Smart Card Talk : March 2009 : Feature of the Month

Using FIPS 201 and the PIV Card for the Corporate Enterprise
Corporate enterprises have always required employees to carry cards or badges that verify the employee’s identity and allow the employee to access enterprise resources. However, changes in both the regulatory environment and the amount of risk that enterprises face from unauthorized access are driving executives to reevaluate their identity management practices. How should a potential employee’s identity be verified? How can corporate security ensure that only authorized employees have access to facilities, enterprise networks, and computers? How can authorized employees use identity credentials to access enterprise resources easily and efficiently?
Establishing a robust identity management framework within an enterprise requires both the implementation of new business processes and the selection of appropriate credentialing technology. While there are many approaches to enterprise identity management, industry and government have worked for over 10 years to develop both a standardized identification process within the government and specifications for proving an individual’s identity and providing individuals with a secure identity credential. The process and technical specifications, which are now being implemented throughout the Federal Government, are documented as Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. This standard provides an identity management framework that enterprises should regard as a best practice in the design and implementation of their own identity management programs.
This article summarizes the benefits of considering this standard as a starting point for achieving identity assurance and access control across the corporate enterprise.
Logical and Physical Security Convergence
The FIPS 201 standard provides Federal agencies with a blueprint for designing and implementing a comprehensive smart card credentialing program and also has a significant impact on programs in the private sector. The signing of HSPD-12 and the subsequent creation of FIPS 201 have been termed a “landmark event for the industry.”
For the first time, a formal standard exists that will allow agencies to purchase biometric and credentialing solutions with the assurance of interoperability and mutual levels of trust. With solid vetting requirements and rigid smart card and biometric interoperability standards, the ID solutions industry is rapidly moving to support it. Other federal ID programs like [the Transportation Worker Identification Credential] TWIC, Registered Traveler and the First Responder [Authentication] Card initiative have pledged to follow the same technical standards, allowing them to be more rapidly and affordably deployed. [1]
Organizations are pointing to the standard as a means of achieving a more holistic approach to security, incorporating personnel security (vetting, background checks, security training and awareness), logical security (network and application access), physical security (facility access, including video analytics), and incident monitoring and response. Although the current state of enterprise security may arguably be the best ever, enterprises still have a long way to go in terms of recognizing and breaking down various security “stovepipes” that result in disjointed and less-than-efficient security implementations.
Security convergence is a real and growing concept in the commercial world. Enterprises such as Sun, Boeing, Pfizer, Unisys, Lockheed Martin, Northrop Grumman and others are implementing smart card-based badges that provide employee access to both physical and logical resources. Government identity programs internationally are providing smart cards that securely support multiple applications from different issuers. Vendors are building capabilities into systems so that physical access control systems can communicate with enterprise identity management systems and provide consolidated access control.
Consolidating access control will enable corporations to realize some of the benefits that government agencies are beginning to enjoy. Centralizing operations that are often performed locally, such as personnel screening and vetting, can improve overall IT security and physical security. In addition, removing redundant stovepipe functions across an enterprise reduces costs.
Enterprise Use of FIPS 201 Technologies
Enterprises have the opportunity to leverage the work that the Federal Government has done in FIPS 201 to define identity vetting and verification processes and specify conforming identity credential technology. While only Federal agencies can issue “official” PIV cards, enterprises can follow FIPS 201 processes, use FIPS 201-defined technologies, and implement credentials that are PIV interoperable or PIV compatible, as appropriate.
A PIV interoperable credential is a credential that meets the FIPS 201 technical standards (and can therefore work with PIV infrastructure elements, such as card readers) and also follows the FIPS 201 process for issuing credentials. Following the FIPS 201 process for credential issuance allows all Federal relying parties to trust the card, across organizations. This trust is established by a common enrollment, registration, and issuance process and a strong authentication credential that leverages a cross-certified and federated public key infrastructure. A PIV interoperable credential would be of great value to enterprises that do business with the government and have a requirement to issue interoperable identity credentials. In addition, related organizations within an industry could decide to follow common FIPS 201 processes to establish a basis for trusting identity credentials across organizations.
