29 December, 2009
By Guy Vancollie, chief marketing officer, CoreStreet (now an ActivIdentity Company)
The U.S. government issued HSPD 12, a “policy for a common identification standard for federal employees and contractors” on August 24, 2004. Under the HSPD-12 mandate, all federal employees and contractors will be issued a Personal Identity Verification–or PIV–a smart card with contact and contactless interfaces to be used as their identity credential.
Due to the need to define and set-up processes, such as the ones for vetting card recipients and for card issuance, the rollout of PIV cards was slower than initially expected. However, with more than 3.5 million cards, 60% of the required total, issued by the middle of 2009, critical mass has definitely been reached.
Also noteworthy was the May 2009 release of the “Personal Identity Verification Interoperability for Non-Federal Issuers” document, issued by the Federal CIO Council. It details how non-federal organizations can issue identity cards which are not only technically interoperable with the federal government PIV system, but which can also be issued in a manner that provides federal government relying parties the option to trust the cards.
As FIPS 201, the PIV card standard, is limited in scope to the federal government, the guidelines in the above mentioned document are welcome to ensure credentials such as First Responder Authentication Credential, Transportation Worker Identification Credential or the ones issued by government contractors, such as Lockheed Martin, Northrop Grumman and SAIC, can achieve interoperability.
The growing interest in PIV Interoperable (PIV-I) credentials was also very visible at the 8th Annual Smart Cards in Government Conference, with coverage of PIV-I woven throughout many of both the plenary and track sessions.
Although common access card usage used to be considered for logical access to information systems, it is important to note that the HSPD-12 directive also mandates their use for physical access to federal government facilities. And it is such convergence of using a single strong credential for both logical and physical security which will provide the lower cost and better security for the federal enterprise.
However, using the new PIV smart cards with many of the older, installed Physical Access Control Systems (PACS) is not an easy task. Indeed, most of the installed PACS systems are not equipped to function with the certificate infrastructure underlying the PIV system.
During 2009, CoreStreet experienced a substantial spike in interest for our FIPS-201 enabling technology, with many PACS manufacturers taking the steps required to make their systems compatible with the new Federal access requirements in the long term. In the meantime, agencies are taking steps to implement solutions to PIV enable their existing PACS systems with technology which requires some minor changes, but without the need for wholesale rip and replace of the installed base.
In fact, in parallel with the Smart Cards in Government Conference, the Interagency Advisory Board organized a visit to the offices of CertiPath to demonstrate the viability and effectiveness of a single-credential system that can provide secure access for both physical and logical assets, and provide interoperability for employees, customers and partners. The demoed federated PACS system, funded in part by the General Services Administration, which operates the U.S. Federal Bridge, showcased an architecture conforming to the principles of NIST SP 800-116.
In summary, 2010 promises to be the year when an initial set of federal employees will enjoy the benefits of security convergence and be able to use their new PIV credential not only for logical access to their information systems, but also for practical day-to-day physical access to their facilities.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of December, these panelist’s predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews.com, ContactlessNews.com,CR80News.com, RFIDNews.org, FIPS201.com, NFCNews.com, ThirdFactor.com, and DigitalIDNews.com.