FIPS 201 News

Slides from April 24 IAB meeting online now

Published Monday, April 29, 2013

Posted by FIPS 201 Administrator Mon, 29 Apr 2013 15:58:00 GMT

The April meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. The event was covered on site and, as a service to the IAB and the smart card community, an audio recording of the presentations has been provided. Click on the link below to access a list of audio and accompanying PowerPoint slides (in PDF format).

Government Smart Card Interagency Advisory Board (IAB) Meeting

Audio was not available for this meeting

  • Opening Remarks

  • A Security Industry Association (SIA) Perspective on the Cost and Methods for Migrating PACS Systems to Use PIV and PKI as Relying Parties
    Steve Van Till, SIA

    PDF: click here

  • Update on FIPS 201-2 and Associated Publications
    Hildy Ferraiolo, NIST

    PDF: click here

  • What the SCA is Doing to Increase Adoption of Strong Credentials - Government ID Training, PIV-I Implementation, and Interoperable Credentials
    Panel Discussion of SCA membership

    PDF: click here

  • Closing Remarks

Audio from February 27 IAB meeting online now

Published Thursday, March 14, 2013

Posted by FIPS 201 Administrator Thu, 14 Mar 2013 13:35:00 GMT

The February meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. The event was covered on site and, as a service to the IAB and the smart card community, an audio recording of the presentations has been provided. Click on the link below to access a list of audio and accompanying PowerPoint slides (in PDF format).

Government Smart Card Interagency Advisory Board (IAB) Meeting

  • Opening Remarks

    MP3: click here

  • Discussion on Revisions Contained in Draft SP 800-63-2
    Bill Burr, NIST

    PDF: click here

    MP3: click here

  • The Objectives and Status of Modern Physical Access Working Group (MPAWG)
    Will Morrison and J’son Tyson, MPAWG Co-Chair

    PDF: click here

    MP3: click here

  • Overview of PACS Specification from the Security Industry Association (SIA) to Include All PIV Functionality
    Rob Zivney, Chair of the SIA PIV Working Group and Vice Chair of the Standards Committee

    PDF: click here

    MP3: click here

  • Closing Remarks

Entrust receives FIPS 201, 140 certifications

Published Tuesday, February 12, 2013

Posted by FIPS 201 Administrator Tue, 12 Feb 2013 18:15:00 GMT

Entrust Inc. finalized a pair of government approvals with FIPS 201 and FIPS 140 certifications for the company’s PIV smart card credential technology, which was reviewed, tested and certified by the National Institute of Standards and Technology.

These certifications demonstrate interoperability with established NIST standards. To ensure a seamless deployment, many organizations will only purchase solutions that carry certain certifications.

Based on standards set by the U.S. government, these certifications help ensure interoperability by vetting protocol conformance for smart cards (FIPS 201) and testing cryptographic strength (FIPS 140). These approvals complement and support Entrust’s existing Common Criteria EAL 5 certification.

Reviewed by the NIST PIV Platform Validation Authority, FIPS 201 certification focuses on interoperability between the PIV application and other parts of the PIV solution, including physical access readers and logical access clients. The strict certification also verifies the smart card can withstand many years of rigorous wear and tear.

FIPS 140 certification ensures a solution meets or exceeds U.S. government security standards that specify requirements for cryptographic modules and physical tamper resistance. One example is testing the elliptic curve cryptography implementation used within the solution.

PIV-enabling google apps

Published Monday, January 28, 2013

Posted by FIPS 201 Administrator Mon, 28 Jan 2013 18:30:00 GMT

NASA aims for the cloud

Andrew Hudson, Contributing Editor, Avisian Publications

NASA and Google are enabling government employees to access networks more conveniently and securely using their agency-issued Personal Identity Verification (PIV) cards.

“NASA has been running a pilot with Google Apps for Government for more than a year,” says Tim Baldridge, former NASA ICAM Solutions Architect who presented the pilot at an Interagency Advisory Board meeting.

The pilot–open to 600 IT personnel at the agency–enables NASA users to connect to Google Apps for Government using their existing PIV smart card for access to networks and accounts.

Incorporating NASA’s user interface–NASA Access Launchpad–the initiative increases authentication security and convenience while taking advantage of the Federal ICAM architecture.

“The Launchpad is a customized front-end program that we’ve built around Oracle Open SSO,” explains Baldridge. “The user interface is based on the four mechanisms in place: Windows Desktop single sign on, username and password, RSA token and Level of Assurance 3/PIV.”

The pilot configuration is mindful of the stringent conformance demands that can sometimes befall verification initiatives. “Google Apps is a SAML 2.0 capable ‘software as a service’ offering,” says Baldridge. The Access Launchpad uses SAML 2.0 but, he notes, the version recently put into production supports OpenID as well.

OpenID is of interest to NASA for future consideration, though it is not currently incorporated in the Google Apps pilot. Baldridge makes it clear that the pilot initiative is not a final product. “We do not put any sensitive data up on the pilot,” explains Baldridge. “The pilot hasn’t gone through all the FISMA conformance, so everybody knows to treat this as low assurance.”

What does Google offer?

The NASA pilot is using four components–documents, sites, groups and contacts–of the Google Apps offering, explains Baldridge. Google Apps also features email and calendar support though NASA has foregone these applications in favor of its own mail and calendar functions based on Microsoft Exchange.

The pilot enables verification on a number of levels. The Access Launchpad logon screen will accept username and password, smart card and RSA tokens as credentials, says Baldridge.

Access to the service is simple. The user goes to Google Apps, is given a redirect back to NASA’s Launchpad token service and based on the login, an assertion is generated, explains Baldridge. “The Launchpad also has an implementation that includes Windows desktop single sign on,” he adds.

Using PIV

With multiple forms of authentication, identifying the type of login as well as the identity associated with it becomes important.

Access Launchpad serves a verifier function delineating between authentication technologies used at the time of login. “Whether we’re using a PIV card, PIV-I credential or a credential on a mobile device, we can verify it and make the assertion based on what we’ve verified,” says Baldridge.

The system can tell the difference between PIV-I and PIV, a mobile device or thumb drive/USB based device, says Baldridge. “The idea here is to remain extensible in the architecture where different kinds of form factors can be used according to their levels of assurance.”

The pilot, as expected, is a relatively stripped down version of the proposed final product and is only operating on Level of Assurance Two. For Baldridge, the fact that employees can use a one-time password or a PIV is the takeaway.


Simplicity is a key factor for the NASA initiative. The system enables an organization to sync massive rosters of credentials with Google in a simple and efficient manner, says Baldridge.

“We can take all 96,000 identities at NASA and present them to Google Apps for access if they are authorized,” says Baldridge. “We simply go into Google Apps, provide a spreadsheet of identities for authorization and after literally five minutes of configuration, all these identities are accessible–through their PIV cards–to Google Apps.”

Speed and efficiency are key to any business model and Baldridge suggests that those interested in the bottom line should not discount the NASA/Google initiative. “Five minutes of configurations to turn your application on to 100,000 accounts, that’s a return on your investment,” says Baldridge. “You’re not redoing what you already did–provisioning and managing passwords.”

Cloud: the final frontier

The value in using PIV cards in NASA’s new system is that it creates a secure application for authentication in the cloud. “All we would need to do to lift up the level of assurance is for the application to say ‘I need an authentication context that is level two or level three,’” Baldridge says.

This may seem a simple explanation for a rather complex solution. However, the results, according to NASA and Baldridge, are substantial. “We can say that the cloud is PIV capable, that is the message–the public statement,” says Baldridge.

Using the system is simple as well. NASA has a SAML 2.0 conformant configuration in place for, a commonly used government portal. “If you’re logged on to your NASA issued desktop, you can simply click the button without providing password or PIV–it is, in fact, the Windows desktop single sign on of NASA Launchpad.”

Baldridge sees this as a convenience, especially when traveling. “When you travel, you don’t have to remember username and passwords.”

The caveat

For all that NASA’s initiative with Google promises, Baldridge was sure to mention one caveat associated with the project. “The Federal SAML 2.0 single sign-on profile had an overly restrictive statement in it where (NIST Special Publication 800-63) actually says you have a secure channel or an encrypted assertion,” explains Baldridge. “But the profile only said encrypted assertion.”

“Google doesn’t encrypt the assertion, it only encrypts the channel,” explains Baldridge. “We were trying to fix that language but didn’t quite fix it right so we have another iteration to go through to get that right,” says Baldridge.
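As an added illustration of the mismatch Baldridge describes (this is not NASA’s or Google’s code), the following relying-party check classifies a SAML 2.0 Response by whether its assertion is encrypted and evaluates it against both wordings: the SP 800-63 rule (secure channel or encrypted assertion) and the stricter profile wording (encrypted assertion only). The two sample responses and the profile labels are constructed for the example.

```python
"""Classify how a SAML 2.0 Response protects its assertion, as a relying party
might before accepting it. Constructed example: the responses below are
minimal and carry no signatures or conditions, unlike real ones."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed response carrying a plain (cleartext) assertion.
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.gov</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response carrying an encrypted assertion (ciphertext is a placeholder).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def assertion_protection(response_xml: str) -> str:
    """Return 'encrypted', 'plain', or 'none' for the assertion in a Response."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "encrypted"
    if root.find("saml:Assertion", NS) is not None:
        return "plain"
    return "none"


def meets_requirement(response_xml: str, over_tls: bool, profile: str) -> bool:
    """profile 'sp800-63': a secure channel OR an encrypted assertion suffices.
    profile 'encrypted-only': the assertion itself must be encrypted, as the
    profile wording Baldridge quotes required. Both labels are constructed."""
    protection = assertion_protection(response_xml)
    if protection == "none":
        return False  # fail closed: no assertion at all
    if profile == "encrypted-only":
        return protection == "encrypted"
    if profile == "sp800-63":
        return protection == "encrypted" or over_tls
    raise ValueError(f"unknown profile {profile!r}")
```

A channel-encrypted, cleartext assertion (the Google behaviour described above) passes the SP 800-63 wording but fails the encrypted-only wording, which is exactly the fine-print gap the article reports.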

It’s a fine print issue that does little to take away from the NASA and Google Apps initiative.

Using the cloud to provide secure and streamlined employee verification is a key step to enable access anytime, anywhere. Add the fact that it incorporates PIV credentials that are already in the hands of government employees and the solution’s value rises.

HID buys Codebench

Published Tuesday, January 08, 2013

Posted by FIPS 201 Administrator Tue, 08 Jan 2013 18:28:00 GMT

HID Global announced it acquired Codebench, a provider of physical security identity management focusing on the government sector. The acquisition brings together two offerings in validation software and solutions for government credentials and will enable HID Global to offer solutions that ease deployment for its federal agency and contractor customers.

The Codebench offering joins HID Global’s federal identity portfolio and will enable the company to give customers a one-stop-shop to upgrade their physical access control system in accordance with FIPS-201 guidelines for PIV.

The addition of Codebench’s portfolio will also enhance HID Global’s capability to offer Transportation Worker Identification Card solutions as well as more complete PACS integration capabilities and to extend these capabilities into HID Global’s identity assurance Card Management System appliance.

The acquisition will also enable HID Global to serve the emerging market for commercial identity verification (CIV) using the same technologies as PIV for broader applications in health care, local and state government, first responder groups, and a broad range of other organizations. Additionally, the acquisition positions HID to move strong authentication beyond logical access control at the desktop.

Codebench remains located in Coconut Creek, Fla. and the company’s products, executives and staff become part of HID Global’s Identity Access Management (IAM) business.

Army Reserve upgrades physical access control

Published Monday, January 07, 2013

Posted by FIPS 201 Administrator Mon, 07 Jan 2013 18:33:00 GMT

Puts PIV to use with an eye toward standard’s revisions

Jill Jaracz, Contributing Editor, Avisian Publications

The mandate to achieve FIPS 201 compliance means that many government departments and agencies must upgrade their access control systems. In 2012, the U.S. Army Reserve Control (USARC) achieved their upgrade with the help of Monitor Dynamics’ FICAM Platform.

Before the upgrade, the Army Reserve relied on proximity and magnetic stripe technologies. This is what most Department of Defense and civilian U.S. federal government agencies still use, says Mike Garcia, vice president of marketing and business development at Monitor Dynamics.

“HSPD-12 and FIPS 201 have been around for seven and five years respectively, and while we have a great number of the high assurance ‘keys’ deployed, we have not seen the same uptick in physical access systems or ‘locks.’ The Defense Department with its physical access control requirements and now the entire federal government with OMB M-11-11 has created a compliance mandate for high-assurance locks–or physical access control systems–and we are beginning to see a huge increase in demand for compliant locks,” says Garcia.

Finding FIPS 201 compliant systems is actually one of the challenges in complying with the mandate. The standard defines the credential and various component parts, but it does not define the overall physical access control system. To address this, the Army Reserve started with future proofing in mind, Garcia says. They sought FIPS 201-2 compliance, considering potential modifications to the existing standard in their choice of access control system. The Army Reserve opted for a system that could comply with government mandates requiring electronic validation of PIV credentials and could also meet future standards.

To that end, the Army Reserve chose Monitor Dynamics’ Trusted FICAM Platform.

“The command and control center software manages everything in the field globally,” says Garcia. “From the head-end of the physical access control system, which is usually located at the headquarters on the main server, you have administrator privileges and rights to control the rest of the field hardware, computers and other devices.”

The system enables the Army Reserve to use Defense Department-issued Common Access Cards for logical and physical access control in a unified system delivering PKI at the reader, says Garcia. The multi-factor authentication requirements of the system make it impossible for anyone other than the cardholder to gain access. This prevents security breaches due to lost, stolen, manipulated, invalid, copied and revoked cards or cards that have no trusted path, says Garcia.

The Army Reserve can provision PIV and PIV-I cards from other issuers into their physical access control system, says Garcia. “One of the biggest problems in physical access control systems is visitor management. The ability to understand that an individual is who they claim to be and they are still employed is a quantum leap in security over current conditions,” says Garcia. “The access privileges to the building are still granted and managed locally, but it is with a higher assurance.”

The Army Reserve granted contracts on a facility-by-facility basis. During the past two years, Monitor Dynamics has been installing systems in locations across the nation. To date, the Trusted FICAM Platform has been implemented in more than 40 locations.

Upon implementation, the Army Reserve then works with CertiPath to perform a site certification based on CertiPath’s checklist and testing methodology. CertiPath conducts the system level testing on the Trusted FICAM Platform by taking the PIV/PIV-I capable components and testing them as a complete system against FICAM controls encompassing both security and usability. CertiPath tests the head end server, validation client, secure controller, physical access control panels and card readers at the door using both external cards and CertiPath’s proprietary threat-specific cards.

To use the system, a person presents a Common Access Card, PIV or PIV-I smart card to a two-factor or three-factor FIPS 201 approved reader at the door. The user then inputs a PIN and/or scans an index finger.

The system checks the various factors against the credential and the information on the card’s chip. If one factor doesn’t match, the person is denied entry at the door. If the factors do match, the system verifies the person against the revocation list.

If the Certificate Authority deems the digital certificate on the card to be invalid, be it expired, lost, stolen or fake, entry is denied. If it is a valid match, the Certificate Authority sends it on to the physical access control system’s head-end to make the entry and exit decision at the door.

The entire authentication and validation process takes 2.5 to 3 seconds on the FICAM system, including the time needed to enter a PIN, says Garcia.
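The door-side sequence described above (factor checks against the card, then certificate trust, expiry and revocation, then the head-end decision), written out as an added example that is not Monitor Dynamics’ or CertiPath’s code. The cards, PINs, fingerprint templates, issuer name and revocation list are all constructed; hashing stands in for on-card PIN verification and biometric template matching.

```python
"""Simulated PACS validation sequence. Constructed example: every value below
is made up, and SHA-256 comparison stands in for on-card PIN verification and
for biometric template matching, which real readers do very differently."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass(frozen=True)
class CardCredential:
    """What a reader pulls from the chip: holder, factor references, and the
    identifiers of the card authentication certificate."""
    holder: str
    pin_hash: str
    finger_hash: str
    cert_serial: str
    cert_issuer: str
    cert_not_after: datetime


class Validator:
    def __init__(self, trusted_issuers, revoked_serials, now):
        self.trusted_issuers = set(trusted_issuers)
        self.revoked_serials = set(revoked_serials)  # stand-in for the CA's revocation list
        self.now = now

    def validate(self, card, pin=None, finger=None, factors=2):
        """Return 'grant: <holder>' or 'deny: <reason>'. Every path fails closed."""
        if factors not in (2, 3):
            return "deny: reader must be two- or three-factor"
        # Step 1: each presented factor must match the card; a mismatch is
        # refused at the door before any certificate work is done.
        if pin is None or not hmac.compare_digest(_h(pin), card.pin_hash):
            return "deny: PIN mismatch"
        if factors == 3 and (finger is None
                             or not hmac.compare_digest(_h(finger), card.finger_hash)):
            return "deny: fingerprint mismatch"
        # Step 2: certificate status: trusted path, not expired, not revoked.
        if card.cert_issuer not in self.trusted_issuers:
            return "deny: no trusted path to issuer"
        if card.cert_not_after <= self.now:
            return "deny: certificate expired"
        if card.cert_serial in self.revoked_serials:
            return "deny: certificate revoked (reported lost or stolen)"
        # Step 3: the head-end grants entry for the validated identity.
        return f"grant: {card.holder}"


# Constructed sample data (issuer name, serials and dates are invented).
ISSUER = "CN=Example Agency CA"
NOW = datetime(2013, 1, 7, tzinfo=timezone.utc)
GOOD_CARD = CardCredential("A. Reservist", _h("1234"), _h("FINGER-A"), "0x1A",
                           ISSUER, datetime(2015, 1, 7, tzinfo=timezone.utc))
REVOKED_CARD = CardCredential("B. Reservist", _h("5678"), _h("FINGER-B"), "0x2B",
                              ISSUER, datetime(2015, 1, 7, tzinfo=timezone.utc))
EXPIRED_CARD = CardCredential("C. Reservist", _h("9999"), _h("FINGER-C"), "0x3C",
                              ISSUER, datetime(2012, 12, 31, tzinfo=timezone.utc))
VALIDATOR = Validator({ISSUER}, {"0x2B"}, NOW)

if __name__ == "__main__":
    for card, pin in ((GOOD_CARD, "1234"), (REVOKED_CARD, "5678"), (EXPIRED_CARD, "9999")):
        print(VALIDATOR.validate(card, pin=pin))
```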

Getting users used to the new system was a bit of a challenge for some. Army Reserve personnel also had to get used to employing two and three factors for authentication. Having to learn this new process and remember a PIN proved to be a complicated adjustment for some who had been using the prior system for many years, says Garcia.

System administrators also had to get used to a new enrollment system with FICAM. The learning curve can cause a bottleneck in the short term but becomes easier over time, says Garcia. Likewise, a more complicated badge means a more involved badging system. In the old system, administrators could take a picture, issue a badge and hand it to the person.

FIPS 201 has more security requirements that administrators must abide by when issuing badges, says Garcia. “These challenges can all be addressed with training and repetition,” says Garcia. “And when compared to prior systems that run two wires to a reader and enroll a proximity card, the benefits and security are much greater.”

Audio from December 5 IAB meeting online now

Published Monday, December 10, 2012

Posted by FIPS 201 Administrator Mon, 10 Dec 2012 15:46:00 GMT

The December meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. The event was covered on site and, as a service to the IAB and the smart card community, an audio recording of the presentations has been provided. Click on the link below to access a list of audio and accompanying PowerPoint slides (in PDF format).

Government Smart Card Interagency Advisory Board (IAB) Meeting

  • Opening Remarks

    MP3: click here

  • The State Identity Credential and Access Management Guidance and Roadmap (SICAM)
    Chad Grant, NASCIO

    PDF: click here

    MP3: click here

  • PIV and PIV-I Use in Health IT Relying Party Systems
    Mike Magrath, Gemalto

    PDF: click here

    MP3: click here

  • Briefing on Draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices
    Andy Regenscheid, NIST

    PDF: click here

    MP3: click here

  • Cloud-Sourcing Public Key Enablement
    Jeff Nigriny, Certipath

    PDF: click here

    MP3: click here

  • Closing Remarks

Belkin smart card reader FIPS 201 certified

Published Friday, November 16, 2012

Posted by FIPS 201 Administrator Fri, 16 Nov 2012 15:41:00 GMT

Belkin Enterprise announced that its USB Smart Card and Common Access Card Reader is FIPS 201 compliant and listed on the GSA FIPS 201 Products List. Belkin’s USB Smart Card and CAC Reader is designed for government applications.

Offering a range of smart card compatibility, including Class A, B, C, the Belkin Smart Card Reader features a compact, tamper-resistant design for one-handed card insertion.

Designed to support smart cards meeting ISO 7816 standards, which include the Common Access Card and PIV, the Belkin Smart Card Reader has been built to assure high security for government applications. Its unibody enclosure works to eliminate entry points and prevent physical electronic tampering. All firmware is in ROM (read only memory) to assure no risk of alteration.

Suprema fingerprint live scanners receive FIPS 201 certification

Published Monday, November 05, 2012

Posted by FIPS 201 Administrator Mon, 05 Nov 2012 17:39:00 GMT

Biometric and identification specialists Suprema have announced that their latest fingerprint live scanner has been fully tested and has attained certification from the Federal Bureau of Investigation (FBI) for meeting FIPS 201 standards.

FIPS 201 certification imposes thorough requirements on the image quality of fingerprint capturing devices for authentication of government employees and contractors.

Three Suprema scanner models have attained FIPS 201 certification: the RealScan-G10, RealScan-D and RealScan-G1.

The RealScan-G10 is a ten-print live scanner that captures slaps, two thumbs and single flat/rolled fingerprint images. The RealScan-G10 also has FBI IQS Appendix F certification and features an IP54-rated durable structure.

The RealScan-D is also an FBI IQS Appendix F certified device, but is a portable live scanner, which captures dual fingerprint, single flat and rolled fingerprint images.

Rounding out the FIPS 201 certified devices is the RealScan-G1, the latest addition to the company’s line of fingerprint live scanners. The RealScan-G1 features a high-precision, durable optical structure, captures 500 dpi images, is IP54-rated and features a dust and waterproof structure.

Magicard’s Prima 4 certified by FIPS 201

Published Wednesday, October 24, 2012

Posted by FIPS 201 Administrator Wed, 24 Oct 2012 14:25:00 GMT

Ultra Electronics Card Systems, creator of the Magicard series of ID card printers, has announced that its Prima 4 reverse transfer printer has completed the U.S. General Services Administration (GSA) Evaluation for card printers.

Completion of the GSA evaluation means that the Prima 4 card printer will be added to the GSA Approved Product List (APL) for the FIPS 201 Specification. Magnetic stripe as well as a range of smart card encoding options are supported on the printer, producing both standard and customized holographic print options.

Reinforcing secure card issuance with a combination of inline and post-printing options, the Prima 4 uses ultra-violet images or text and can be outfitted with over-laminates for added durability and security. FIPS 201 compliance means that the printer solution can be used for secure issuance in any number of Federal, state or local agencies.

Published in the wake of Homeland Security Presidential Directive 12 (HSPD-12), which mandated a common ID credential for physical and logical access to Federal facilities and information systems, FIPS 201 outlines the identity testing, enrollment and issuance requirements for a common identity credential.

Ultra Electronics Card Systems has been producing its Magicard line of card printers for more than 18 years. The company offers solutions that are trusted and employed by hundreds of governmental agencies and private sector firms alike.
