Trust Me

Oct. 27, 2006 marks, to paraphrase Winston Churchill, “the end of the beginning.”

On that day, all federal agencies will have opened at least one facility where employees can go to get personal identification verification (PIV) cards fitted to strict federal information processing standard (FIPS) 201.

Four years in the making, the drive to implement Homeland Security Presidential Directive (HSPD) 12 will at long last begin issuing smart identification cards.

Next year, in 2007, once again on Oct. 27 (or before), federal agencies will begin to activate a massive interoperable system of card readers, in which any agency’s readers will be able to read and process cards presented by any and all federal employees — no matter what agency they work for.

In short, over the next year, the HSPD-12 implementation will revolutionize government security by beginning to install an interoperable access control system that officials from any government agency can trust.

“HSPD-12 is all about common trust and common interoperability,” says David Temoshok, director for identity policy and management with the General Services Administration (GSA) Office of Government-Wide Policy. “The idea is that a PIV card issued by agency X will be read in access control devices, both physical and logical, in agencies Y and Z. When the system behind the card readers validates the card, officials will know that they can trust the cardholder.”

Trust, but verify

What does it mean to “trust” an identification card? “There has been a huge paradigm shift in how identification cards are treated by government,” says Gordon Hannah, managing director of McLean, Va.-based BearingPoint Inc. “We’re moving away from trusting an ID card by its appearance and moving toward more sophisticated ways of verifying credentials.”

The new approach to verifying credentials begins by changing the way credentials are issued. New federal identification cards will be more difficult to obtain. Employees will have to apply for them and undergo background checks and criminal records checks. Employees that pass these tests are then enrolled into a government-wide database and are issued a cardholder unique identification (CHUID) number. Along with their name and other personal information, employees must also provide two biometric identifiers — a photograph and fingerprints.

The ID card system operator then programs some of this information, the CHUID and the biometric identifiers, onto the microprocessor-chip on the smart cards issued to employees.

Before receiving the card, the employee must show identification and have his or her photograph and fingerprints verified — all to prove that the person picking up the card is the person who applied for it.

When the employee presents this card to the interoperable readers that will begin to appear at federal doorways on or before Oct. 27, 2007, a technological verification system will answer up to three questions. The number of questions depends upon the security required at the door being accessed. The three questions are:

• Is the card authentic? (Did approved authorities issue the card? Has any of the information on the card been tampered with?) Readers will connect to systems capable of carrying out public key infrastructure (PKI) tests to authenticate the card.

• Does the card being presented really belong to the person presenting it? This test will compare the fingerprints and photograph recorded on the card with the person presenting the card.

• Does the card remain in good standing in the database? (Does the owner of the card still work for the federal government or has he or she quit or been fired?)

“Because we have established standards for how employees across the federal government have been enrolled, officials at every agency can trust that someone carrying a card that passes these three tests is a federal employee,” Temoshok says.

Establishing and starting up a card-issuing system that can be trusted across the entire federal government has been the goal of this year’s Oct. 27 deadline for PIV cards. During the next 12 months, the goal will be interoperability — upgrading or replacing access control readers, intelligent boards and servers so that the federal government’s physical access control system will be able to read, evaluate, respond to — and trust — the new cards.

Readers that trust federal PIV cards

GSA is already testing and accrediting readers, ensuring that they can read the data on the cards. Approved readers appear on the GSA’s Information Technology Schedule 70 under special item number 132-62.

According to vendors, making readers that can read the new cards presents several tricky technical problems. “The reader must read the cards and then output a certain package of information before it can be accredited,” explains Lars Suneborn, director of government programs with Hirsch Electronics in Santa Ana, Calif., an access control system manufacturer. “The package includes an agency code, system code, credential number, and expiration date.”

While that may not seem like a big deal, it is. Existing readers have almost universally been designed to read a short 26-bit stream of data. The output produced by a GSA-approved reader contains 75 bits, roughly three times as much information as existing readers. An approved reader must deliver the 75 bits to an access control system that can read all of the data and then make decisions about the cardholders presenting the cards.

Given the amount of data that must be read and the FIPS 201 requirement that cards have contactless and contact reading capabilities, most existing readers will have to be replaced.

