FIPS 201 News
CoreStreet ready for DOD
CoreStreet announced that its PIVMAN product can now provide electronic authentication and validation of Common Access Cards for securing physical access to U.S. Department of Defense facilities worldwide.
The CoreStreet PIVMAN Solution encompasses software for handhelds and PCs, supports both mobile and fixed authentication stations, and includes a management station.
CoreStreet provides the critical Public Key Infrastructure certificate validation technology behind the DOD’s Robust Certificate Validation Service. The DOD implemented the CoreStreet Validation Authority as a solution for cost effective and scalable validation services for all 3.5 million service members and contractors.
With the CoreStreet PIVMAN Solution, DOD facilities can now perform electronic validation of identity and associated attributes, automatic updates when a connection is available, and capture of activity information for auditing purposes. Extending beyond the DOD, the CoreStreet PIVMAN Solution also enables validation of any federal, state or local credentials issued from FIPS 201 compliant or interoperable infrastructures, and of legacy credentials such as drivers’ licenses.
Applications that currently use this infrastructure include smart card logon, digitally signed email, access to secure web portals and authentication within web services architectures. The CoreStreet PIVMAN Solution provides the ability to extend the infrastructure supporting these logical access control functions to also support physical access control processes.
Bell ID added to GSA APL
Bell ID’s ANDiS4FIPS201 Card & Application Management solution has been placed on the GSA Approved Products List in recognition of its compliance with the FIPS 201: Electronic Personalization standard.
ANDiS4FIPS201 has been tested and approved as an electronic card personalization product which generates and loads mandatory and optional objects to a PIV Card, as defined by the National Institute of Standards and Technology.
Bell ID’s ANDiS4FIPS201 offers U.S. government agencies a card and application management system enabling them to manage the lifecycle of the card and the PIV application it holds. The ten different containers on the card are managed individually by ANDiS, enabling items with different lifecycles to be held on the same card. In addition, ANDiS4FIPS201 supports open source interfacing, which allows for swift and seamless integration with other components of the PIV card-issuing infrastructure.
NIST shows on-card fingerprint match is secure, speedy
Wireless match-on-card fingerprint trials have passed security and speed tests and barely missed, in two out of three instances, the accuracy tests, according to results released by the National Institute of Standards and Technology. Still, this match-on-card ID technology, designed for use in personal identification verification cards that many federal agencies must adopt this fall, does meet the agency’s standardized accuracy criteria, NIST reports.
The smart cards NIST tested (10 with a 128-byte-long key and seven using the more secure 256-byte key) passed the security and timing test using wireless data transmissions. On the accuracy side, one batch of cards met the criteria set by NIST and two others narrowly missed. More tests with additional cards are planned soon.
According to HSPD-12, most federal employees and contractors will be using federally approved PIV cards to authenticate their identity when seeking entrance to federal facilities. In 2006 NIST published a standard for the credentials that specifies that the cards store a digital representation of key features of the bearer’s fingerprints for biometric identification.
Currently, anyone entering a biometrically controlled access point inserts his or her PIV smart card into a slot and places his or her fingers on a scanner. The cardholder then enters a PIN that enables the fingerprint information to be read from the card, and the card reader matches the stored data against the scanned image of the cardholder’s fingerprints.
In the recent tests, NIST evaluated the match-on-card process in which biometric data from the fingerprint scanner is sent to the PIV smart card for matching by a processor chip embedded in the card. The stored data never leave the card. The advantage of this type of validation is that, if the card is lost or stolen, the fingerprint template on the card cannot be copied.
NIST sought answers to two questions: whether the smart cards’ electronic keys can keep the wireless data transmissions between the fingerprint reader and the cards secure and execute the match operation all within 2.5 seconds; and second, whether the match-on-card operation will produce as few false acceptance and false rejection decisions as traditional match-off-card schemes that require more computer power.
GAO: HSPD-12 progress made, but still a ways to go
The Government Accountability Office says the White House Office of Management and Budget needs to make some changes to how interoperable identification credentials are being deployed throughout the federal government.
Linda Koontz, director of Information Management Issues at the GAO, gave the recommendation during a hearing Wednesday on HSPD-12 in front of the U.S. House of Representatives Subcommittee on Government Management, Organization, and Procurement. The GAO says progress has been made with issuing ID cards to federal employees and contractors but there are still issues that need to be addressed.
“The eight agencies we reviewed—the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the Nuclear Regulatory Commission; and the National Aeronautics and Space Administration—had generally completed background checks on most of their employees and contractors and established basic infrastructure, such as purchasing card readers. However, none of the agencies met OMB’s goal of issuing PIV cards by October 27, 2007, to all employees and contractor personnel who had been with the agency for 15 years or less. In addition, for the limited number of cards that had been issued, agencies generally had not been using the electronic authentication capabilities on the cards and had not developed implementation plans for those authentication mechanisms.”
The GAO recommends:
- “OMB establish realistic milestones for full implementation of the infrastructure needed to best use the electronic authentication capabilities of PIV cards in agencies.
- “OMB require each agency to develop a risk-based, detailed plan for implementing electronic capabilities.
- “OMB require agencies to align the acquisition of PIV cards with plans for implementing the cards’ electronic authentication capabilities. In response, OMB stated that HSPD-12 aligns with other information security programs. While OMB’s statement is correct, it would be more economical for agencies to time the acquisition of PIV cards to coincide with the implementation of the technical infrastructure necessary for enabling electronic authentication techniques. This approach has not been encouraged by OMB, which instead measures agencies primarily on how many cards they issue.”
