Your Complete Source for GSA Approved Identity Products

Audio from April 25 IAB meeting online now

FIPS 201 Administrator — Tue, 01 May 2012 14:08:00 -0400

The April meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in pdf format).

Government Smart Card Interagency Advisory Board (IAB) Meeting

Opening Remarks
Tim Baldridge, IAB Chair
Generic Identity Command Set (GICS): Leveraging PIV to Build a Standard Platform for ID Tokens
Ketan Mehta, NIST

PDF: click here

MP3: click here
Continuing to Move ICAM into Mobile Computing
Owen Unangst, USDA

PDF: click here

MP3: click here
The Movement to Use PIV-I
David Belchick, CitiBank

PDF: click here

MP3: click here
NXP and HID Global Enable Mobile Access for NFC Phones Enabling Options for Storing and Managing PIV(-I) Credentials on Mobile Devices
Julian Lovelock, HID/Actividentity

PDF: click here

MP3: click here
Cross-Agency Federation: A Demonstration of Federated Identity Trust within the Federal Government and Industry at Level of Assurance 4
Tim Baldridge, NASA, and Bob Gilson, DoD)

PDF: click here

MP3: click here
Closing Remarks
Tim Baldridge, IAB Chair

Keyboard, biometric reader GSA approved

FIPS 201 Administrator — Thu, 26 Apr 2012 10:03:00 -0400

Key Source International announced GSA approval for it’s biometric keyboard and stand-alone biometric pod. KSI products are approved under FIPS 201 for Federal Employees and civilian contractors.

The KSI-1700/GFFB biometric keyboard and the KSI-1008F biometric pod meet these requirements for FIPS 201. Marktron of Frederick, Md., whose primary focus is on OEM’s, systems integrators and military/government agencies, represents KSI in the federal market.

Thursby launches iOS two-factor authenticating smart card reader

FIPS 201 Administrator — Sat, 21 Apr 2012 11:24:00 -0400

Thursby Software Systems, Inc. has released the PKard Reader, a touch Web browser solution for the iOS that includes secure authentication to a personal smart card.

With the PKard Reader, users can access a Web portal, collaboration sites and e-mail through either an iPad or an iPhone. A combination plug-in card reader and two-factor authentication app provide a secure user experience. The card reader accepts industry standard CAC, PIV, PIV-I and CIV smart cards and supports many industry and U.S. government standards, including ISO 7816, EMV level 1, NIST IR 6887, FCC class B part 15, CE, RoS, HSPD-12, FIPS 140-2 and FIPS 201.

The device is geared toward government agencies and private enterprises that issue smart cards to their employees. The reader is available for $149.99.

Thursby intends for this to be the first in a portfolio of software products that deliver secure enterprise functionality to iOS mobile devices.

HID unveils pivCLASS solutions

FIPS 201 Administrator — Wed, 28 Mar 2012 10:57:00 -0400

HID Global, announced the availability of its pivCLASS Government Solutions portfolio, an product suite that enables the U.S. federal government, government contractors and other facilities to comply with federal identity mandates without having to replace their existing physical access control system (PACS).

The pivCLASS family is designed to make it easy for agencies to meet requirements and use their PIVand other smart cards for physical access control, resulting in compliance, interoperability and high security.

HID Global’s pivCLASS solutions work with existing PACS and external trust authorities to deliver functionality specified by FIPS 201. Supporting PKI-at-the-door mandates and PIV-I and CIV (also known as PIV-C) requirements for cards issued by non-federal entities, the product family delivers solutions for upgrading a physical access control infrastructure so that it can authenticate PIV credentials across the full-range of assurance levels as defined by the federal government’s Special Publication 800-116. pivCLASS also supports the Transportation Worker Identification Credential (TWIC) reader specification.

With pivCLASS, customers achieve FIPS 201 compliance for their PACS by simply deploying new pivCLASS Readers and installing pivCLASS Authentication Modules between the readers and the existing PACS panel. The resulting, upgraded access control system can now perform FIPS 201 authentication checking for all NIST-defined assurance levels. The modular system performs all necessary authentication steps, from the time of enrollment to the time of access.

