FIPS 201 News
GSA taps XTec for cloud-based physical access control
XTec Inc. announced that GSA Region 1 signed a 10-year licensing and maintenance contract for enterprise support of XTec’s cloud-based physical access control solution. The agreement continues GSA’s partnership with XTec, which provided GSA’s first cloud-based solution.
XTec’s AuthentX PACS solution has operated in a cloud environment for more than five years. The provider utilizes the NAP of the Americas Terremark facility, whose building features ensure safe storing and processing of sensitive information. Off-site hosting offers customers, particularly those with multi-facility and multi-tenant enterprises, flexibility.
GSA’s relationship with XTec precedes the advent of PIV credentials. In the years since XTec first provided smart card issuance for GSA, the provider has supported physical access control at multiple GSA federal buildings.
XTec’s cloud-based PACS solution is compliant with standards outlined by Federal Information Security Management Act, General Services Administration and the National Institute of Standards and Technology. In addition to GSA, the Department of State, Department of Defense, Department of Homeland Security, Environmental Protection Agency, Bureau of Prisons, National Science Foundation and Department of Labor also utilize XTec’s AuthentX PACS solution.
HID Global chosen supplier of card printer/encoders for U.S. Department of Defense

HID Global was selected by the U.S. Department of Defense as the main supplier of printer/encoders for its Common Access Card program. HID Global’s FARGO HDP5000-LC ID card Printer/Encoders will include customized enhancements to handle the government project requisites, and will feature customer support service.
The HDP5000 features a SmartScreen LCD Control Panel, an embedded OMNIKEY contactless encoder, standard USB and Ethernet connectivity, cartridge-based consumables and a dual-sided card printing option that removes the need to manually reload the cards.
The primary use for the printers will be the Defense Department’s Common Access Card program, which prints more than 3 million cards annually.
The FARGO HDP5000 has proven to be a simple, cost-effective and durable solution in the past as the Defense Department has been employing the use of HID’s High Definition Printing (HDP) for more than 10 years.
Contractors fear PIV-I gutted by current OMB regs

The idea behind HSPD-12 was to create a secure, interoperable credential to control physical access to facilities and logical access to networks for executive branch employees and contractors.
The directive was signed in 2004 and the FIPS 201 standard followed, along with accompanying guidance from the White House Office of Management and Budget. OMB Memorandum 05-24 was released in 2005 to provide implementation instructions for agencies deploying FIPS 201.
The memo requires an agency to issue a PIV credential to any contractor employed for more than six months. At the time this made sense. But since the emergence of the PIV-I standard, many government contractors began issuing credentials to their own employees.
Many in the contractor community want the OMB guidance amended so that contractors with PIV-I credentials could use them instead of having to receive a new ID. But some government officials disagree, citing differences between PIV and PIV-I credentials. The former requires an in-depth background check, and there are technical differences as well.
It is not a large technical hurdle to provision a PIV-I credential on a federal network after the background check is complete, says Nicholas Piazzola, senior director of Government Authentication Solutions in the VeriSign Authentication Group. Changes could be made once the background check is complete to provision the PIV-I on a government network, creating a compromise between the contractor and government positions.
OMB declined an interview for the story but responded to questions via email. “Agencies have not raised any concerns to OMB regarding the requirement to issue identity credentials to their employees and contractors who require routine, long-term access (6 months or more) to federally controlled facilities and/or information systems,” a spokesperson states.
But agencies aren’t happy and security has become an issue, says Steve Howard, vice president of credentials at CertiPath. The federal government doesn’t have a good track record when it comes to enforcing who is employed by its contracting companies.
A host of questions arise. Is Joe Smith still employed by an agency’s cleaning contractor? How would the relying agency enforce this relationship? How quickly can an agency issue a PIV to all employees of the cleaning contractor to ensure they comply with OMB M-05-24?
Many agencies report a three to six month window in issuing a PIV to contractors. And during this delayed issuance window, what happens if the PIV credential applicant leaves his employer? What is done to allow a cleaning contractor access pending receipt of a PIV? Are they always under temporary badge escort rules? And what happens when a contract ends and the contractor moves to a new contract, potentially at a new agency?
“PIV-I handles the contractor relationship more elegantly and at lower or no cost to the federal government … all the while reducing security risks to a relying agency,” says Howard.
The Federal PKI policies directly tie the employee receiving a PIV-I credential to the human resources database of that employer. If an employee is fired or leaves, the credential is revoked. It’s this revocation process that improves the security of the agency’s relying system.
It’s also a matter of who knows the employee better than the contractor, Howard explains, stressing that it’s more likely to be the employer than the contracting federal agency. “The ability for employer issued PIV-I credentials to form the basis of agency security decisions is critical to going forward with PIV technology,” says Howard. “This is a significant weakness in the view of OMB M-05-24 and the interpretation of HSPD-12.”
The problem that arises, especially when dealing with contractors such as cleaning crews, is that they may switch agencies frequently. This can lead to a contractor with multiple agency-issued PIV credentials. If a contract employee changes their relationship annually, they could easily have up to three PIV credentials, one issued by each of the contracting agencies.
On the other hand, the individual could be issued one PIV-I by their employer, obtain one background investigation associated with that single credential, and greatly increase security and efficiency for the federal government, Howard explains.
Yet OMB M-05-24 does not allow this behavior. The federal government continues to spend money to credential and re-credential contractors, increasing security risks to relying agencies.
“Private sector PIV-I credential holders will realize benefits from using credentials on a single identity badge,” says Gary Schneider, managing director and North America Public Sector Product head for Citi Transaction Services. “For all participants in the system it will save time, money and resources for their institutions. They will not have to issue or manage multiple badges for access to multiple locations as one federated credential can be used by all for access.”
There’s also the matter of the federal government enabling the PIV-I market to grow. Many companies have spent time and money to become certified to issue PIV-I credentials at the behest of the federal government. “The PIV-I market was created because the federal government asked for it,” says Bob Dulude, director of federal identity initiatives at HID Global. “A lot of time and resources went into creating a process as secure as PIV, and now the federal government is taking half of it away from us.”
Revised FIPS 201-2 released
Additions include derived credentials, adding photo to chip, more contactless functionality
Zack Martin, Editor, Avisian Publications
The revised draft of FIPS 201-2 has been released and several additions have been made from the March 2011 draft.
Some of the more significant changes include:
- Adding a mandatory facial image to the smart card
- Additional functionality of the contactless interface including optional biometric match on card
- Improved interoperability of the contactless interface by making the card authentication certificate and keys and other previously optional certificates and keys mandatory.
- Less reliance on the Cardholder Unique Identifier
- General movement away from visual inspection to electronic authentication
NIST went back and revised the draft due to the volume of comments on key issues. The most vocal concerns centered on the absence of a plan to use the PIV with mobile devices. NIST recognized this and included the concept of using derived credentials on mobile devices.
This derived credential has the PIV presented to a mobile device manager that then assigns a sub-credential to a device using a parent/child model. The derived credential would be placed on a secure element within the handset or tablet. Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary.
Derived credentials were mentioned in NIST’s Special Publication 800-63-1 which focuses on electronic authentication. But this prior mention of derived credentials was in a generic form and not specific to PIV.
There are also changes to the contactless interface on the horizon. Commenters wanted the contact application of the PIV to be available on the contactless portion as well. The revised draft introduces the concept of a virtual contact interface, over which all functionality of the PIV Card would be accessible.
Biometric changes
The revised draft calls for facial images to be stored on the chip, whereas previously they had been stored on the backend databases and only printed on the card. Security guards can add to the security of the credential by checking the image on it as well as the one stored in it to make sure it’s the same individual. The credential will store two fingerprint templates for off-card comparison and optionally store two iris templates and two fingerprint templates for on-card matching.
Other changes on the authentication front include less reliance on visual inspection and on the cardholder unique identifier from the card. The revised draft acknowledges that the visual inspection and the CHUID authentication mechanisms provide little or no identity assurance of the cardholder.
The draft also proposes use of the Unique Universal Identifier, which had not been the case previously. The PIV must also contain PIV authentication data and card authentication data, each of which includes an asymmetric key pair and corresponding certificates.
If the applicant already has a federal government email address the credential will also have an asymmetric key pair and corresponding certificate for digital signatures and another for key management.
Other optional keys include a symmetric card authentication key for supporting physical access applications and a symmetric PIV Card Application Administration key associated with the card management system.
NIST will hold a public workshop on Revised Draft FIPS 201-2 on July 25 at NIST in Gaithersburg, Md.
Lumenera/Tamron camera receives FIPS 201 certification
The Canadian company Lumenera and Japanese firm Tamron have partnered to create a new camera that has now received the FIPS 201 certification to meet specifications for PIV requirements for facial image capturing systems.
The Lu375C camera is a USB 2.0, 3.1MP color camera. Its digital interface provides uncompressed images in still image captures. It can also capture live streaming video. It features 2048x1536 resolution with on-board processing.
The camera comes equipped with Tamron’s M12VM412 CCTV lens. The lens has a focal length of 4-12 mm. Its f/1.4-close aperture provides images in low-light conditions. It has a focus range of 0.3 m, manual iris, zoom and focus with lock and in air back focus of 9.05 mm to 18.90 mm. The lens surface is multi-coated to reduce ghosting and flare in backlit conditions.
The joint product is being geared toward companies needing images for industrial and security applications.
Thursby adds Mountain Lion compatibility to PKard
Thursby Software Systems, Inc. has expanded the Mac compatibility of its PKard smart card with its PKard for Mac v. 1.2. This version integrates the smart card with Apple OS X 10.8 Mountain Lion.
PKard for Mac provides smart card access to secure websites, Web VPN and secure Apple mail for the bring-your-own-device (BYOD) market. Its two-factor authentication meets the standards of the U.S. Department of Defense, federal and corporate Mac users for CAC, PIV, PIV-I or CIV uses.
The new update is currently available on the market. It’s free to all existing customers and costs $29.95 for those who need support for Mountain Lion. Thursby is also still supporting Mac’s Lion and Snow Leopard releases.
Audio from June 27 IAB meeting online now
The June meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in pdf format).
Government Smart Card Interagency Advisory Board (IAB) Meeting
Opening Remarks
Tim Baldridge, IAB Chair
Physical Access Control / Logical Access Control Interoperability Proof-of-Concept Demo Outcome
Karyn Higa-Smith, DHS S&T and others
Discussion on the July 25th Workshop at NIST that Introduces and Discusses the Revised Draft FIPS 201-2
Hildegard Ferraiolo, NIST
Smart Card Alliance Update
Randy Vanderhoof, SCA
TSCP Common Operating Rules: Interoperability Governance
Keith Ward, TSCP
Closing Remarks
Tim Baldridge, IAB Chair
U.S. Army Reserve Command deploying Monitor Dynamics access control system
The U.S. Army Reserve Command has implemented Monitor Dynamics’ FICAM Platform to achieve FIPS-201 compliance with its physical access control systems. As per OMB M11-11, each Army Reserve command facility will be required to implement technology such as the Trusted FICAM Platform to achieve FIPS-201 certification.
The U.S. Army Reserve Command commands, controls, and supports all Army Reserve troop units in the continental U.S. It also ensures the readiness of its forces and prepares the nearly 1,700 units under its command to mobilize and deploy to a wartime theater of operation.
The Trusted FICAM Platform achieved certification by CertiPath and is on the Certified Products List. MonDyn provides FIPS-201 training and site certification for each location through its CertiPath Certified affiliation. The Platform delivers PKI @ the Reader and is validated across the Federal Bridge for PIV-I credential verification. The Trusted FICAM Platform is the first PACS system which allows all PIV-I credentials to successfully operate and communicate with each other securely.
The Trusted FICAM Platform has been successfully implemented and is currently reading PIV-I and CAC credentials across numerous U.S. Army Reserve Command locations throughout the nation. The platform has delivered convergence capabilities to the command for both physical and logical access to facilities and computer networks.
Physical access control goes to the cloud
Government and enterprises want centralized security management
Zack Martin, Editor, Avisian Publications
Mike Leete doesn’t like computer servers. The General Services Administration’s project manager at the Neil Smith Federal Building in Des Moines, Iowa doesn’t care for the resources it takes to operate and maintain a server room.
So when the 10-story, 40,000 square-foot building needed to update its physical access control system he sought options that would relieve the need for him to maintain servers. “If you have a server farm somewhere else that I can put one in, it’s an advantage for me,” Leete explains, adding that tech support for servers has always been problematic.
The solution? Take it to the cloud.
The Neil Smith Federal Building may be among the first federal buildings to deploy a cloud-based physical access control system, but it certainly won’t be the last. Moving physical access to a centralized server that can communicate with multiple agencies or office locations is a trend many industry insiders are seeing.
While this may not be the public cloud that consumers are used to hearing about, government agencies and enterprises are migrating systems to private clouds, linking various locations via servers held in centralized, remote data centers.
Organizations are also moving away from proprietary physical access control technology to systems that use open standards. The U.S. government’s FIPS 201 specification is a driver for these standards-based systems, explains John Piccininni, vice president of business development at the Identive Group. “Access control systems have been highly-proprietary, but we’re moving away from that to open-source environments,” he adds.
The U.S. government is facilitating this move to standards-based, enterprise systems, says Kevin Kozlowski, vice president at Xtec. The White House Office of Management and Budget Memorandum M-11-11 mandates that federal agencies start using issued PIV badges for logical and physical access. Additionally, the growing availability of FIPS 201-based physical access systems is offering another option for enterprises seeking standardized solutions.
In Des Moines the switch to the new physical access system was facilitated by both M-11-11 and the need to update an existing system that was 10-years-old, Leete says. GSA officials at the building discussed it for almost a year before deciding they wanted a physical access system that would be remotely hosted.
Leete found such a system from BridgePoint Systems. However, the company’s solution had not been certified by the GSA for use in federal buildings or on the GSA network.
BridgePoint worked with the GSA to get approval for the system, says Tom Corder, president and CEO at the company. The system went through vulnerability testing and was approved for use on the GSA network. “In the true world of cloud, it will never truly be Software as a Service, you have to have some hardware where you do enrollment,” he explains. But it met Leete’s desire to minimize server deployment.
The system is run on a GSA server in Kansas City, Mo. The system can issue new PIV credentials and can also enroll existing credentials into the local system, Corder says. Once enrollment is complete, the data goes to the cloud and privileges for access are downloaded to the building’s network of controllers and door readers. BridgePoint enrolls the signature from the PKI certificate on the credential, and during authentication verifies that enrolled certificate with the one on the presented card.
Before the system could be installed all 800 employees and 100 contractors working in the building had to be enrolled, Leete says. That started with many finally receiving their initial PIV credential. “Every agency was different, some had PIV cards, some had never gotten them and few were actually using them,” he says.
If employees already had a PIV card, enrolling in the system consisted of entering their PIN, phone number and agency. For employees that knew their PIN, the process took just 90 seconds. “Almost all had to have PIN resets,” explains Leete, a process that added time and complexity.
Deploying hardware
Once the user base was enrolled in the local system, the larger solution could be deployed. A new head controller had to be installed along with networking for that piece of hardware to the security office. Other than that, the existing wiring infrastructure was able to work with the new system. For the new smart card readers (contact, contactless and PIN pads), BridgePoint made a special plug to connect the new readers to the existing wiring, Leete says.
The installation was done over two weeks, Leete says. The physical access control system required installation of 23 readers on parking gates, elevator controls and automated doors. “We did the elevators first to make sure we didn’t have any unforeseen problems,” he adds. All the work was done in the evening after normal work hours so employees weren’t inconvenienced.
Employees typically just use the contactless interface on the card for access to the elevators and other areas, Leete says. There are contact readers and PIN pads as well that can be used in situations requiring heightened security. Perimeter doors are equipped to read the chip’s contact interface and require a PIN for access outside normal business hours.
Issuance and enrollment challenges
Deploying and using the system was relatively easy, but communicating and coordinating with all 45 agencies was a more difficult task, Leete says. Simply obtaining the lists of individuals who had to be issued PIV credentials and enrolled in the system took a lot of time.
The first day the new system was turned on there were 50 people who still hadn’t come in to enroll in the local physical access system. Others had neglected to turn in old badges. “We had to tell the public service officers not to let people in with old badges,” Leete adds.
The building also houses offices for two senators whose staffs are not eligible to receive PIV credentials. HSPD-12 only mandates PIV credentials for executive branch employees and the senate staffers are legislative employees. For these individuals, Leete and his team created a different credential that would work with the new system.
While the Neil Smith building is the first GSA facility to deploy the cloud-based system, it’s open to others. “Any of those GSA buildings in the Kansas City region can basically jump on our system, and they can do it at a lower cost,” says Corder. “And they don’t have to bid out or evaluate other systems.”
The local building would need only purchase an enrollment system and the proper controllers, and could have it up and running easily, Corder says. BridgePoint is fielding questions from other government agencies on the cloud-based system but has no other federal deployments.
Since the cloud-based system was deployed last summer, there have been only a couple of problems when there was server maintenance at the Kansas City facility, Leete says. Those issues have since been remedied.
Corporate enterprise finds value too
Corporations are also recognizing benefits that come from migrating separate systems for multiple locations to a single managed service solution. “They want one offering that is more robust,” says Dave Adams, senior director of Product Marketing for HID Global. “They don’t want the physical access control server to sit in a closet somewhere with one person in the control.”
The move to a cloud-based solution is in concert with the emergence of near field communication for physical access too, Adams says. “In the future our ability to connect a trusted source to that cloud-based system and deliver identities directly to a handset will reconfigure how physical access systems work,” he says.
Brivo Systems is also seeing corporate clients wanting to move physical access control to the cloud, says John Szczygal, executive vice president at the company. “On the enterprise side, corporations want to get away from their own personal investments and leverage another infrastructure,” he adds.
Physical access from the cloud can be as simple as installing a panel, and a new system can be installed overnight, says Szczygal.
From proprietary to standards based
Besides cloud-based physical access systems, the other trend is the move from proprietary technology to standards-based systems. One of the drivers behind this is FIPS 201 and federal officials using PIV credentials for physical access control, says Szczygal.
The GSA manages many federal buildings–like the Neil Smith Building–that house multiple agencies. The GSA operates the perimeter security for these buildings but then the agencies typically have their own security within. This often led to buildings having multiple physical access control systems, Szczygal says. “The typical federal building would have 15 to 30 different access control systems and many different types of credentials,” he adds.
Issuing PIV credentials has helped because the credentials use the same standard and appearance but agencies are still deploying different physical access control systems, Szczygal says. This is starting to change.
When corporate enterprises are looking to upgrade their physical access systems, Brivo encourages them to look at the Federal Identity, Credential and Access Road map for guidance and FIPS 201 as well, Szczygal says. “It provides an excellent framework, a great process for credential issuance and it also considers the lifecycle of the credentials … something that is lacking elsewhere,” he says.
Standardized technology increases end user options. “Multiple vendors can provide technology and the flexibility to add other applications,” Piccininni says.
This is a change for the physical access control vendors, says Xtec’s Kozlowski. “Legacy physical access control systems are based on secrets,” he says. “New systems are moving into a standard environment not based on secrets but sound, robust security.”
These new systems are also breaking down the barrier between security personnel and IT staff, Kozlowski explains. The two departments haven’t communicated, but since physical access systems are starting to run on the same network this is changing. “Now that they’re utilizing a common infrastructure they need to work together,” he says.
The white whale for physical access control vendors is a converged credential, one that is used for both physical and logical access. Convergence has been discussed for many years, and while FIPS 201 is a converged credential few use it for both purposes.
In the corporate world the use is even less, but some are taking smaller steps to convergence that take advantage of network-based physical access systems, Piccininni says. He points to the IF-MAP protocol, which publishes access control logs to a server. Other servers can subscribe to that log and restrict access based on events. For example, if an individual tries to log in to the network from inside the building and they haven’t swiped in via the physical access system, they won’t be allowed to access network resources.
The next step is to use that same credential to log in to the network, but even taking this one step can reduce potential intrusions. “This has cut down some hack attempts by half,” Piccininni says.
With networks increasingly becoming the target of hackers it goes beyond good public relations to increase the security of the logical assets as well as the physical, says Szczygal. “Corporations are taking the credential a lot more seriously,” he adds.
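The badge-in/login correlation Piccininni describes above, sketched as an added example; it is not code from the article or from any vendor named in it. It models the publish/subscribe logic in-process rather than speaking the IF-MAP wire format, and it goes beyond the single case in the text by also handling badge-out, denied swipes and stale entries. The event field names, the sample events and the 12-hour staleness window are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: a badge-in older than this no longer proves presence
# (covers people who left without badging out).
MAX_PRESENCE = timedelta(hours=12)

# Constructed sample data. Field names are assumptions for this example,
# not the IF-MAP schema or any product's log format.
PACS_EVENTS = [
    {"time": "2012-07-08T07:55:00", "user": "cdoe", "direction": "in", "granted": True},
    {"time": "2012-07-09T08:02:11", "user": "asmith", "direction": "in", "granted": True},
    {"time": "2012-07-09T08:05:40", "user": "bjones", "direction": "in", "granted": False},
    {"time": "2012-07-09T12:01:03", "user": "asmith", "direction": "out", "granted": True},
]
LOGIN_REQUESTS = [
    {"time": "2012-07-09T08:10:00", "user": "bjones", "internal": True},
    {"time": "2012-07-09T09:00:00", "user": "cdoe", "internal": True},
    {"time": "2012-07-09T09:20:00", "user": "dlee", "internal": False},
    {"time": "2012-07-09T09:30:00", "user": "asmith", "internal": True},
    {"time": "2012-07-09T12:30:00", "user": "asmith", "internal": True},
]


def parse(ts):
    return datetime.fromisoformat(ts)


class PresenceMap:
    """Subscriber-side state built from published physical access events."""

    def __init__(self, max_presence=MAX_PRESENCE):
        self.max_presence = max_presence
        self._inside = {}  # user -> time of the last granted badge-in

    def publish(self, event):
        # A denied swipe proves nothing about presence, so ignore it.
        if not event["granted"]:
            return
        if event["direction"] == "in":
            self._inside[event["user"]] = parse(event["time"])
        elif event["direction"] == "out":
            self._inside.pop(event["user"], None)

    def decide(self, login):
        """Return (verdict, reason) for one network login request."""
        if not login["internal"]:
            # The rule only covers logins that claim to come from inside
            # the building; remote access needs its own policy.
            return ("not_applicable", "login does not originate inside the building")
        entered = self._inside.get(login["user"])
        if entered is None:
            return ("deny", "no granted badge-in on record")
        if parse(login["time"]) - entered > self.max_presence:
            return ("deny", "badge-in is older than the presence window")
        return ("allow", "badged in at " + entered.isoformat())


def replay(events, logins, presence=None):
    """Merge both streams by time and decide each login in order."""
    presence = presence or PresenceMap()
    # Kind 0 sorts before kind 1, so an access event with the same
    # timestamp as a login is applied before the login is decided.
    timeline = [(parse(e["time"]), 0, e) for e in events]
    timeline += [(parse(l["time"]), 1, l) for l in logins]
    results = []
    for _, kind, item in sorted(timeline, key=lambda t: (t[0], t[1])):
        if kind == 0:
            presence.publish(item)
        else:
            verdict, reason = presence.decide(item)
            results.append((item["user"], item["time"], verdict, reason))
    return results


if __name__ == "__main__":
    for user, when, verdict, reason in replay(PACS_EVENTS, LOGIN_REQUESTS):
        print(f"{when} {user:7} {verdict:14} {reason}")
```

Denied internal logins are also worth alerting on, since each one means either a tailgated entry or a credential used by someone who is not in the building.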
Enterprise physical access at Denver school
Prior to 1999 Laradon, a Denver-based school for children and adults with developmental disabilities, didn’t have any physical access control system on its 15-building campus.
“The buildings were just open and people could come and go as they please,” says Annie Green, deputy director at Laradon. Established in the late 1940s, Laradon is a charitable organization in the Rocky Mountain region offering support, education, and training to children with developmental disabilities. Today, Laradon offers 12 different programs to more than 600 children and adults at their eight-acre campus in northwest Denver.
After school shootings at Columbine and other locations, Laradon rethought this open policy. Initially it started checking in everyone who entered the campus but then another shooting at a nearby recreation center caused the school to further tighten security.
In 2007 officials decided to deploy a cloud-based physical access control system that uses contactless smart cards, Green says. The school now has access control readers on 15 interior doors and three entrance gates to the campus. Key-Rite Security was the systems integrator for the project that uses technology from Brivo Systems.
The system gave Laradon a Web interface so that the 200 employees could be categorized and provided appropriate levels of access, Green says. For example, all the directors have 24-hour access while managers and teachers are only given access depending on when they’re scheduled to work. Access can also be changed via the Web interface so if someone forgets something in a classroom they can be given a temporary window of access to retrieve the item.
The system also enables officials to monitor contract work done on the premises. “We recently had some electrical and heat system work done and we programmed Brivo to provide the workers a three-hour window in only that building, and we could monitor how long they actually worked,” Green says.
Enabling smart cards on Apple devices

U.S. agencies test app, hardware
By Denise Trowbridge, contributing editor, Avisian Publications
Federal employees wanting to access secure government Web sites on mobile devices don’t have it easy to begin with, but make it an Apple iOS device and it gets more complicated.
Thursby Software Systems, while already making it easier to use smart cards on Apple computers, has also launched a new smart card app and reader combination that enables government employees to access secure federal sites from their iPhones and iPads.
“We saw there was a need for Apple users to get their smart cards working without being rocket scientists,” says Paul Nelson, Thursby’s chief technology officer. “This is the first product that addresses individual users of iPads and iPhones with the built-in security as if it were a military product.”
Last September, Thursby released PKard for Mac v1.1 to enable federal and private sector employees to use their U.S. Defense Department Common Access Cards and PIV cards to access secure Web sites, Web VPN and secure mail using Apple desktops and laptops.
The software automatically links popular Web sites with the security certificates needed to access them, and eliminates the work-arounds typically required to use Macs in primarily Windows-based environments, such as virtualized Windows or thumb drives, Nelson says.
The newly released PKard Reader app V1 takes those features mobile. The app creates a secure browser connection for iPads and iPhones and with a smart card reader enables federal employees to use their credentials to access secure federal Web portals and Web sites. It’s designed for use with mobile devices operating at iOS 5 or higher. It can be used with smart card readers including the baiMobile 3000 MP encrypted Bluetooth reader, the Precise Biometrics Tactivo card and fingerprint reader or Thursby’s PKard reader.
The PKard Suite combines the app with Thursby’s proprietary PKard smart card reader, which plugs directly into the 30-pin connector on an iPhone, iPad, or iPod touch. The PKard reader is a little square device that fits into a pocket easily, and all a user has to do is plug it into the phone, Nelson says.
Apple approved the app in April so it’s in the process of rolling out to users. Prior to this, however, Thursby had 88 beta-testers in government agencies such as the Department of Defense, Department of Homeland Security, the Transportation Security Administration and the Federal Aviation Administration. “They have helped us work out the bugs,” Nelson says.
Michael Danberry, chief of Network Operations at MI Readiness Command in Belvoir, Va., and author of the troubleshooting site http://www.MilitaryCac.com, was one of the beta-testers. “The government has made a lot of movement toward everything being through public key infrastructure. They’ve pushed us in that direction but haven’t given us a lot of tools to make it all work,” he says.
According to Danberry, Thursby’s PKard Suite is the only product he has found that enables use of CAC cards with iPhones and iPads that is easy to use and affordable.
An equivalent product is on the market: the baiMobile Bluetooth smart card reader, which costs $289, plus $57.80 each year for service. “The cost really limits how many people you can give the technology to,” Danberry says.
Danberry and his colleagues are “looking for ways to access services easily, using the personal technology they like the most,” namely their iPhones and iPads, he says. “People want these card readers and want them now, and they are willing to pay $150 to get it.”
Product features
Features of the mobile app include a secure reset feature, which clears the browser history “so there is no trace of anything left in the app,” Nelson says. It provides the ability to sign and encrypt email, a requirement for government employees. The PKard Suite can be integrated with Google Apps so an individual can use the smart card to log in and do their work there.
The PKard Mac app is free through iTunes, but Thursby is selling the PKard suite with Thursby’s card reader for $149.95. The company hopes to drive the price down to about $75 by next year, Nelson says. “It’s just a question of increasing the manufacturing capacity.”
A $75 price point would position the product in the sweet spot for the target audience of individual users. “We want to get the product in the hands of individuals first, before trying to work with government agencies,” Nelson says.
He envisions military reservists using the suite to access Web portals they already use for online training and to update time cards. “There is a lot of opportunity there, because there are quite a few people who have these credentials,” he says.
And although individuals in the federal government will be the primary users, the company hopes it will be adopted for first-responder use by state and local governments as well. The app could allow emergency personnel at a disaster site to verify the identities and qualifications of other workers, Nelson says.
With mobile smart card readers, federal employees can access work-related services such as Outlook email, the Department of Defense travel system and reimbursement filing systems. The pay system as well as personal official military records are all “smart card enabled and there is more and more stuff coming online all the time,” Danberry says. For federal employees, “it’s not just about security, but also about being able to use and access your information in multiple places.”
Thursby’s PKard app draws on many of the features of the company’s other products. The company has been making software to help Mac computers integrate seamlessly into primarily Windows-based systems in government and enterprise since 1986.

