OPINION / Security convergence: federal government is leading the way with PIV credentials

Chris Broderick

By Chris Broderick
 
Homeland Security Presidential Directive 12 (HSPD-12), is a “policy for a common identification standard for federal employees and contractors,” and was issued on August 24, 2004.  Under the HSPD-12 mandate, all federal employees and contractors must be issued a Personal Identity Verification (PIV) card, a smart card with contact and contactless interfaces to be used as their identity credential.
 
Today more than 3.5 million cards, or over 60 percent of the required total, have been issued.  Notwithstanding some initial delays due to the need to define and set-up processes, such as the ones for vetting card recipients and for card issuance, critical mass has now definitely been reached.
 
Furthermore, earlier this year, the Federal CIO Council released a document on “Personal Identity Verification Interoperability for Non-Federal Issuers.” The document details how non-federal organizations can issue identity cards which are not only technically interoperable with the federal government PIV system, but which can also be issued in a manner that provides federal government relying parties the option to trust the cards.
 
As FIPS 201, the PIV card standard, is limited in scope to the federal government, the guidelines in the above mentioned document are welcome to ensure credentials such as the First Responder Authentication Credential (FRAC), the Transportation Worker Identification Credential (TWIC), or the ones issued by government contractors to achieve interoperability.
 
Although common access card usage used to be considered for logical access to information systems, it is important to note that the HSPD-12 directive also mandates their use for physical access to federal government facilities.
 
However, using the new PIV smart cards with many of the older, installed Physical Access Control Systems (PACS) is not an easy task. Indeed, most of the installed PACS systems are not equipped to function with the certificate infrastructure underlying the PIV system.
 
During 2009, CoreStreet experienced a substantial spike in interest for our FIPS-201 enabling technology, with many PACS manufacturers taking the steps required to make their systems compatible with the new federal access requirements in the long term.  In the meantime, agencies are taking steps to implement solutions to PIV-enable their existing PACS systems with technology which requires some minor changes, but without the need for wholesale rip and replace of the installed base.
 
In fact, in parallel with the Smart Cards in Government conference, the Interagency Advisory Board (IAB) organized a visit to the offices of CertiPath to demonstrate the viability and effectiveness of a single-credential system that can provide secure access for both physical and logical assets, and provide interoperability for employees, customers and partners.  The demo’d federated PACS system, funded in part by the General Services Administration (GSA), which operates the U.S. Federal Bridge, showcased an architecture conforming to the principles of NIST SP 800-116.
 
In summary, 2010 promises to be the year when an initial set of federal employees will enjoy the benefits of security convergence, both at a lower cost and with better overall security, and be able to use a single strong credential (their PIV smart card) not only for logical access to their information systems, but also for practical day-to-day physical access to their facilities.
 
 
Chris Broderick is the CEO of CoreStreet, an ActivIdentity company. He can be reached at: cbroderick@corestreet.com.