Key pivCLASS components include:

pivCLASS Readers: A family of eight readers supports any FIPS-201 compliant contact or contactless card type including PIV, PIV-I, CIV, CAC, TWIC and FRAC. The readers provide backward compatibility with existing HID Global iCLASS and HID Prox readers to ease the transition from legacy cards to PKI-based credentials. HID Global plans to announce additional readers in the second quarter of 2012.
pivCLASS Authentication Modules (PAMs): PAMs are embedded computers packaged in a small form factor with pre-loaded, updatable firmware that are installed between the readers and existing physical access control panels. Each PAM can support up to two readers at one or two doors. Readers pass card information to the PAM which performs the required authentication checks to validate – or invalidate – the cardholder’s credentials. If valid, the PAM derives and sends a badge ID to the access control panel for an access authorization decision.
pivCLASS Validation Server: The Validation Server software provides centralized dynamic control of assurance level settings for each PAM. The Server configures the pivCLASS PAMs, manages their firmware updates, and regularly communicates with external trust authorities to import and send the PAMs updated credential status information for enforcement.

GSA certifies 3M Cogent PACs reader

FIPS 201 Administrator — Mon, 26 Mar 2012 12:29:00 -0400

3M Cogent announced that the U.S. General Services Administration, in accordance with FIPS 201, has certified its MiY-ID Gov biometric access control reader as an approved biometric authentication system standard.

At a high-level, the Biometric Authentication System performs: one-to-one biometric match, validation of the biometric signer’s certificate and interfacing with Online Certificate Status Protocol (OCSP) and Server-based Certificate Validation Protocol (SVCP).

MiY-ID is 3M Cogent’s biometric access control reader. As new security standards emerge, organizations are looking for a security product that meets current physical access control system standards for PIV, CAC, TWIC, and others. 3M Cogent’s MiY-ID-Gov enables them to meet current standards and adapt to changing standards without having to replace their PACS readers.

DC One Card Expands to Schools but Scales Back Taxi Driver Program, Use of PIV-I

FIPS 201 Administrator — Mon, 12 Mar 2012 11:02:00 -0400

By Jill Jaracz, Contributing Editor, Avisian Publishing

After a year of retooling its DC One Card program, DC officials are reconsidering the use of PIV-I and authentication of taxicab drivers, but they have added a school transit subsidy feature that all DC school children will use.

2011 saw a delay in the implementation of credit card readers and PIV-I identification options for taxicab drivers. The program was intended to enable drivers to use the DC One Card to sign in and verify identity at each shift. “The taxi cab project started, went cold for several months and is now considered a potential project,” says Rob Mancini, chief technology officer for the District of Columbia. As a whole the district is reviewing whether or not PIV-I is the correct technology.

While the taxi project was on hiatus, the DC One Card program underwent many changes in order to ensure that its applications add value. “Instead of a research and development exercise that created products with no demand, we put some discipline around the group,” says Mancini. Along with refocusing the group’s efforts, the office restructured the way it issues cards. Instead of having a large staff doing a lot of hands-on work, the office outsourced it’s printing to the Government Printing Office (GPO), says Mancini. DC One Card recipients then receive the card in the mail. “We tried to make the program more efficient,” says Mancini.

As a result of outsourcing the printing of DC One Cards to the GPO, the CTO’s office realized some cost savings. The cost of student cards dropped 52 cents from $7.72 to $7.20 per card. Citizen cards dropped about 10% from $11.63 to $10.24 per card. Citizen cards are more expensive to produce because of the higher level of identity vetting required and the additional mailing costs involved.

About 90,000 cards have been issued, says Howard Barrett, program manager of DC One Card and portfolio manager for planning and economic development in the Office of the Chief Technology Officer. Barrett, who took on the DC One Card management duties in June, is driving the direction of the credential, working to control costs and interacting with other agencies, Mancini says.

