25 August, 2008
Organizations are looking at the spec, but not a lot of deployments yet
By Zack Martin, Editor
Many people agree that FIPS 201 is a good technical specification, but its acceptance outside the U.S. government remains slow. That might not be the case for long, though. Other governments and private organizations are looking at the standard, which is filling a gap.
Back in 2000 when UK-based Consult Hyperion was assisting the Hong Kong National ID project they had to start from scratch. But things have changed since then, says John Elliott, head of the public sector practice and principal consultant at Consult Hyperion. “There’s no need to reinvent the wheel because there’s this spec coming out of the U.S.,” he says.
FIPS 201 offers an alternative to a vendor-based specification, says Mike Butler, program manager for GSA’s Homeland Security Presidential Directive 12 Managed Services Office. “If I were a large company I would take advantage of the government research instead of doing a proprietary solution because sooner or later those are going to die off,” he says.
“Unlike many of the other standards, this one is being tested and implemented,” Butler adds. “It’s already got hundreds of thousands of people using it with more every day.”
Others are noticing these advantages. Bethesda, Md.-based Lockheed Martin Corp. has a pilot using a FIPS 201-lite spec, and the United Kingdom Police Service has reviewed it as well. The number of adopters is likely to grow as more governments and corporations endeavor to increase the security of their credentials.
Lockheed Martin started testing FIPS 201 credentials in May, says Bray Becker, a senior manager at the systems integrator. The company has issued 200 credentials for both physical and logical access at two different facilities. The test is scheduled to run through the rest of the year, after which the company will assess the pilot and decide how to proceed.
“One of our primary reasons for moving toward a single card is the ability for that credential to be trusted by others,” Becker says. There are four digital certificates on the card, which are optional with FIPS 201, and the credentials are capable of digital signature, file encryption and workstation login.
The cards contain digital certificates from CertiPath LLC, a provider of public key infrastructure-based solutions for the aerospace industry. CertiPath gives Lockheed the basic support to work with government as digital certificates become more prevalent.
Becker says Lockheed is using the FIPS 201 data model, but had to make some changes for physical access. The card also includes HID proximity technology used for physical access to accommodate Lockheed’s existing infrastructure.
Lockheed’s IT department suggested a move toward the credential, Becker says. “FIPS 201 didn’t drive the project but it helped enable it and push along its adoption,” he says. “User name and password are no longer passable; stronger authentication is becoming necessary.”
Outside the U.S., the UK Police Service is looking at FIPS 201 for logical access, says Consult Hyperion’s Elliott. The law enforcement agency has a handful of national IT systems, such as fingerprint databases, that need secure access. Each of these systems has a different user name and complex password, which are difficult for officers to remember.
They realized smart cards were the logical choice to standardize their credentials and Elliott determined that FIPS 201 would be a good specification. It suited their needs from a logical access standpoint and there are multiple approved products available from different vendors.
The agency is choosing options from the standard and will have a central PKI system that will control access to all the national systems, Elliott says. Users insert the smart card into a reader attached to a PC, enter one password and then have access to all the necessary systems. The spec also gives the force the opportunity to add functionality, such as physical access and a digital signature.
While the UK Police may be one of the first organizations outside the U.S. to use FIPS 201, there are more on the horizon, says Steve Howard, vice president of business development at Thales e-Security Inc. He says the UK and Australian governments are looking at the spec for their national identity programs. “It’s an open standard and provides a strong credential that enables biometrics beyond a facial photograph,” Howard says.
Thales is working with several organizations to deploy FIPS 201 credentials, Howard says. “We’re seeing a lot of attention particularly around aviation.”
Common identity proofing and issuance is something that appeals to the aviation community. Being able to proof a worker’s identity once and trust that credential at another facility is what these organizations want, Howard says.
Cost is going to be a major factor for organizations as well and might drive others to look at the standard too, Howard says. Since FIPS 201 products will be offered from multiple vendors, there will be competition for business. And since the products are standardized there will be less spent on custom programming.
Lots of interest, no uptake
Vendors in the credentialing space are seeing a “keen interest” in the spec but no deployments, says Neville Pattinson, director of government affairs and marketing, identity and security at Gemalto. Part of the problem is some perceived limitations of the FIPS 201 standard. “When you’re looking at something for the enterprise they want more than just FIPS 201, it doesn’t go far enough,” he says.
Specifically, the standard doesn’t go far enough with PKI, Pattinson says. He points to the U.S. Department of Defense’s Common Access Card program. He says the PKI that the Defense credential uses wouldn’t be possible if they were just using the FIPS 201 spec.
Oberthur Technologies is seeing movement toward using the FIPS 201 data model, says Patrick Hearn, vice president of Oberthur’s government ID market. But organizations aren’t necessarily using all the attributes, including the PKI.
There will also be some modifications to the current Personal Identity Verification (PIV) standard that may influence how it’s used in the future. “There will be a FIPS 201 data model but there will also be a larger data model with the ability to support different identity programs,” Hearn says. “It is going to change and it will have greater alignment with a generic card specification.”
Jerome Becquart, vice president of products and services at Fremont, Calif.-based ActivIdentity Inc., says FIPS 201 could provide the basis for an international specification. “There are limitations to the PIV card today,” he says. “It doesn’t support different use cases that an enterprise would need but then there’s some overkill in other areas.”
ActivIdentity is seeing interest from two groups of users: systems integrators that work with the government and large companies with complex IT systems, Becquart says. The company has a couple of projects active in both these areas.
The evolution of FIPS 201 is nowhere near finished. How widespread it will become is anybody’s guess, though it seems to be on a path toward broad deployment.