One Card Fits All
Industry and government address challenges in creating a universal access credential.
The U.S. government has determined the standards for a single identification verification card to replace the multitude of badges government workers must use today to gain access to facilities. A single credential is not a new idea. BearingPoint Incorporated is currently in the third phase of a project to create the Transportation Worker Identification Card for the Transportation Security Administration (TSA).
Homeland Security Presidential Directive 12 (HSPD-12), issued in August 2004, instigated the effort to standardize both physical and logical access control in federal agencies. The directive called for a common identification standard to be created for federal employees and contractors who work in government facilities on a regular basis. Although the ancillary goal is to improve security, the primary objective is to create a single credential that authenticates a person’s identity and is interoperable throughout government facilities yet protects the cardholder’s privacy.
Four federal agencies are responsible for implementing the directive: the U.S. Department of Commerce, the Office of Management and Budget, the General Services Administration and the Office of Personnel Management. Work on creating a standard for what information should be included on the card began immediately after the directive was published. The National Institute of Standards and Technology (NIST),
NIST first examined the available technologies and existing practices within agencies. According to Curt Barker, personal identity verification (PIV) program manager at NIST, his organization found that, for the most part, agencies required items such as a driver’s license, social security card or passport as proof of identity to obtain an access badge. But any of these could be obtained fraudulently, he points out.
As a result, in designing the standard for an affordable PIV card, NIST decided that a background check would be required. This process will involve applicants making certain assertions about their background that will then be checked. “That served a couple of purposes. It reduced the probability that you’d be issuing a credential to someone whose employer or last employer was a vacant lot, and it also creates a situation in which the person has to assert, under penalty of perjury, certain information about himself or herself as being correct,” Barker explains.
This requirement raised privacy concerns immediately; however, NIST discovered that a 1953 executive order requires a national agency check of all
“What we found at that point was that some agencies were actually conducting the check; others were not. The level of enforcement was pretty spotty. There were quite a number of waivers that had been granted. By putting the requirement into the standard under the Federal Information Security Management Act of 2002, it becomes binding on all agencies, and there are no waivers,” Barker says. “We can argue whether this is truly adequate or whether it’s overkill, but one advantage is that, from the standpoint of cross-accreditation across departmental lines, it’s common.”
In addition to the background check, FIPS 201 calls for individuals to present two identity source documents, one of which must be a federal or state government-issued picture identification card. The PIV card also must include an integrated circuit chip and a number of unique identifiers, including two fingerprints from the individual and a public key infrastructure, or PKI, certificate. In addition, it must contain a cardholder-unique identity string that includes an employee number, an employer code, the expiration date and a card-unique identification number. A cryptographic key will protect sensitive stored and communicated data.
The standard also features requirements to protect the cardholder’s privacy. Each employee will have to enter a personal identification number before any information other than the cardholder identity string can be pulled from the card.
At this point in the standard development process, NIST realized the level of complexity involved in developing a smart card or other token credential that could hold all the data and be implemented in the existing agency and vendor environment, Barker relates. Part of the problem was the HSPD-12 deadline, which called for implementation eight months after the standard was published in February 2005. Consequently, FIPS 201 was divided into two parts. Part one focused on vetting individuals and all the necessary activity up to and including the issuance approval of the credential. Agencies had to comply with these requirements by October 27, 2005. The White House then agreed that part two, which includes ensuring that the cards, readers and controllers at all agencies are interoperable, could be deferred. The deadline for phase two is October 27, 2006.
Barker notes the pros and cons of the quick turnaround time from standard development to implementation. “From the beginning, the people that were involved in actually putting the standard out knew that meeting the October 2005 deadline would be somewhere between difficult and impossible. At the beginning, we thought that the timelines were extraordinarily tight. As we went through the process and upon reflection, we realized that if they hadn’t established very, very tight timelines, we’d still be arguing about what to do. So by imposing the timelines as they did, it gave us the goad we needed to move forward quickly,” he states.
The wide variances in sophistication in existing systems also posed some challenges. For example, the security processes in some agencies were still conducted manually, so the security departments within the agencies may not have been notified about new employees until weeks after identification badges were issued. On the other hand, organizations such as the U.S. Defense Department had highly automated and efficient programs in place. The Common Access Card already has been issued to more than 3 million personnel.