PIV-I on the bubble?

In terms of the taxicab project, which originally called for drivers to have PIV-I credentials for authentication and meter activation, as well as the installation of credit card readers in cabs, this has meant a little scaling back.

The Office of the Chief Technology Officer is questioning whether or not the PIV-I technology offers enough value for the cost, Barrett says. There would have to be many uses for the credential in order to reap the full benefits, he explains. “If we had multiple agencies we could support [with PIV-I] we’d think about it. It’s not required as a solution, so we’re not going to use it as a solution for taxicabs at this time,” says Barrett.

In 2012, the CTO’s priority is to implement credit card readers in taxicabs. The District’s Office of Contract and Procurement released a request for proposal in the beginning of 2012 and will award a vendor contract in early summer.

The hope is to have credit card point-of-sales devices in cabs by the fall of 2012. Barrett says it’s likely that not all cabs will have capability by then, but the system will have operational deployment. The District is one of the last large municipalities to add credit card capabilities.

In 2013, they will reevaluate the ability to use PIV-I, which means any such functionality is unlikely to be realized until 2014.

Students get DC One

Although the taxicab project was delayed in 2011, another project made use of the DC One Card as a platform.

This past year the Office of the Chief Technology Officer partnered with the District Department of Transportation to add the school transit subsidy program to the DC One Card. Mancini says the transportation department approached his office about adding this program, which is a four-way partnership between the CTO, transportation, the school system and the Metro.

It will take 18 months to roll out, and will cover the approximately 14,000 students who participate in the Transit Subsidy Program.

The DC One Card replaces the current paper voucher system. “[It gives us the] ability to control eligibility and use of the program in a more efficient way,” says Aaron Overman, acting associate director of the Progressive Transportation Services Administration at the transportation department.

With the analog system, there was no way to trace use of the program back to the student, says Overman. This made it possible for fraudulent use student transit subsidies. “Anecdotally we hear all the time about students graduating high school and taking a younger student’s card,” says Overman.

If students lost their transit pass, they also had to pay to replace it. Tying the subsidy to the card enables electronic trace back. If a card is lost or stolen, it can be turned off and the subsidy can be prorated onto a new card. “It lessens the burden of lost or stolen cards,” says Overman. Parents pay $30 per month per student for the transit subsidy. An adult fare is five to six times that much, says Overman.

This initiative started as a one-school pilot program last April. “It was easy to work out the kinks,” says Barrett. The preparation for this pilot involved writing code that took about two to three months.

Due to the success of the pilot, the program expanded to the seven secondary schools in fall 2011 and to all public high schools and middle schools at the end of 2011, with a mandate of all eligible students needing to use a DC One Card for transit subsidies starting on Jan. 1, 2012.

The next step will be adding the city’s 60 to 70 charter schools to the program, which will cover the remaining 50% of the district’s students.

Overman says the office will implement a three-school pilot in March or April 2012.

Adding the charter schools to this program provides challenges in that each charter school is run individually and the department of transportation will have to bring these smaller, individually run systems into one larger system.

“If we can get everything working, then definitely next fall (all schools will be live). Our goal is to have every single school in the district,” says Overman.

The transportation department projects 20% savings in converting to the electronic transit subsidy program.

Many charter schools also see potential uses for the One Card such as adding lunch programs, attendance and library usage applications to it. “It’s up to each individual school in how they use the card,” says Overman, adding that each school can work on what applications they’d like to add to realize further savings and efficiencies.

“School transit is starting as a first piece of what we’d like to see,” says Overman.

Just as Overman sees transit is the first step for schools, many see schools as the first step for the DC One Card. The sky can be the limit with these types of programs, as people imagine more and more applications and functions. But, as DC found with both taxicab and PIV-I additions, implementation and budgets can be the real challenge to rollout.

What does DC’s move away from PIV-I mean?

In 2009 Washington DC was committed to PIV-I. The district intended to issue credentials to first responders with plans to extend the program to city workers.

