15 May, 2009
By Salvatore D’Agostino, ID Machines
IDmachines has focused from day one on the opportunity created by Homeland Security Presidential Directive 12 (HSPD-12) and the access control requirements that would emerge from Federal Information Processing Standard 201 (FIPS 201). It hasn’t always been the most popular position, given the extent of legacy solutions, the rate of innovation in the physical access control marketplace, and the degree to which the United States Government could become the change agent for the physical access control industry, to say nothing of the logical access and identity management industries.
Some of the contrary positions have always been surprising, particularly once it became clear that FIPS 201 was not a flash in the pan. At a minimum it represented 15 million government employees and contractors. OK, so that’s enough to interest IDmachines, but for a physical access control industry where many installations were fewer than 20 doors, the sea change for the most part continued to be ignored, or addressed with the least possible effort or innovation on the part of the industry “leaders.” In fact many government installations have been and will be addressed by small-scale solutions. In my opinion this is a case of fool me twice.
Not everyone has ignored the obvious, and over the last couple of years IDmachines has worked closely with a number of progressive companies to position them for what continues to be an enormous opportunity. Setting the correct product roadmap and establishing the proper go-to-market strategies don’t evolve overnight, nor do the relationships needed to take advantage of it. It was a process that started when I was involved in deploying the credential validation infrastructure and architecting and developing physical access control solutions to take advantage of this fundamental evolution of identity and security.
In the meantime there have been other related developments that continue to support IDmachines’ founding premise. The First Responder Authentication Credential (FRAC) and Transportation Worker Identification Credential (TWIC) introduce populations in the millions (in fact tens of millions). So now we are approaching 50 million new credentials to be issued, all based on strong identities tightly bound to digital certificates.
Yet in many cases it has only been the introduction of requirements for approved products (these exist for both of these sectors) that has gotten the industry to move forward. Not surprising, but in most cases the industry “leaders” have had to have a ring put through their nose and be dragged into the arena, when given the numbers a stampede would have been more in order.
OK, so the saga continues. If 50 million new credentials don’t get an industry’s attention, let’s double the number. It doesn’t require Danish philosophy (it was Kierkegaard who gets credit for the concept of a “leap of faith”) or trusting a blogging Italian-American. It’s completely in the public domain.
In the last couple of weeks two very significant developments have become public in the access control market place. To those of us who have been following the evolution of FIPS 201 they come as no surprise. To those on the fence it should tip them toward the side of the believers. And for the skeptics it will likely be the case that once a dinosaur always a dinosaur (even the physical access control market moves fast enough for some opinions and vendors to become extinct). So what happened?
First was the announcement of the Four Bridges Forum. For those who have not yet gotten up the Public Key Infrastructure (PKI) learning curve (strongly suggested), the bridges referred to here are trust bridges that use the Federal Bridge Certificate Authority as an anchor for trusting identity. This blog has previous posts about the fact that the Federal Bridge sets both policy and technology standards for identity and credentialing in the early part of the 21st century.
The four bridges refer to the four industry sectors that have now chosen to align themselves and to make available to others in their industry the ability to achieve interoperability and trust among their members, across industry and government. The first is the United States government, the second is the bio-pharmaceutical industry and the SAFE BioPharma bridge, the third is the aerospace industry and the CertiPath bridge, and the fourth is the higher education industry and the EDUCAUSE bridge. This blog has alluded to the fact that others will certainly follow (in particular multiple components of our critical infrastructure).
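To make the bridge model concrete, here is a worked example added to this post (it is not IDmachines’ code, nor the Federal Bridge’s or any industry bridge’s). A bridge CA never becomes anyone’s trust anchor: each participating root cross-certifies the bridge and the bridge cross-certifies each root, so a relying party that trusts only its own root can still build a path to a credential issued under a different root. Every name, key and certificate below is constructed on the spot with the Python `cryptography` library (P-256 keys, one-year validity); revocation checking and the policy mapping the bridges negotiate are assumed to happen elsewhere.

```python
"""Added example (not from the post): certificate path building through a
bridge CA.  Names, keys and certificates are constructed here and have no
relation to the real Federal Bridge or any industry bridge."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_DEPTH = 6  # longest path we are willing to build, anchor excluded


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, ca):
    """Issue a one-year ECDSA/SHA-256 certificate.  A cross-certificate is
    just a CA certificate whose issuer is a different CA than its subject."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's EC public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def build_path(cert, pool, anchor, path=()):
    """Depth-first search from `cert` to the relying party's trust `anchor`,
    linking through certificates in `pool` whose subject matches the current
    issuer and whose key verifies the current signature.  Cross-certificates
    form cycles (root -> bridge -> root), so a certificate is never reused."""
    path = path + (cert,)
    if len(path) > MAX_DEPTH:
        return None
    if cert.issuer == anchor.subject and signed_by(cert, anchor):
        return list(path) + [anchor]
    for cand in pool:
        if any(cand is seen for seen in path):
            continue
        if cand.subject == cert.issuer and is_ca(cand) and signed_by(cert, cand):
            found = build_path(cand, pool, anchor, path)
            if found:
                return found
    return None


def path_names(cert, pool, anchor):
    """Common names along the validated path (end entity first), or None."""
    path = build_path(cert, pool, anchor)
    if path is None:
        return None
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value for c in path]


def demo_pki():
    """Constructed two-way bridge: a government root and an industry root each
    cross-certify the bridge CA, and the bridge cross-certifies each of them."""
    gov_k, bridge_k, ind_k, alice_k, gwen_k, bob_k, other_k = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(7))
    gov_root = issue("Gov Root", gov_k, "Gov Root", gov_k, True)
    ind_root = issue("Industry Root", ind_k, "Industry Root", ind_k, True)
    pool = [  # cross-certificates published by the bridge and its members
        issue("Bridge CA", bridge_k, "Gov Root", gov_k, True),       # gov root -> bridge
        issue("Bridge CA", bridge_k, "Industry Root", ind_k, True),  # industry root -> bridge
        issue("Industry Root", ind_k, "Bridge CA", bridge_k, True),  # bridge -> industry root
        issue("Gov Root", gov_k, "Bridge CA", bridge_k, True),       # bridge -> gov root
        issue("Other CA", other_k, "Other CA", other_k, True),       # nobody cross-certified it
    ]
    alice = issue("Alice", alice_k, "Industry Root", ind_k, False)  # industry employee
    gwen = issue("Gwen", gwen_k, "Gov Root", gov_k, False)          # government employee
    bob = issue("Bob", bob_k, "Other CA", other_k, False)           # outside every bridge
    return {"gov_root": gov_root, "ind_root": ind_root, "pool": pool,
            "alice": alice, "gwen": gwen, "bob": bob}


if __name__ == "__main__":
    p = demo_pki()
    print(path_names(p["alice"], p["pool"], p["gov_root"]))  # government relying party
    print(path_names(p["gwen"], p["pool"], p["ind_root"]))   # industry relying party
    print(path_names(p["bob"], p["pool"], p["gov_root"]))    # no path: None
```

The government relying party ends up with the path Alice, Industry Root, Bridge CA, Gov Root, and the industry relying party with Gwen, Gov Root, Bridge CA, Industry Root; Bob’s credential, issued by a CA no bridge has cross-certified, yields no path and is rejected. The visited-certificate check matters: without it the gov-to-bridge and bridge-to-gov cross-certificates chase each other until the depth limit.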
Simply put, this eliminates the argument that FIPS 201 will never be adopted outside of the U.S. government. This means that interoperability can be achieved. This adds use cases (intra-industry collaboration and U.S. government interactions). This adds economies of scale (as if 15 million government users weren’t enough to drive solution providers). This gets the standard to the tipping point of becoming ubiquitous.
The second item, closely intertwined with the first, is the Federal CIO Council putting out the policy for Personal Identity Verification (PIV, which is the name of the focus of FIPS 201) Interoperability (I), or PIV-I. This addresses an important issue: if FIPS 201 applied to Government and contractors, how can you expand it beyond that silo?
There were aspects of the standard that were very U.S. government specific. As an example, part of the identity vetting process required a National Agency Check with Inquiries (NAC-I). Well, you can’t do a NAC-I for a private sector employee. So the question became how you align one background check with another and how that maps to the level of assurance. These policy and technical interoperability issues needed to be addressed in order for the industry bridges to reach across to the government. The challenge was never technical; it was more on the order of herding cats. And in my opinion it was done in short order and the right way.
So when you hear the question, “Does it meet FIPS 201?” it is not something that addresses a niche market. And depending on your perspective it just might be the most important question you can ask your product managers, system integrators, vendors or purchasing managers. And then depending on how the question is answered you can get to my favorite retort: “Now really...?”