A PIV compatible credential is a credential that meets the FIPS 201 technical specifications but does not follow the FIPS 201 process for credential issuance. Federal relying parties cannot automatically trust the card. Enterprises issuing compatible credentials can benefit by being able to use the growing range of products on the FIPS 201 Approved Products List. Cards, readers, software, and other products can be purchased from a variety of vendors, be connected, and function as a system.
Enterprises can choose to implement interoperable or compatible credentials. FIPS 201 provides a defined framework and technical specifications for enterprises to follow for both. By basing identity credentialing efforts on FIPS 201, enterprises can:
Follow a proven process for employee identity vetting
Implement an identity vetting process that provides the basis for trusting identities across organizations or with Federal agencies
Implement an identity credentialing solution that has the potential to be interoperable and compatible across organizations or with Federal agencies
Acquire proven products and services that meet FIPS 201 technical specifications from multiple vendors
Strengths of FIPS 201 for Enterprise Identity Credentialing Programs
The FIPS 201 standard delivers the following benefits to both government organizations and commercial enterprises:
Specifies a “useful” and “secure” identity card that supports a wide range of use cases
Enables card support across a wide range of PCs, servers, and mobile devices
Defines processes and technical specifications that enable interoperability across organizations
Fosters competition to reduce prices
The FIPS 201 PIV card offers the following advantages over other smart card-based approaches for enterprises:
It is supported by a wide range of manufacturers and integrators.
It does not compel an organization to use a single vendor for key components.
It provides flexible authentication, signature, and encryption functionality.
It is well positioned to take advantage of emerging technologies, such as biometrics.
As a standard that will be used by Federal agencies to issue credentials to millions of U.S. Federal employees and contractors, it has the advantage of scale.
It provides the framework to support interoperable identity credentials across organizations.
Because of these factors, implementing a FIPS 201 PIV-card-based approach to identity credentials can be extremely beneficial to organizations outside of the U.S. Federal government. An organization using the FIPS 201 model and standard can take advantage of a high level of functionality at economical volume prices. The identity technology has been thoroughly scrutinized and is trusted at the highest levels. And the credentialing process is flexible and has been thoroughly vetted to represent best practice.
Conclusion
The standardization of identity credentialing processes and approaches is a major step forward for identity management in both enterprises and government organizations. Standardization fosters interoperability. Standardization simplifies implementation by driving the industry to develop products, applications, processes, and practices that meet the standard and are interoperable. Standardization provides enterprises with a greater variety of products at a lower cost.
The FIPS 201 standard has established a foundation for both government and commercial identity credentialing programs. By using FIPS 201 as the basis for an employee identity credentialing system, enterprises can move toward standardized processes and technologies that enable interoperability and are supported by commercial off-the-shelf products from multiple vendors.
So what should an enterprise do next? A good first step is to get educated on FIPS 201 – particularly the FIPS 201 identity verification processes and technologies – to see how it can be used to meet requirements for high assurance identity verification, secure interoperable identity credentials, and authentication for physical and logical access. By using FIPS 201, enterprises can take advantage of the investment being made by the U.S. government and industry to implement standards-based identity credentialing programs.
Notes
[1] “The Rapidly Emerging Identity Solutions Industry,” Stanford Group Company, July 20, 2006
About the Article
This article is an extract from the white paper, Using FIPS 201 and the PIV Card for the Corporate Enterprise, developed by the Smart Card Alliance Identity Council and Physical Access Council. Additional information about the use of smart cards for secure identity applications can be found at http://www.smartcardalliance.org.
About the Smart Card Alliance Identity Council
The Smart Card Alliance Identity Council is focused on promoting the need for technologies and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.
About the Smart Card Alliance Physical Access Council
The Smart Card Alliance Physical Access Council is focused on accelerating the widespread acceptance, usage, and application of smart card technology for physical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the physical access industry and that will address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software and reader vendors; physical access control systems vendors; and integration service providers.