In 2010 the agency announced a program that would issue PIV-I credentials to taxi drivers and even citizens to enable residents to ride the Metro, check out library books and access schools and recreation centers.

Some of these uses cases are still moving forward, tens of thousands of cards have been issued, but none are PIV-I. The district didn’t see the use case for the technology, says Howard Barrett, program manager of DC One Card and Program Management Office and portfolio manager for planning and economic development in the Office of the Chief Technology Officer.

“There are a couple of factors influencing the current status regarding PIV-I implementation,” Barrett says. “A significant upfront investment is required, (and) there is also a need to ensure an appropriate return on investment should DC government pursue PIV-I deployment.”

Deploying a PIV-I system is expensive and the district wants to make sure that cost is justified. “We just a need to ensure cost-benefit objectives will be realized for the substantial investment,” Barrett adds. “In addition to existing available solutions, DC will also consider new, emerging technologies before making the decision to invest in a specific platform.”

This is going to be common as jurisdictions and corporations consider deployment of identity credentials, , says Salvatore D’Agostino, CEO at IDmachines. Outside of organizations that have a lot of interaction with the federal government, such as large defense contractors, PIV-I may not make sense, he says.

As it stands now, PIV-I is expensive and deploying it for anything other than an enterprise application would be a stretch, D’Agostino says. w “Where it goes wrong is when it depends on an edge use case, like taxi cab drivers,” he adds. “You can’t do it because of an edge case, you have to do it because of an enterprise case.

Audio from February 22 IAB meeting online now

FIPS 201 Administrator — Wed, 29 Feb 2012 13:02:00 -0500

The February meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in pdf format).

Government Smart Card Interagency Advisory Board (IAB) Meeting

Opening Remarks
Tim Baldridge, IAB Chair

MP3: click here
Overview of Electronic Authentication Guideline (NIST Special Pub 800-63-1)
Elaine Newton and Ray Perlner, NIST

PDF: click here

MP3: click here
TSCP Inc. - Global Secure Information Sharing, Enabling Cybersecurity Strategies between Industry and Governments
Keith Ward

PDF: click here

MP3: click here
Demonstration and Briefing on Two Factor Authentication for Mobile Devices Using CAC/PIV
Paul Nelson, Thursby Software Systems

PDF: click here

MP3: click here
Panel Discussion on Threats to 2 Factor Authentication
Moderated by Steve Howard; Panelists - Eric le Saint, ActivIdentity and Constantine Conrad, Alienvault Labs

MP3: click here
Closing Remarks
Tim Baldridge, IAB Chair

MP3: click here

GSA implements cloud-based physical access system

FIPS 201 Administrator — Thu, 26 Jan 2012 12:43:00 -0500

The General Services Administration (GSA) has implemented its first cloud-based physical access system at the Neal Smith Federal Building in Des Moines, Iowa.

The GSA contracted with BridgePoint Systems to utilize its TrustAlert Physical Access Control Systems. BridgePoint partnered with EmbarkIT to install the system, which replaced the GSA’s 10-year-old legacy system. The system leverages the GSA’s Kansas City, Missouri-based WAN and remote IT infrastructure, which allows the building to shrink its carbon footprint.

BridgePoint used the existing infrastructure at the Neal Smith Federal Building for installing the TrustAlert PACS with a cloud-based protocol. The system meets federal standards and guidelines including HSPD-12 and FIPS 201-2.

It’s interoperable among the 40-plus agencies located in the building and works with the 500-plus employees who already have PIV credentials. An additional 300 employees who currently do not have PIV credentials will transition to the new system.

The PACS required the installation of 23 readers on parking gates, elevator controls and automated doors. The GSA and EmbarkIT enabled employee and contractor building access with the TrustAlert Enrollment system, which enabled them to set up different levels of security clearance and access permission.

The project came in ahead of schedule and on budget.