Datastrip partners with Codebench for PIV verification
Datastrip Inc., Exton, Pa., has partnered with Codebench Inc. to verify PIV, TWIC and FRAC identification cards as well as enroll cardholders into physical access control systems at government and military facilities. Datastrip will integrate Codebench’s software into its DSV2+TURBO handheld.
PIVCheck Mobile, the software from Boca Raton, Fla.-based Codebench, provides Ethernet, Wi-Fi and optional GSM connectivity for validating a cardholder’s PIN, fingerprint biometric and certificates. It validates certificates by sending Internet-based queries from the DSV2+TURBO to check them against an OCSP Responder, Certificate Authority or TSA Hot Lists.
PIVCheck Plus Mobile offers the same features and adds the ability for automated enrollment into compatible physical access control systems. Once an ID card is verified, the software transmits the card’s data wirelessly from the DSV2+TURBO to the access control system. Also available is PIVCheck Certificate Manager, which revalidates the imported card certificates on a periodic basis to ensure continued validity and can automatically suspend a PACS badge associated with a revoked certificate.
Audio from March 26 IAB meeting online now
The March meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington, D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. The presentations, with audio and accompanying PowerPoint slides (in PDF format), are listed below.
- Opening Remarks: Tim Baldridge, NASA (MP3)
- Credentialing Interoperability in DHS Programs: Tom Lockwood, DHS (PDF, MP3)
- Backend Attribute Exchange: Chris Louden (PDF, MP3)
- Results of Winter Blast Exercise: Craig Wilson, DHS/FEMA (PDF, MP3)
- Status of NASA HSPD-12 Implementation: Tim Baldridge, NASA (PDF, MP3)
- TWIC Update: Maurine Fanguy, TWIC PM (PDF, MP3)
- SP 800-116 Strategy for use of PIV Credentials in PACS: Bill MacGregor, NIST (PDF, MP3)
- Closing Remarks: Tim Baldridge, NASA (MP3)
Cherry Products receive FIPS 201 certification
Four of Cherry Electrical’s smart card reader products have been granted FIPS 201 certification by the U.S. government. As a result, U.S. federal agencies and contractors are now authorized to use applicable Cherry keyboards and stand-alone smart card readers for logical access control under the Homeland Security Presidential Directive 12.
HSPD-12 requires the use of a common identification credential for both logical and physical access to federally controlled facilities and information systems. In response, the National Institute of Standards and Technology (NIST) published FIPS 201 (Federal Information Processing Standard Publication 201), which specifies Personal Identity Verification (PIV) requirements for federal employees and contractors.
The applicable products are Cherry’s G83-6644 and G83-6744 keyboards with integrated smart card readers, its ST-1044U stand-alone smart card reader, and the SR-4044 PCMCIA smart card reader.
Survey: ID issues a concern
Thirty-seven percent of government I.T. officials don’t know when they will be compliant with government identity mandates, according to a survey commissioned by Quest Software Inc., Aliso Viejo, Calif. Another 35% think they will be compliant in the next two years.
The survey states that 69% of government I.T. professionals believe that identity management is “very important” to their organization or agency, and 72% of respondents believe its importance will increase in the next five years.
But funding is an obstacle. Half of respondents believe Congress should provide more funding to agencies to develop and implement identity management systems. Some 49% say it should require greater planning and collaboration among federal agencies and state and local governments. Forty-seven percent say that funding will increase over the next five years.
Other survey findings include:
• Fifty-nine percent of city, county and municipal government I.T. professionals are “very concerned” about compromised critical public infrastructure compared to 45% of federal officials or 38% of state officials;
• Some 56% of government I.T. professionals have either personally seen or heard about someone violating their organization or agency’s security protocols;
• National security is more of a priority for 53% of respondents even if Americans’ personal privacy is negatively impacted.
The survey, conducted by Pursuant Inc. in January, polled 474 respondents made up of U.S. federal, state, local and municipal government I.T. decision makers.
CoreStreet, Probaris participate in Winter Blast
Probaris Inc. will issue the identification cards to first responders and CoreStreet Ltd. will provide the devices to read them during the Winter Blast First Responder Authentication Credential usage demonstration, hosted by the Federal Emergency Management Agency, the Office of National Capital Region Coordination and the U.S. Department of Homeland Security. The event is taking place March 6.
The purpose of the exercise is to prove the capability to rapidly and electronically authenticate first responders at disaster scenes. The authentication process enables emergency response officials to validate the identity and qualifications of first response personnel. The validation of personnel qualifications includes an electronic check of an individual’s certifications, authorizations and privileges.
Participants include Temple University Hospital in Philadelphia, Crozer-Chester Medical Center in Chester, Pennsylvania, the George Washington University Hospital and the Department of Veterans Affairs Hospital, both in Washington DC.
Interoperable identity credentials for the Winter Blast demonstration are being issued using Probaris ID. The credentials are compliant with federal standard Federal Information Processing Standard (FIPS) 201 to remove the burdens associated with first responder identification and the lifecycle management of credentials.
The CoreStreet PIVMAN software for handheld devices and related backend servers will manage the credential validation and privilege attribution for nearly 200 participants of the Winter Blast demonstration.
ImageWare, GE Security partner
San Diego-based ImageWare Systems Inc. announced a three-year, royalty-based, worldwide OEM agreement with GE Security Inc., Bradenton, Fla.
With the partnership, GE Security may include ImageWare’s products for biometric identity management, logical access control and card management as a part of its identity management solution offerings.
GE Security’s identity management solutions are security platforms with PIV I & II FIPS 201 compliant capabilities that support the production of a credential based on federal government approved PIV II credential platform specifications.

