Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS


Introduction

The expectations and requirements on government contracts for safety and security projects are both specific and complex. The cumbersome nature of government processes means that many potential bidders avoid these projects, and that those who do bid often misinterpret the scope or cannot meet the requirements in the proposal.

But for the well-informed and educated integrator who understands these requirements and has the support of a committed manufacturer, government facilities offer an opportunity to expand into a new market space.

The first steps to understanding the complexity of this market segment begin with examining the current landscape of government-specific security regulations. For Physical Access Control Systems (PACS), that means understanding the requirements for the federal government’s Personal Identity Verification (PIV) standards.


The Birth of Personal Identity Verification Systems

The groundwork for a common identification standard for federal government employees and contractors was established on August 27, 2004 with the issuance of Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 was put in place to strengthen both physical and information security by adopting a common interoperable identification standard.

This common standard was defined by the National Institute of Standards and Technology (NIST) in “Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors”. It defines the identity credential and the data contained on it, the infrastructure of the PIV system, and the requirements for different security levels at a federal facility or information resource.

The current version, FIPS 201-2, was released in 2013. It mandated the inclusion of most of the optional features listed in FIPS 201-1 and directed implementation no later than 12 months from the effective date of the standard.

Since all federal agencies are required to conform, this gives system integrators an opportunity to provide the technology and know-how needed to increase the security of these facilities.

Systems integrators have a unique opportunity to provide the technology and know-how to increase the security of government facilities.

Homeland Security Presidential Directive 12 was put in place to strengthen both physical and information security.


[Figure: NIST FIPS PUB 201-2 PIV System Notional Model. The diagram shows the PIV Cardholder interacting with three subsystems: the PIV Front-End Subsystem (PIV Card, Card Reader/Writer, PIN Input Device, Biometric Reader); the PIV Card Issuance and Management Subsystem (Identity Proofing & Registration, Card Issuance & Maintenance, Key Management, PKI Directory & Certificate Status Responder); and the PIV Relying Subsystem (I&A, Authorization, Authorization Data, Logical Access Control, Physical Access Control, Physical Resource, Logical Resource). Legend: I&A = Identification & Authentication; arrows give the direction of information flow; shapes distinguish processes from components and shading distinguishes the subsystems.]

Understanding PIV Systems

With the implementation of FIPS 201, every federal employee and contractor is issued a PIV ID following a thorough background check. That credential then permits physical and logical access to federally controlled buildings and information systems. FIPS 201 also ensures interoperability across departments and agencies, and across installations.

Because of the complexity and enormity of these tasks, PIV systems, as outlined in FIPS 201-2, are divided into the following three major subsystems:

• The PIV Front-End Subsystem is where the card holder physically interacts with the system to gain access to a federal resource (physical or logical). This includes the PIV card, credential and biometric readers, and a PIN input device.

• The PIV Card Issuance and Management Subsystem provides a means to collect, store and maintain all information about the applicant’s identity and then issue a PIV credential for use by the cardholder.

• The PIV Relying Subsystem makes the logical decision to allow access to federal resources when the PIV credential is presented to a card reader, biometric reader or PIN input.


NIST Special Publication 800-116

FIPS 201 redefines the requirements for building access in a fundamental way: instead of each facility issuing an access card solely for that facility’s defined PACS architecture, a facility relies on the PIV card that was issued by the same, or a different, agency certified by the federal government. The facility still has control over the user’s access privileges, but the technology has been standardized to optimize inter-agency interoperability.

Get the Details

The secure credential is the heart of the PIV system. Employees and contractors use the PIV credential for authentication to resources including physical access to buildings and information systems.

Card readers are located at access points to secure facilities where a cardholder may wish to gain access. The reader communicates with the PIV credential to retrieve the appropriate information, located in the card’s memory, to relay it to the access control systems for granting or denying access. If higher security is required, additional authentication factors such as PIN codes and biometric readers may also be employed.

The physical format of the card must follow guidelines set out by the FIPS 201-2 standard. This ensures consistency across entities and aids in visual inspection of the credential for authenticity. The PIV Card Issuance and Management Subsystem collects, stores, and maintains all information and documentation that is required for verifying and assuring the applicant’s identity.

The PIV relying subsystem includes components—such as card readers, locks and related access control devices—responsible for determining a particular PIV cardholder’s access to a “physical” or “logical” resource. “Physical” resources are secured facilities (e.g., building, room, parking garage); “logical” resources include computers or network systems. The authorization data stored on the card defines the privileges possessed by the employee or vendor who is requesting access.

In the case of door openings, the Physical Access Control System (PACS) grants or denies access to a particular resource. However, PACS in federal facilities had several challenges before FIPS 201 was implemented across facilities. These challenges included:

» Many PACS were facility-centric and card access to one facility did not translate to card access at another

» Some systems could not process government credential numbers based on length

» Lower security credentials like mag stripe and prox are easily copied

» Revocation of a credential in one facility did not migrate to other sites

The secure credential is the heart of the system.
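The credential-number-length problem in the list above comes from the size of the identifier a PIV card carries. The following is an added example, not code from the white paper or from ASSA ABLOY: it encodes and decodes the 200-bit Federal Agency Smart Credential Number (FASC-N) found in the card’s CHUID, checking per-character parity, the sentinels and the trailing LRC. The field widths and 5-bit character coding follow the public FASC-N layout; the even column-parity convention used for the LRC, the `pacs_identifier` helper (the 14-digit value a PACS is assumed to store) and all sample field values are this example’s own assumptions and constructed data.

```python
"""
Added example, not part of the white paper: encode and decode the 200-bit
FASC-N carried in a PIV card's CHUID, to show why a PACS designed around short
legacy card numbers cannot hold a federal credential identifier.
"""

# Each FASC-N character is 5 bits: 4 data bits (least significant first) plus an
# odd-parity bit, the same scheme used on a magstripe track.
_DIGITS = {
    "0": "00001", "1": "10000", "2": "01000", "3": "11001", "4": "00100",
    "5": "10101", "6": "01101", "7": "11100", "8": "00010", "9": "10011",
}
_DIGIT_OF = {bits: d for d, bits in _DIGITS.items()}
SS, FS, ES = "11010", "10110", "11111"  # start sentinel, field separator, end sentinel

# (field name, width in digits, a field separator follows) in transmission order.
FIELDS = [
    ("agency_code", 4, True),
    ("system_code", 4, True),
    ("credential_number", 6, True),
    ("credential_series", 1, True),
    ("individual_credential_issue", 1, True),
    ("person_identifier", 10, False),
    ("organizational_category", 1, False),
    ("organizational_identifier", 4, False),
    ("person_association_category", 1, False),
]

# Constructed sample values; they identify no real agency, system or person.
SAMPLE_FASCN = {
    "agency_code": "1234", "system_code": "0001", "credential_number": "123456",
    "credential_series": "0", "individual_credential_issue": "1",
    "person_identifier": "1234567890", "organizational_category": "1",
    "organizational_identifier": "0032", "person_association_category": "1",
}


def _odd_parity_bit(data4: str) -> str:
    return "0" if data4.count("1") % 2 else "1"


def _column_parity(chars) -> str:
    """Even parity of each of the 4 data-bit columns over the given characters
    (the LRC body; assumed convention, see lead-in)."""
    return "".join(str(sum(int(c[i]) for c in chars) % 2) for i in range(4))


def encode_fascn(fields: dict) -> str:
    """Return the 200-bit FASC-N as a string of '0'/'1' characters."""
    chars = [SS]
    for name, width, fs_after in FIELDS:
        value = str(fields[name])
        if len(value) != width or not value.isdigit():
            raise ValueError(f"{name} must be exactly {width} decimal digits")
        chars.extend(_DIGITS[d] for d in value)
        if fs_after:
            chars.append(FS)
    chars.append(ES)
    lrc = _column_parity(chars)
    chars.append(lrc + _odd_parity_bit(lrc))
    bits = "".join(chars)
    if len(bits) != 200:
        raise AssertionError("FASC-N layout error")
    return bits


def decode_fascn(bits: str) -> dict:
    """Validate parity, sentinels and LRC, then split the FASC-N into its fields.
    Any inconsistency raises ValueError so a reader fails closed on damaged data."""
    if len(bits) != 200 or set(bits) - {"0", "1"}:
        raise ValueError("a FASC-N is exactly 200 bits")
    chars = [bits[i:i + 5] for i in range(0, 200, 5)]
    for idx, c in enumerate(chars):
        if c.count("1") % 2 == 0:
            raise ValueError(f"parity error in character {idx}")
    if chars[0] != SS or chars[-2] != ES:
        raise ValueError("start or end sentinel missing")
    if chars[-1][:4] != _column_parity(chars[:-1]):
        raise ValueError("LRC mismatch")
    out, pos = {}, 1
    for name, width, fs_after in FIELDS:
        digits = ""
        for _ in range(width):
            if chars[pos] not in _DIGIT_OF:
                raise ValueError(f"non-digit character inside {name}")
            digits += _DIGIT_OF[chars[pos]]
            pos += 1
        out[name] = digits
        if fs_after:
            if chars[pos] != FS:
                raise ValueError(f"field separator expected after {name}")
            pos += 1
    return out


def pacs_identifier(fields: dict) -> str:
    """Agency Code + System Code + Credential Number: the 14-digit value this
    example assumes a PACS stores to identify the card."""
    return fields["agency_code"] + fields["system_code"] + fields["credential_number"]


if __name__ == "__main__":
    bits = encode_fascn(SAMPLE_FASCN)
    ident = pacs_identifier(decode_fascn(bits))
    print(f"FASC-N is {len(bits)} bits; identifier {ident} alone needs "
          f"{int(ident).bit_length()} bits, more than a 26-bit legacy card field")
```

Running the script shows that even the 14-digit identifier needs more bits than the card-number field of many legacy readers provides, which is the mismatch the list above describes; the decoder rejects any bit flip, missing sentinel or LRC error rather than passing a partial number to the access decision.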

To help agencies understand and implement the use of PIV cards with PACS, the National Institute of Standards and Technology’s Special Publication 800-116 provides specific technical guidance and recommendations. It describes a strategy for agencies to PIV-enable their PACS, migrating to government-wide interoperability, and assists with managing physical access to facilities and assets.

SP 800-116 assigns risk levels to different areas of a facility: Unrestricted, Controlled, Limited and Exclusion. Utilizing specific authentication(s) for each level provides a framework for security. These authentication types include:

• Visual (VIS)

• Cardholder Unique Identifier (CHUID)

• Card Authentication Key (CAK)

• PIV Authentication Key (PKI)

• Biometric (BIO)

• Biometric attended (BIO-A)

A factor number can be assigned depending on how many authentication types are used to gain access at an opening. For instance, BIO-A is considered a two-factor authentication as it verifies identity based on a biometric fingerprint read as well as a visual inspection of the card by a guard.

As the door openings lead to higher security areas, the authentication factor rises.

But what if the facility would like to extend the PACS to secure interior door openings using a single credential even if they do not require the higher security required at other openings?

[Figure: Government Facility with Multiple Access Levels. The floor plan shows a Front Door, a Side Door, an Office and a Conference Room placed across the ’Uncontrolled’, ’Controlled’, ’Limited’ and ’Exclusion’ areas.]

Abbreviations: BIO: Biometric; CAK: Card Authentication Key; CHUID: Cardholder Unique Identifier; FASC-N: Federal Agency Smart Credential Number; PIN: Personal Identification Number; PIV: Personal Identity Verification (PIV) Authentication Key; VIS: Visual

For each assurance level, specific authentication modes are needed, each requiring one or more physical access control components:

AUTHENTICATION MODES         AUTHENTICATION FACTORS   SP 800-116 SECURITY AREA
Legacy and FASC-N readers    None                     Uncontrolled
CHUID + VIS                  1                        Controlled
CAK                          1                        Controlled
PIV + PIN                    2                        Limited
PIV + PIN + BIO              3                        Exclusion
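The mapping of authentication modes to factor counts and SP 800-116 security areas is the kind of rule a PACS configuration should be checked against. The following is an added example, not code from the white paper or from ASSA ABLOY: it reduces the mechanisms configured at a door to a factor count by the kind of factor each proves (card, PIN, biometric; a grouping chosen for this example), derives the most sensitive area that mode may protect, audits a facility layout for doors that fall short, and makes the access decision fail closed when a reader completes fewer factors than the area requires. The factor counts reproduce the table above, including BIO-A as two factors; the `Door` type, the door names and the sample layout are constructed.

```python
"""
Added example, not part of the white paper: a policy checker for the
SP 800-116 mode / factor / area mapping shown on this page.
"""
from dataclasses import dataclass

AREAS = ["Uncontrolled", "Controlled", "Limited", "Exclusion"]
MIN_FACTORS = {"Uncontrolled": 0, "Controlled": 1, "Limited": 2, "Exclusion": 3}

# Mechanisms named on this page, grouped by the kind of factor each proves
# (grouping chosen for this example): something you HAVE (the card, whether
# inspected visually or authenticated electronically), something you KNOW
# (the PIN that unlocks the PIV Authentication Key), something you ARE.
FACTOR_KIND = {
    "VIS": "have", "CHUID": "have", "CAK": "have", "PKI": "have",
    "PIN": "know",
    "BIO": "are",
}


def count_factors(mechanisms) -> int:
    """Number of distinct factor kinds proven by a set of mechanisms.
    An empty set models a legacy / FASC-N-only reader (no authentication)."""
    mechs = set(mechanisms)
    unknown = mechs - FACTOR_KIND.keys()
    if unknown:
        raise ValueError(f"unknown mechanism(s): {sorted(unknown)}")
    # The PIN is verified by the card itself, so it only adds assurance when the
    # card is cryptographically authenticated (PKI); a PIN typed at a CHUID-only
    # reader proves nothing to the PACS.
    if "PIN" in mechs and "PKI" not in mechs:
        mechs.discard("PIN")
    return len({FACTOR_KIND[m] for m in mechs})


def highest_area(mechanisms) -> str:
    """Most sensitive SP 800-116 area this authentication mode may protect."""
    n = count_factors(mechanisms)
    return max((a for a in AREAS if MIN_FACTORS[a] <= n), key=AREAS.index)


@dataclass(frozen=True)
class Door:
    name: str
    into_area: str        # SP 800-116 area the door leads into
    mechanisms: tuple     # mechanisms the reader/lock is configured to perform


# Constructed layout loosely following the figure above; one door is deliberately
# under-configured so the audit has something to report.
SAMPLE_DOORS = [
    Door("Front Door", "Controlled", ("CHUID", "VIS")),
    Door("Side Door", "Controlled", ("CAK",)),
    Door("Office", "Controlled", ("CHUID",)),            # PIV-capable wireless lock
    Door("Conference Room", "Limited", ("PKI", "PIN")),
    Door("Records Room", "Limited", ("CAK",)),           # one factor short
    Door("Secure Lab", "Exclusion", ("PKI", "PIN", "BIO")),
]


def audit_doors(doors) -> list:
    """Return a finding per door whose configured mode is below its area minimum."""
    findings = []
    for d in doors:
        if d.into_area not in MIN_FACTORS:
            raise ValueError(f"{d.name}: unknown area {d.into_area!r}")
        have, need = count_factors(d.mechanisms), MIN_FACTORS[d.into_area]
        if have < need:
            findings.append(
                f"{d.name}: {have} factor(s) configured, {d.into_area} requires {need}")
    return findings


def access_decision(door: Door, performed) -> bool:
    """Grant only if the factors actually completed at the reader meet the area
    minimum. A reader that falls back to a weaker mode (e.g. CHUID read only,
    after a failed PKI challenge) must not open a Limited or Exclusion door."""
    return count_factors(performed) >= MIN_FACTORS[door.into_area]


if __name__ == "__main__":
    for line in audit_doors(SAMPLE_DOORS):
        print("FINDING:", line)
    print("Conference Room, CHUID only:", access_decision(SAMPLE_DOORS[3], ["CHUID"]))
```

The audit reports only the Records Room, and the access decision for the Conference Room denies a CHUID-only read because a Limited area requires two factors; the same check is what lets an interior wireless lock on a Controlled office accept a one-factor read of the same credential.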


Extending Access Control Using Wireless PIV-Enabled Locks

This often creates a challenge for government facilities in two ways:

• They have to budget and spend more for a hardwired PACS, regardless of whether it must meet FIPS 201-2 criteria or not

• They face massive infrastructure upgrade work if they wish to extend the credentialing standards to doorways other than the main entryways

This extensive gap in doorway security can now be filled more cost effectively thanks to a new breed of wireless locks that connect to building control systems via secure WiFi network infrastructure. These intelligent WiFi locks can read these enhanced identification credentials without having to meet the strong authentication protocols that FIPS 201-2 mandates at perimeter openings.

PIV-capable wireless locks are the ideal solution for interior spaces where government employees and contractors want to leverage their secure PIV credentials in the most cost-effective manner, having previously been authenticated at a perimeter entry point.

When used in conjunction with the FIPS 201-2 hardwired access control system architectures that deliver strong authentication, PIV-capable WiFi-based wireless locks enable a federal facility to implement facility-wide, one-card PACS without adding expensive infrastructure and without compromising on necessary security requirements.

Where utilizing the existing WiFi architecture for this PIV-enabled application may raise owner concerns, there are Power-over-Ethernet options available in the marketplace as well.

The Opportunity in Securing Federal Facilities

There are approximately 6 million PIV credentials in use at federal facilities today, and each one is an opportunity for integrators and service providers who understand the needs of the sector. Every PIV credential can be used not only for access to building entries, but also for interior openings, file storage, server racks and more, giving the credential much greater utility.

Capitalizing on this space requires developing partnerships with committed manufacturers who both provide the appropriate products and understand the nuances of the solution. That applies not just at the federal level, but also to state and municipal governments, which have similarly complex requirements.

ASSA ABLOY Door Security Solutions
110 Sargent Drive, New Haven, CT 06511
1.800.DSS.EZ4U (377.3948)
www.assaabloydss.com

Copyright © 2018 ASSA ABLOY Sales and Marketing Group Inc.; all rights reserved. Reproduction in whole or in part without the express written permission of ASSA ABLOY Sales and Marketing Group Inc. is prohibited. Effective 2/2018

2500-3886

To learn more about the types of PACS systems available to meet the needs of government facilities, contact a government solutions expert at ASSA ABLOY.

Resources

National Institute of Standards and Technology, Federal Information Processing Standards Publication 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf

National Institute of Standards and Technology, Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November 2008. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-116.pdf