GSA has not written standards for the access control systems. Instead, the agency has decided to leave the details up to the access control vendors. “It is up to the manufacturers to compete and to do as much as possible with that data,” Suneborn says. “Our challenge is to make sure that all the systems that government agencies have bought from us over the past 20 years or so won’t have to be replaced — that they can be upgraded to read the 75-bit data stream.”

Suneborn adds that Hirsch has developed an upgrade plan for its systems. “We’ve worked out a way to upgrade these systems with new firmware and software,” he says. “The goal is to preserve as much of the installed base of hardware as possible, including the readers, the intelligent controllers, and the cabling.”

In practice, Hirsch’s plan is to prepare upgrade regimens for its various systems and to wait for the telephone to ring. “Shortly after the new cards begin showing up in facilities where our access control systems are installed. We will start hearing from agencies, “ Suneborn says. “We might get a call from an agency’s office located anywhere in the country. The security director there will want to make sure that people will be able to use their new cards to get into the building We’ll need to make sure that the agency’s readers have come from the approved GSA list and that our system can receive data from that reader.”

Hirsch has already begun to train and certify local integrators across the country to inspect this equipment, to recommend new equipment when necessary, and to install firmware and software upgrades. Hirsch-certified integrators would also be able to install any special reader interfaces that may be required.

Building the system of trust

Some departments of the federal government have developed access control systems that will meet the requirements of HSPD-12 without too much trouble. The Department of Defense (DoD), for example, developed and implemented its own smart card system several years ago. In fact, the DoD system reportedly served, to some extent, as a model for the government-wide access control system being assembled now.

At the other extreme, some agencies have never done much more than have a security guard look people over as they walk through the doors. These agencies are starting from scratch.

How will these agencies install enrollment stations and card issuing stations by then? GSA recently named BearingPoint a “qualified HSPD-12 System Integration Service Provider” that will design and implement systems for individual agencies or shared systems serving a number of agencies.

“Our role is to help agencies be successful with HSPD-12,” says BearingPoint’s Hannah. “For smaller agencies with only a few employees, shared service is a very good option.”

Temoshok agrees. “It doesn’t make sense for small agencies to install the infrastructure,” he says. “They don’t have the technical capability, let alone the time.”

GSA also plans to lease space to house card offices with enrollment stations in hundreds of locations across the country. The first four locations were scheduled to open in Atlanta, New York, Seattle, and Washington, D.C., before Oct. 27. “Virtually all of the 150 federal agencies are within a seven-block radius of one of those locations,” Temoshok says.

Agencies can sign up to use this large shared services operation. Some of the departments — Interior, for example — will also begin offering shared service systems to smaller agencies.

As these systems come on line with readers and access control devices upgraded to communicate with the new cards, four million or so federal employees and members of the armed services will begin to discover that their credentials are trusted by readers, access control systems, and people across the entire federal government.

SideNote

A System That State And Local Governments Can Trust

Does the federal ID card system offer a more secure access control system to state and local governments as well? “Yes,” says David Temoshok, director for identity policy and management with the General Services Administration (GSA) Office of Government-Wide Policy. “I am getting calls from state and local officials asking this question all the time.

“My answer is that anyone can use the system. Read the standards published by NIST (National Institute of Standards and Technology). Read the policies issued by OMB (Office of Management and Budget) and GSA. You can adopt those standards and policies for your own use.”

GSA has published its list of approved interoperable products that meet the standards set for the federal system on Information Technology Schedule 70, a GSA Multiple Award Schedule under special item number 132-62.

According to Temoshok, a provision in the E-Government Act of 2002 allows state and local governments to buy directly off of that schedule.

Biometrics and FIPS 201 Standards

The Alphabet Soup

HSPD-12

Homeland Security Presidential Directive requires a uniform way to authenticate government employees

PIV

Personal Identity Verification Standard defines how to do HSPD-12. Version 1 deals with contact smart cards. Version 2 deals with contactless smart cards.

FIPS 201

Federal Information Process Standard defines the information on the PIV card.

SP 800-76

Provides guidance on biometrics for PIV usage.

TSA’s Biometric Guidance for Airport Access Control

Details biometric usage in airport environments — M1 and ISO doing similar profiles.

SOURCE: IR Security Technologies