More Government Agencies Moving to Smart Cards?


The U.S. Federal Government accelerated its move to smart cards during the mid-2000s following the U.S. issuance of Homeland Security Presidential Directive 12 (HSPD-12) and the release of Federal Information Processing Standards Publication 201 (FIPS 201), which defined the identity vetting, enrollment and issuance requirements for a common, highly secure identity credential.

Now it looks like other countries are taking note: as U.S. federal agencies have begun deploying solutions, these efforts have attracted international attention and FIPS 201 is now under consideration for government, public safety and critical infrastructure personnel in other countries as well.

FIPS 201 standards are also spreading beyond Federal agencies into the government contractor and commercial spaces, with Personal Identity Verification-Interoperable (PIV-I) cards for government contractors and Commercial Identity Verification (CIV) credentials for commercial users. Each of these identity cards supports strong authentication mechanisms, and is used both for physical and logical access to federally controlled facilities and information systems, as well as to gain access to highly secure commercial facilities and IT networks in the case of the CIV credential.

An existing physical access control system (PACS) must be modified to support the use of these credentials. However, achieving FIPS 201 compliance, or simply upgrading a PACS to higher security within public or private sector organizations, needn't require a wholesale rip-and-replace system upgrade. The best, most cost-effective FIPS 201-based upgrade approach is to augment existing panels and door controller functionality to provide strong PKI-based validation at the time of access. Any upgrade should maximize reuse, support multiple PACS and ensure that both PIV-I and CIV credentials can be used. In the U.S., the upgrade also must meet the requirements of a GSA-approved authentication system, and support multiple authentication systems according to the National Institute of Standards and Technology (NIST) Special Publication 800-116 related to "controlled," "limited" and "exclusion" areas within government facilities.

An upgrade that meets these goals can be achieved with just two changes: replace existing card readers with PIV-enabled readers, and insert an authentication module between the reader and door controller. These modifications accomplish the task, and a validation server provides centralized control of assurance level settings and the distribution of validation data. This is the model HID has developed for customers with our new pivCLASS solutions, which include all of these components for enabling the use of PIV-I and CIV credentials without modifying or replacing any non-reader component in an existing PACS.

Issuance of PIV cards is virtually complete in the U.S. and agencies are now turning their attention to identifying and implementing PACS changes to utilize these credentials for access control. Meanwhile, other countries are now evaluating PIV-I and CIV credentials for their own government, public safety and critical infrastructure personnel, and I look forward to helping streamline this move to higher security for organizations around the world with HID's complete portfolio of pivCLASS solutions.