credentials issued as of June 1, 2011
Credentials issued to employees*: 4,151,358 (88%)
Credentials issued to contractors: 842,946 (81%)
Total credentials issued: 4,994,304 (87%)
Background investigations verified/completed as of June 1, 2011
Background investigations completed for employees*: 4,128,415 (87%)
Background investigations completed for contractors: 886,137 (85%)
Total investigations verified/completed: 5,014,552 (86%)
Additional stats
18 federal credential issuance infrastructures are in operation nationwide
59 system integrators
592 products on GSA Approved Products and Services List
APL product details: http://www.fips201.com
Agency specific status: http://www.whitehouse.gov/omb/e-gov/hspd12_reports/
*US Military Personnel are included in Employee Numbers
Source: GSA
HID Global achieves FIPS 201 certification for multiCLASS magnetic stripe readers
HID Global announced FIPS 201 certification for its line of multiCLASS magnetic stripe readers. The expansion offers U.S. government organizations a simplified path as they begin to migrate programs from legacy magnetic stripe cards to contactless 13.56 MHz FIPS201 credentials.
HID Global’s multiCLASS line of multi-technology readers allows an agency’s access control system to function properly during the transition from current card technology to new FIPS 201 card requirements. Using patented features, the multiCLASS reader is capable of simultaneously reading legacy cards and the new FIPS 201 cards.
HID Global is targeting its FIPS 201 multiCLASS readers at federal, municipal, state and local governments which must be prepared to respond to the regulatory landscape and technological advancements.
In addition to achieving FIPS 201 certification, HID Global has also achieved UL294/cUL outdoor certification on all multiCLASS magnetic stripe readers. HID’s FIPS-201-certified multiCLASS readers also recently won the Security Products Magazine Govies Award, which recognizes outstanding products in government security.
SecuGen releases biometric scanner and card reader in-one solution
SecuGen, a developer of biometric technology solutions, has announced the availability of its SecuGen iD-USB SC/PIV, a USB-connectible device that is capable of scanning fingerprints and smart cards and is FIPS 201/PIV compliant.
SecuGen is targeting its new offering at the large number of government and commercial projects that require both biometric and smart card capabilities in the solutions they choose. The new unit is now listed on the General Services Administration’s FIPS 201 Approved Products List.
Some of the aspects of the new device that SecuGen is touting include its compliance with different standards.
Its optical fingerprint sensor is certified to meet the FBI’s Image Quality Specifications. Additionally, the reader comes with drivers Windows, Linux and various embedded operating systems allowing for more choice from end users of what to use as the computer to run the device.
The E-Plex 5800 series, no software required
Kaba Access Control recently unveiled its new E-Plex 5800 series, which features a stand-alone access control system approved by GSA to meet FIPS 201 requirements.
The CoreStreet Enabled E-Plex 5800 series incorporates a variety of options and features to accommodate to the customer’s preferences and applications.
Users have two methods of handling the system: without software by enrolling FIPS 201 cards right at the reader, or using software to check card validation against the Federal Bridge, import photos, set access schedules, retrieve audit trail and other features.
The E-Plex 5800 series is on the FIPS 201 Approved Product List and is now available for shipment.
Episode 42: What's ahead for identity and the federal government?
2009 was when the discussion started on the problems with identity in the federal government began. Will 2010 be the year where solutions to these problems come to light? Regarding ID Editor Zack Martin spoke to Kelli Emerick, executive director of the Secure ID Coalition, to see what might happen in the new year with different ID projects.
SanDisk Cruzer USB drives meet federal government needs
SanDisk Corp., a provider of flash memory cards, announced that its SanDisk Cruzer Enterprise secure USB flash drives are now enhanced to meet the requirements of government employees. The Cruzer Enterprise design was independently tested and certified under Military Standard 810-F environmental standards in addition to being suitable for use by the visually-impaired under Section 508 requirements.
Cruzer Enterprise drives feature cryptographic modules and encryption algorithms, a waterproof design and are compliant with Trade Agreements Act requirements for purposes of U.S. Government procurements. In addition, the Cruzer Enterprise line of flash drives is listed for Common Criteria certification, which it is expected to receive next month.
ACS smart card reader receives FIPS 201 certification
ACS has announced that the ACR38 smart card reader has obtained FIPS 201 certification.
The approval of the reader enables the ACR38 to be used by federal agencies in their smart card applications such as physical access, network access and other authentication solutions. The FIPS 201 certification is a requirement of GSA for devices used in a smart card solution to ensure government-wide interoperability.
ACS also has unveiled the ACR38K Smart Keyboard. The ACR38K Smart Keyboard combines the smart card reader to a keyboard which enables convenience to implement smart-card-based systems or applications in the PC environment.
The keyboard has a ACR38 smart card reader module embedded and supports a variety of smart cards including ISO-7816 Class A, B and C cards as well as most of the common memory cards.