Understanding the product approval process for FIPS 201
21 September, 2007
A guide for both product developers and compliant card issuers
By Chris Corum, Executive Editor
If you are confused about what products you can and cannot buy for a FIPS 201 implementation, you are not alone. Both buyers and sellers of identity products are often found scratching their heads due to seemingly missing categories of products and sometimes confusing category names.
But in reality, it is an organized and defined process that has moved almost 300 products and services through a complex certification in just more than one year … not an easy task.
Talk to buyers and you will hear questions like this:
- I need certain piece of hardware or software but I can’t find a category for it in the Approved Products List (APL). Does that mean I can’t buy it or can I pick anything I want?
- I already have a bunch of card printers but the model is not listed on the APL. Are my existing products ‘grandfathered’ in or am I supposed to throw them away?
- If a product is listed on the APL can I buy it direct from the company or do I have to go through the GSA schedule or some other source?
Talk to vendors and you will hear questions like:
- There isn’t a category for my product. Can I request that one be added?
- My product fits in a number of categories but there is not one for that covers its total functionality. Should I go for approval in all the sub-categories or wait for a new category to be created?
- What is the difference between the GSA APL and SIN 132-62?
How did we get to this point?
A quick review … President Bush issued Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, in August 2004. To meet the requirement for a secure interoperable credential, the National Institute for Standards and Technology (NIST) created the Federal Information Processing Standard 201 (FIPS 201).
In OMB Memorandum M-05-24, the Office of Management and Budget (OMB) required that agencies purchase only federally approved products and services for implementation of HSPD-12. Thus, a means to approve products and services was necessary.
Because the General Services Administration (GSA) is responsible for acquisition of products by federal agencies, the GSA developed the FIPS 201 Evaluation Program. Understandably, the specific requirements prescribed in FIPS 201 and its special publications differ among the array of product and services, so categories were required. This effort led to the GSA Approved Product List (APL) for FIPS 201–a comprehensive list of products and services that have been determined to be compliant with FIPS 201.
In addition to the FIPS 201 Evaluation Program, three other compliance processes exist for PIV products.
NIST established a compliance testing effort called the NIST Personal Identity Verification Program (NPIVP) to, “validate the compliance/conformance of two PIV components–PIV middleware and PIV card application with the specifications in NIST SP 800-73-1.” NIST relies upon NVLAP accredited test labs to certify middleware and applications submitted for consideration.
The Minutiae Interoperability Exchange Test (MINEX) is a NIST effort to establish compliance for template generators and template matchers.
Certification of Single Fingerprint Devices against the Federal Bureau of Investigation’s (FBI) Integrated Automated Fingerprint Identification System (IAFIS) Image Quality Specifications (IQS).
Understanding the APL process
What must a company do to get a product approved for listing on the GSA APL? There is no better source to answer this question than Nabil Ghadiali, Technical Director, Information Assurance, Electrosoft and the Technical Lead for the GSA FIPS 201 Evaluation Program. Electrosoft, a 15-person information security company based in Virginia, is contracted by the GSA to provide technical support for the FIPS 201 Evaluation Program and serve as the gatekeepers–so to speak–for the APL.
The process begins online with the Evaluation Program Web Tool. “When vendor wants to submit a product,” says Mr. Ghadiali, “they fill in a login request form, send it to us (Electrosoft), then we send them a user ID and password.”
With each category there is a separate set of required documentation that must be submitted, and for some categories, the actual product may need to be submitted for testing as well (e.g. PIV Card, Card Readers).
Via the web tool, Lab staff monitor the new application submission and can track the documents to see what has been submitted and what is missing. “There is a timeline,” explains Mr. Ghadiali, “within 10 days after creating the application, you must start to submit the documents and (once started) 5 days to complete the submission.”
If the dates are not met, the application is rejected. This timeline was created to stop vendors from creating an application until their product or service was ready for evaluation.
“To this point we have only looked at documentation to see that it is physically there,” adds Mr. Ghadiali. “Once it is complete, it moves to ‘evaluation in progress’ status and the lab begins its work.”
