FIPS 201 and Physical Access Control: An Overview of the Impact of FIPS 201 on Federal Physical Access Control Systems

Publication Date: September 2005

• Click Here to download the white paper [189k PDF]
• Click here for additional resources compiled by the Smart Card Alliance Physical Access Council to assist organizations in their implementation of FIPS 201.

Executive Summary

Historically, due to their purpose in the organization, logical and physical access control functions have been separate domains managed by different personnel implementing related but uncoordinated policies. As a result, the architecture, equipment, and identity verification requirements were independent and oriented toward their specific functional goals. The staff was trained and experienced in different security skills, with the physical access control system (PACS) typically managed by security personnel and the logical access control system managed by the IT department.

Today, however, logical and physical access control systems are beginning to converge. Verifying the identity of individuals both within an organization and among different organizations has become critically important. Although the skill sets and technologies for logical and physical access are still specialized, requirements for uniform security policy enforcement and the adoption of new access control technologies are driving dramatic and necessary changes to integrate both functions and systems. A prime example is Homeland Security Presidential Directive 12 (HSPD-12), issued by President George W. Bush on August 27, 2004, which mandates the establishment of a standard for identification of Federal Government employees and contractors. HSPD-12 requires the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.

The convergence of logical and physical access control functions required by HSPD-12 benefits agencies in many ways. However, it also raises a unique set of challenges. In particular, combining physical and logical access on a single credential requires agencies to address issues that were handled by separate functional groups in the past.

HSPD-12 requires that the Federal credential (the PIV card) be secure and reliable, which is defined as a credential that:

• Is issued based on sound criteria for verifying an individual’s identity;
• Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
• Can be rapidly authenticated electronically; and
• Is issued only by providers whose reliability has been established by an official accreditation process.

The Department of Commerce and National Institute of Standards and Technology (NIST) were tasked with producing a standard for secure and reliable forms of identification. In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, on February 25, 2005. The FIPS 201 PIV card is to be used for both physical and logical access control, and other applications as determined by the individual agencies.

FIPS 201 and the NIST special publications supporting FIPS 201 were developed to provide guidance for implementing the HSPD-12 requirements for a common Federal identification credential that is to be used to access both physical and logical facilities and information systems.

These standards and specifications signal a momentous change in how the Federal government manages physical access controls and information security. While FIPS 201 and its associated special publications define many aspects for an interoperable Federal identity card, the standard also provides a variety of options for implementation and permits individual agencies to define their own approaches to meeting agency-specific access requirements. This white paper provides a roadmap to the key specifications that agencies need to consider in implementing FIPS 201-compliant physical access control systems and provides an overview of the key open questions where work is still being done on standards definition and implementation guidance.

The impact of FIPS 201 is not restricted to the Federal government. State and local governments are being encouraged to adopt the provisions of FIPS 201, and businesses that provide goods and services to the Federal government will find that a substantial segment of their workforce will need to be credentialed. The private sector is also leaning toward the use of similar technologies and controls. Over the past 2 years, large leading-edge enterprises such as Boeing, Microsoft, Sun Microsystems and Johnson & Johnson have been migrating toward the use of smart cards for both physical and logical access control authentication. Other enterprises have watched their progress carefully and are now planning their own implementations.

FIPS 201 and other initiatives that are being implemented to improve identity authentication are driving a paradigm shift for government agencies, businesses and smart card and PACS products and services providers. This shift is forcing a convergence of physical and logical access, requiring the adoption of new processes and technologies and forcing organizations to rethink their approach to managing access and authentication. It is critically important for industry and customers to work together to develop and implement standards-based solutions that address the new market realities and facilitate this transition.

About the White Paper

This white paper provides an overview of the impact of the Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, and related specifications on Federal physical access control systems (PACS) and describes how the PIV card should be used in PACS throughout the Federal Government. .

Topics covered in the white paper include:

• Key specifications that agencies need to consider in implementing FIPS 201-compliant physical access control systems
• Components and operation of a typical FIPS 201-compliant PACS
• Overview of key data stored on the PIV card: Cardholder Unique Identifier (CHUID) and biometric data
• Physical access rights and privileges in a FIPS 201-compliant PACS
• Correlation of FIPS 201 assurance levels with levels defined by the Office of Management and Budget (OMB) and by the Physical Access Interagency Interoperability Working Group (PAIIWG) of the Government Smart Card Interagency Advisory Board (IAB).
• Key PIV card life cycle considerations: identity proofing and registration; local PACS enrollment; revocation
• FIPS 201 product and service acquisition process
• Key open questions that affect the implementation of FIPS 201-compliant PACS

This white paper was developed by the Smart Card Alliance Physical Access Council, with individuals from 36 organizations involved in the development of the white paper. Participants included: ADT Federal Systems, AMAG Technology, Anteon, Booz Allen Hamilton, Competech Smart Card Solutions, Condortech Services, Inc., CoreStreet, Ltd., EDS, Fargo Electronics, GTSI Corp., HID Corporation, HIRSCH Electronics Corporation, IBM, Identity Alliance, LLC, Identification Technology Partners, Inc. (IDTP), Indala, InfoGard, Integrated Engineering, International Biometric Industry Association (IBIA), LEGIC Identsystems, Lenel, Lockheed Martin, MAXIMUS, MDI, NASA, Northrop Grumman Corporation, Oberthur Card Systems, Precise Biometrics, SAFLINK Corporation, SAIC, SCM Microsystems, Shane-Gelling Company, SPAWAR, Tyco Safety Products, U.S. Department of Homeland Security, XTec, Inc.

The Smart Card Alliance Physical Access Council has also created a resource on the Smart Card Alliance Web site that maintains up-to-date information about the status of FIPS 201 and provides information that is relevant to both government agencies and other enterprises implementing new PACS. The Physical Access Council recommends that organizations implementing new physical and logical access systems follow the industry activities closely and use this Alliance resource as they select new systems.

About the Physical Access Council

The Physical Access Council is focused on accelerating the widespread acceptance, usage, and application of smart card technology for physical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the physical access industry and that will address key issues that end user organizations have in deploying new physical access system technology. Physical Access Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.