Upgrading existing physical access control to comply with PIV mandates

FIPS 201 Administrator — Tue, 24 Jan 2012 11:03:00 -0500

By Dave Adams, Senior Product Marketing Manager, HID Global

Beginning in fiscal year 2012, U.S. government agencies must upgrade their physical and logical access control systems to provide federal employees and contractors with more secure and reliable forms of identification using Personal Identity Verification (PIV) credentials. These credentials must leverage smart card and biometric technology in accordance with National Institute of Standards and Technology guidelines embodied in FIPS 201. These upgrades must be completed before federal agencies may use development and technology refresh funds to complete other activities.

Until recently, upgrading to FIPS 201 standards was a difficult and expensive process that involved a number of suppliers and consultants. It also generally required a wholesale replacement of the current physical access control system (PACS) infrastructure, including head-end servers, panels and door control hardware.

This has all changed. With the advent of modular hardware solutions and turnkey implementation strategies, agencies can establish a clear migration path from existing credentials and preserve investments in their existing PACS infrastructure. This also allows them to support changing security requirements and enable cost-effective enhancements down the road.

Understanding FIPS 201 requirements

HSPD-12 set a clear goal to improve physical access control security and reliability through the use of government-wide standards. The FIPS 201 standard went further to define the specific characteristics of an interoperable identity credential to be used throughout government. Another important document, SP 800-116, introduced the concept of “Controlled, Limited, and Exclusion” areas, and required agencies to employ risk-based PIV authentication mechanisms for different areas within a facility (see Fig. 1).

Fig. 1: Innermost use of PIV authentication mechanisms

Simplifying the compliance process

Ideally, it should be possible to upgrade an existing PACS infrastructure so that it can authenticate credentials across the full range of assurance levels as defined in SP 800-116, without requiring a wholesale rip-and-replacement.

This is now possible using a modular hardware approach that delivers a high level of flexibility for future modifications. Agencies can install a combination of enhanced readers and FIPS 201 authentication modules that operate with existing components in the current PACS infrastructure. It is easy to deploy and eliminates the need to acquire a complicated mix of expertise, technologies and suppliers.

At the core of this solution is a reader that must feature EAL5+ Secure Element hardware. This ensures tamper-proof protection of keys and cryptographic operations. Additionally, the reader should use the industry-standard Open Supervised Device Protocol (OSDP) communications specification to establish a secure bidirectional link with FIPS 201 authentication modules.

To achieve compliance, agencies simply deploy the new readers and install authentication modules between the readers and the existing PACS panel. This upgraded access control system can now perform PIV authentication tasks across all PIV permission levels, with a validation server providing centralized control of assurance level settings and the distribution of validation data. This modular compliance system performs all necessary PIV authentication steps, beginning at the time of enrollment.

When a credential with the appropriate assurance level is presented to a corresponding reader, the authentication module validates the card according to the assurance level setting. The authentication module then extracts the FASC-N or UUID from the card and passes it on to the PACS panel for an access decision and logging. To prohibit access by revoked cards, the system retrieves and checks the card revocation status from the issuing certification authority or hotlist.

To validate visitor PIV cards, authentication modules use the Server-based Certificate Validation Protocol (SCVP) to establish a chain of trust through the Federal Bridge. Vendors must have first successfully completed cross-certification to the PIV-I standard via the CertiPath Bridge, which ensures interoperability across government agencies and with non-government members of the Federal Bridge. For invalid cards, the authentication module is configurable to send a preset badge ID to the PACS panel (for logging and investigation) and/or close an output relay (to trigger a video camera, for instance).

In the case of communications interruption in the validation process, authentication modules maintain an updated validation data cache that enables them to function “offline.” Meanwhile, strong authentication continues at the door.

Other features further improve simplicity and flexibility. By capturing cardholder data the first time a card is presented for validation to a reader connected to an authentication module, this data can be shared with other authentication modules. This feature delivers several benefits. It makes it possible to use existing access control enrollment functionality and it enables integration with an identity management or card management system. It also enables the use of third-party enrollment packages.