There are different steps during the process (e.g. vendor documentation review begin, vendor documentation review complete, evaluation complete, evaluation report complete, awaiting government approval authorization) and the vendor can monitor these status changes via the web tool having visibility in the progress of their application through the evaluation.
When the Lab finishes the evaluation, a final report is written and sent to GSA FIPS 201 EP program manager, for review and final approval authorization. If the product is approved, it is added to the APL.
If the product is found to be non-conformant, the vendor is notified and the product is not listed. “The vendor can then request a non-conformance review to demonstrate how their product meets the requirements,” says Mr. Ghadiali, “basically an appeal and review process.”
If a product that was found non-conformant, is modified and released as a new version, it can be resubmitted but the process must begin anew. It does tend to go more quickly the next time, suggests Mr. Ghadiali, because of the understanding gained in the initial review.
How many products are under review and what are the costs?
“On a weekly basis we may have between 5 and 10 applications (added to the web tool),” suggested Mr. Ghadiali, though he stressed this is only an estimate.
“We saw 70 or 80 in the weeks prior to April (2007),” he added, alluding to the cutoff date after which the fees for evaluations were to be borne on a cost-reimbursable basis by the vendor.
Just how much an evaluation will cost depends on the category. Because the scope of the tests required to confirm or deny conformance differs by product, so too does the price. “Some evaluations–like graphical personalization service–require site visits,” notes Mr. Ghadiali. “A cryptographic module (on the other hand) may be fairly easy as the vendor already has their FIPS 140-2 validation from NIST.”
Now that multiple Labs will be certified to perform evaluations, the fees will be market driven. Mr. Ghadiali suggested that the simplest evaluation might cost anywhere from a few hundred dollars to a maximum fee of about a few thousand dollars. He stressed that vendors should contact the Labs to determine the fee each would charge prior to making a decision on which Lab to go with.
The new lab structure
Until April 2007, only one Lab was approved to test products for the APL. The contract for this testing service had been awarded to Electrosoft and the company subcontracted the work to Atlan Labs. Since then the Evaluation Program has developed requirements for Lab Qualifications in order to enable other Labs to participate.
Electrosoft has moved into its new role staffing the Evaluation Program Management Office. Says Mr. Ghadiali, “we, along with April Giles the GSA Evaluation Program Chief Architect, make sure the Evaluation Program stays current with the requirements as NIST makes revisions to their documentation and all the Labs have the documents and tools they need … we oversee the Labs.”
Based on the GSA Lab qualifications requirements, Atlan Labs continues its testing functions as an approved lab without the involvement of Electrosoft.
To make the list, a lab must be a part of the NIST Voluntary Laboratory Accreditation Program (NVLAP). The program, according to NIST, “accredits public and private labs based on evaluation of their technical qualifications and competence to carry out specific calibrations or tests.”
Because the NVLAP certifies all types of test labs, only those approved for Cryptographic Module Testing (CMT) are eligible for the FIPS 201 Evaluation program as the skills required for testing have been deemed most closely related. The CMT labs test crypto products for compliance with FIPS 140 standards. Currently, there are 14 labs with CMT status.
Validation of the PIV card application and PIV middleware via the NPIVP comes next. Ten of the 14 CMT Labs have been approved as NPIVP Labs to date. Finally, these Labs must have the GSA test methods added to their qualifications. With all these criteria met, the Lab can apply to GSA for inclusion as an Evaluation Lab within the FIPS 201 Evaluation Program.
To date, only InfoGard has joined Atlan as an approved lab but more are expected soon. “As I understand there are a few Labs that have GSA test methods under their belt so they could apply to GSA,” suggests Mr. Ghadiali.
How were the categories selected?
As suggested in the opening of this piece, a great deal of confusion continues to surround the APL. Much of it centers around products that are necessary for a FIPS 201 ID implementation but are not seemingly covered by a category on the APL. Vendors question how they can get their products approved and issuers question how they can obtain these unlisted products.
Many of these concerns are alleviated by a single explanation. As Mr. Ghadiali explains, the categories on the APL were not ‘selected,’ rather they simply fell out of the actual FIPS 201 Standard. “We read the Standard and made a category when a specific requirement for a product or service was mandated … No requirements, no category.”