In addition, another issue that still needed to be resolved involved the card readers. There were two options: contact and contactless interfaces. Contact readers are practical for logical access because users can slide their cards into a reader attached to their computers then wait to gain access to the network and approved applications. However, this method is impractical for physical access because the wait time would cause human traffic jams at facility doors every day. To address this problem, NIST designated that the cards must be readable by both.
Because the cards will feature cryptography, NIST also insists that they conform to FIPS 140-2, a standard that describes the requirements for information technology products used to access Sensitive But Unclassified information. This requisite poses another challenge because the cards must be tested to ensure compliance. NIST has established a cryptographic module validation program at 10 laboratories for conformance testing, but testing takes time, Barker admits.
Additional challenges arose. Although FIPS 201 was issued in February 2005, as of late last year, NIST was still waiting for a policy-level decision about the storage format of fingerprints. Two approaches can be used. The first is to capture a digital image of a fingerprint, which is extremely accurate but creates privacy and security concerns: If someone surreptitiously acquires the file, the fingerprint could be reconstructed.
The second method involves creating a minutia template of a fingerprint. Using this technique, a summary set of fingerprint data points adequate for identification is collected. The approach requires fewer memory resources on the card and allows the card to be read faster. If the information is stolen, the thief may be able to enter a facility; however, the fingerprint could not be replicated. Barker says NIST is ready to move forward quickly with either approach.
|BearingPoint’s card solution for the TSA can support more than 10 million employees and is closely aligned with Federal Information Processing Standard 201, which the National Institute of Standards and Technology developed in response to Homeland Security Presidential Directive 12.|
The current lack of standards raises a number of issues that must be resolved, he adds. On the technical side, many existing control systems can handle only access processing for the number of employees at a specific site. Whether 4,000, 10,000 or 100,000, it is a finite number, Zivney explains, so some agencies will have to replace their current systems to recognize all cards.
“Not all the manufacturers realize that standards are a plus. But until now, there haven’t been any standards for the government to procure against, and once the standards come out, the government must procure to industry standards. Things will change. Let’s say we didn’t have HSPD-12. The access control panels and readers standards alone would have a significant impact. But I’m glad they’re coming out at the same time because the manufacturers that are investing research and development dollars can put a development effort toward both,” Zivney offers.
Another technical issue is the amount of data today’s cards can hold. To expedite access to facilities, most of the cards feature a 26-bit Wiegand format, which has been the de facto standard for readers so cards could be recognized quickly. However, because of the limited amount of space for data, only about 65,000 unique cards can be issued, and since many agencies begin their number sequence the same way, the likelihood of duplication is high, Zivney explains.
To solve this problem, NIST revamped the system, and cards must include a globally unique identifier (GUID) number. The GUID is based on Internet protocol version 6, which allows for 128 bits of memory.
But moving to a card with more memory creates new problems: HSPD-12 did not include funding to replace many existing readers that will not recognize them. In addition, when new equipment is available, it must be tested before it is put into place, an enormous task that will take time and resources, Zivney notes.
Zivney points out that the economics issue is exacerbated by the technical differences between physical and logical access systems. Physical access panels are hardened devices that are not supported by the large servers, fans and hard drives of the logical access systems. They are designed specifically to read cards quickly. If the physical access readers are redesigned and a server goes down, personnel may not be able to enter or exit a building. This conundrum is another reason many readers may have to be replaced, again without funding allocated to do so. However, Zivney believes the two-phase implementation process is a very pragmatic approach to addressing the issue.
Despite all the challenges, Zivney and Barker agree that the cooperation and willingness to compromise among government and industry personnel have resulted in significant progress toward a single PIV card. Many of the technical issues are being addressed, and the policy, funding and testing concerns that are arising are being discussed. The question remains whether an interoperable credential and the system to support it can be in place by the 2006 deadline. Barker thinks that the progress made so far indicates that it is possible. Zivney, on the other hand, believes mid-2008 may be more realistic for PIV card use throughout the federal government, but he points out that technology and the practical methodology are moving the effort along quickly.
Personal Identity Verification: http://csrc.nist.gov/piv-program
Homeland Security Presidential Directive 12: www.whitehouse.gov/news/releases/2004/08/20040827-8.html
Security Industry Association: www.siaonline.org