Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility

Publication Date: September 2006

• Click here to download the white paper.
• Click here for additional resources compiled by the Smart Card Alliance Physical Access Council to assist organizations in their implementation of FIPS 201.

Homeland Security Presidential Directive 12 (HSPD-12), issued by President George W. Bush on August 27, 2004, mandated the establishment of a standard for identification of Federal government employees and contractors. HSPD-12 requires the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems.

The Department of Commerce and National Institute of Standards and Technology (NIST) were tasked with producing a standard for secure and reliable forms of identification. In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, issued on February 25, 2005, and a number of special publications that provide more detail on the implementation of the standard. This standard has far-reaching effects on Federal agencies in providing specifications that govern the entire chain of trust of the identity system and in specifying a single smart card–the PIV card–to be used for both physical and logical access, as well as other applications as determined by the individual agencies.

Both Federal agencies and enterprises are now implementing FIPS 201-compliant identity (ID) programs.

Purpose of this White Paper

There are many considerations for physical access control systems (PACS) under HSPD-12 and FIPS 201. One important consideration affecting organizations is the migration from existing PACS to new FIPS 201-compatible systems. What happens when some employees have PIV cards and some do not? How can the existing PACS accommodate the migration to FIPS 201 compatibility? Can systems be upgraded or must new systems be acquired? What security considerations are there?

The focus of this document is to consider the current security environment for physical access and, through a series of questions, make recommendations for how agencies can migrate and upgrade their current PACS to align them with the requirements of HSPD-12 and FIPS 201 end state compatibility. This document is informative and provides guidance for implementing a FIPS 201-compatible PACS. It is designed as a simple initial tool to assist agencies in planning for the initial deployment of FIPS 201-compatible PIV systems and issuance of PIV cards.

White Paper Tools

By assessing current system capabilities and understanding the changes needed to support FIPS 201, agencies can develop a plan for migration–including what components can be upgraded and what components need to be replaced. Organizations implementing FIPS 201-compatible PACS can use the tools in this white paper to develop the plan and approach to upgrading or replacing existing PACS equipment.

Tools include:

• A worksheet to assist with documenting the current PACS configuration.
• A detailed flow chart with assessment questions. Agencies should use this flow chart to walk through key PACS migration considerations and determine what hardware and software can be upgraded and what will need to be replaced.
• Guidance on alternative processes that can be used for registering a PIV card into a PACS.

Appendices include additional information on scenarios for using biometrics during PIV card registration and PACS use and external IT infrastructure subsystems that support FIPS 201. Also included are a FIPS 201 PACS site survey worksheet and glossary of terms.

This white paper was developed by the Smart Card Alliance Physical Access Council. Participants from 18 organizations were involved in the development of this report including: Actcom Security Solutions, a Diebold Company; BearingPoint; Booz Allen Hamilton; CoreStreet; Fargo Electronics; HID Corporation; Hirsch Electronics; Honeywell; Identification Technology Partners; Integrated Engineering; LEGIC Identsystems; LENEL, a UTC Fire & Security Company; Northrop Grumman; Saflink; SCM Microsystems; U.S. Department of Defense/Defense Manpower Data Center; U.S. Department of State.

About the Smart Card Alliance Physical Access Council

The Physical Access Council is one of several Smart Card Alliance Technology and Industry Councils, focused groups within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a specified industry or market segment and produce tangible results, speeding smart card adoption and industry growth.

The Physical Access Council is focused on accelerating the widespread acceptance, usage, and application of smart card technology for physical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the physical access industry and that will address key issues that end user organizations have in deploying new physical access system technology.

The Physical Access Council is managed by a combined government/industry steering committee. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software and reader vendors; physical access control systems vendors; and integration service providers. Physical Access Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.