“We aren’t in the business of making new requirements,” he explains, “only testing those established by the Standard.” Thus it is unlikely that new categories will be added to the APL, at least until a revision is made to FIPS 201.
A caveat to that is that when it was deemed necessary from a security point of view, the FIPS 201 Evaluation Program did add specific security related requirements (e.g. addition of security controls around the storage of printed PIV Cards). This caveat applies primarily in the case of Service categories.
Here is an example that may help explain it in concrete terms. Obviously, to issue a FIPS 201 compliant credential a printer ribbon must be used in the ID card printer. Yet there is no category on the APL for printer ribbons. Does this mean that agencies cannot buy a printer ribbon? Obviously not. It simply means that the FIPS 201 documentation did not deem it necessary to create specific requirements for ribbons. So an agency is free to buy any printer ribbon they deem appropriate for their needs.
“If there is a product that is applies within the context of PIV, but there are no requirements,” concludes Mr. Ghadiali, “they (the vendor) need not submit.” And agencies are free to buy any product they require. The only stipulation is that if a category exists for the product, they must choose from the APL.
Buying APL products
To facilitate purchase of PIV-related products, the GSA established a dedicated category under Schedule 70 (the information technology purchasing schedule) called Special Item Number 132-62 (SIN 132-62). According to the GSA, the category is, “for products and services for agencies to implement the requirements of HSPD-12, FIPS-201 and associated National Institute of Standards and Technology special publications.”
The components specified under SIN 132-62 are:
- PIV enrollment and registration services
- PIV systems infrastructure
- PIV card management and production services
- PIV card finalization services
- Physical-access control products and services
- Logical-access control products and services
- PIV system integration services
- Approved FIPS-201-compliant products and services.
Only products on the APL can be offered through SIN 132-62, however non-approved integrated solutions may be offered by system integrators qualified by GSA and listed on SIN 13-62 as well. The requirement, however, is that these solution providers must commit to delivering only APL products.
If the product is not listed on SIN 132-62 but is listed on the APL, it can be procured through another Schedule that it might be on or via the open market.
Clearing up the confusion
At the outset of this article, a series of commonly heard questions from both vendors and buyers of FIPS 201 products and services was presented. To conclude, these questions are directly answered based on the information presented in the article.
I need certain piece of hardware or software but I can’t find a category for it in the Approved Products List (APL). Does that mean I can’t buy it or can I pick anything I want?
Yes, if there is no category for a specific product an agency is free to select the product that best meets the identified need.
I already have a bunch of card printers but the model is not listed on the APL. Are my existing products ‘grandfathered’ in or am I supposed to throw them away?
If an existing product is not listed on the APL, it hasn’t been evaluated or approved by the FIPS 201 Evaluation Program. Agencies that choose to use such products may therefore be in non-compliance with the standard.
If a product is listed on the APL can I buy it direct from the company or do I have to go through the GSA schedule or some other source?
Products can be purchased from the GSA schedule or can be procured on the open market. Schedule 70, SIN 132-62 covers PIV-related items however there is not mandate that agencies acquire all components from this source.
There isn’t a category for my product. Can I request that one be added?
No. Because the categories were pulled directly from the FIPS 201 specification, only those products that had specific, written requirements need to be approved. If there is not a category for your product, agencies are free to buy it if desired.
My product fits in a number of categories but there is not one for that covers its total functionality. Should I go for approval in all the sub-categories or wait for a new category to be created?
New categories will not be added unless future revisions to the FIPS 201 specification merit additions. If you would like to have your product on the list, it can be submitted for approval if it meets the category description as documented within that particular Approval Procedure. Products that fall under multiple categories will need to be submitted for evaluation under each category separately.
For example, a multi-technology reader that can read the Card Holder Unique ID Number (CHUID) from both contact and contactless cards could be approved in both the contact reader category and the contactless reader category.
What is the difference between the GSA APL and SIN 132-62?
The APL is the listing of PIV-related products that have been approved by GSA as compliant with FIPS 201 requirements. SIN 132-62 is the purchasing schedule that enables agencies to procure APL products. It is, however, not the only means to procure these products as they can be purchased through the open market.