Meeting current and future compliance needs

Until recently, agencies faced with the mandate to upgrade their physical access control system to FIPS 201 compliance were required to work with multiple vendors and often had no choice but to replace their entire PACS infrastructure. The latest, modular solutions give agencies a single point of responsibility and accountability for achieving compliance without a wholesale rip-and-replace upgrade.

The solutions also provide the means to support many compliance needs, including PKI-at-the-door mandates as well as PIV-I and PIV-C requirements for cards issued by non-federal entities. For these and other challenging compliance requirements, today’s modular solutions give agencies a migration path that protects their current PACS investments while enabling them to employ risk-based security levels in selected areas, as required, and to leverage ongoing improvements in access control technology.

Three ID trends in the security industry

FIPS 201 Administrator — Tue, 10 Jan 2012 10:15:00 -0500

By Peter Boriskin, Director of Product Management EAC, ASSA ABLOY

As technology continues to advance in the security industry, the nature of credentials and ID technologies in higher education and government facilities is rapidly changing.

We’re seeing a number of different trends, including the enforcement of FIPS 201 and PIV requirements for government agencies, migration from low security to higher security on college and university campuses, and growth of near field communications technology.

TREND #1: Government Mandates- FIPS 201 & PIV

Today’s security landscape has had a major impact on the world, specifically for the U.S. government, post-9/11. With the introduction of FIPS 201 requirements and PIV requirements for Federal employees and contractors in 2005, all government facilities are required to implement a specific plan for implementation by the end of 2011. Agencies wishing to leverage funds from the OMB must have a plan to upgrade all existing physical and logical access control systems to support PIV.

A major aspect of FIPS 201 focuses on the credential itself, since the PIV card must be smart and meet a variety of ISO/IEC specifications, read/write capabilities and encryption standards. We also believe that the upcoming FIPS 201-2 revision will drive additional access control requirements in the near future.

TREND #2: Security Migration for College Campuses

We’re seeing a general need for a migration path from low security credentials to higher security technologies for both college campuses and other types of facilities. Since this results in a mixed credential population, we’ve addressed this migration by introducing lock solutions that support both magnetic stripe and prox or iCLASS credentials, as well as lock solutions that can read multiple credentials with a single reader.

There is also a continued need to cut costs market wide, so we feel lock solutions that include fewer components, reducing material and installation costs and decreasing maintenance over the life of the product are the best option.

TREND #3: The Adoption of NFC/Mobile Keys

The advent of NFC or Mobile Keys technology in environments like college campuses, hotels and homes is another big trend we’re seeing across the industry.

This ID technology enables credentials and key information to be sent directly to smart devices over the air, enabling individuals to unlock a door by authenticating the smart device to the lock. This is an exciting area that we believe will begin to grow tremendously in the future. It offers not only higher security but also the simple convenience that users have come to expect as an increasing number of services become available through mobile phones.

Secure Identity Object (SIO) is another new technology from HID Global for digital credentials that supports advanced applications, mobility and heightened security. SIO ensures data authenticity and privacy through multi-layered security with tamper-proof protection of keys. An SIO can be an ID number or a fingerprint, and is not limited to traditional credentials so it can reside on a smart phone as a mobile key or on a key fob or token.

Overall, we’re seeing that organizations are matching the level of protection commensurate with the actual level of threat, with a custom security solution tailored to the specific requirements of each opening.

We will continue to see credential and ID technology rapidly evolve as decision makers begin customizing security solutions to meet the level of threat posed at higher education facilities, ensure compliance with requirements for government agencies, and address the growing demands for commercial spaces.

About the AVISIAN Publishing Expert Panel

At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of January, these panelist’s predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews, ContactlessNews, CR80News, NFCNews, DigitalIDNews, ThirdFactor, RFIDNews, EnterpriseIDNews, FinancialIDNews, GovernmentIDNews, HealthIDNews, FIPS201.com, IDNoticias ^es.