Puts PIV to use with an eye toward standard's revisions
The mandate to achieve FIPS 201 compliance means that many government departments and agencies must upgrade their access control systems. In 2012, the U.S. Army Reserve Control (USARC) achieved their upgrade with the help of Monitor Dynamics’ FICAM Platform.
Before the upgrade, the Army Reserve relied on proximity and magnetic stripe technologies. This is what most Department of Defense and civilian U.S. federal government agencies still use, says Mike Garcia, vice president of marketing and business development at Monitor Dynamics.
“HSPD-12 and FIPS 201 have been around for seven and five years respectively, and while we have a great number of the high assurance ‘keys’ deployed, we have not seen the same uptick in physical access systems or ‘locks.’ The Defense Department with its physical access control requirements and now the entire federal government with OMB M-11-11 has created a compliance mandate for high-assurance locks–or physical access control systems–and we are beginning to see a huge increase in demand for compliant locks,” says Garcia.
Finding FIPS 201 compliant systems is actually one of the challenges in complying with the mandate. The standard defines the credential and various component parts but it does not define the overall physical access control system.
To answer that question, the Army Reserve started with future proofing in mind, Garcia says. They sought FIPS 201-2 compliance considering potential modifications to the existing standard in their choice of access control systems. The Army Reserve opted for a system that could comply with government mandates requiring electronic validation of PIV credentials and also could meet future standards.
To that end, the Army Reserve chose Monitor Dynamics’ Trusted FICAM Platform.
“The command and control center software manages everything in the field globally,” says Garcia. “From the head-end of the physical access control system, which is usually located at the headquarters on the main server, you have administrator privileges and rights to control the rest of the field hardware, computers and other devices.”
The system enables the Army Reserve to use Defense Department-issued Common Access Cards for logical and physical access control in a unified system delivering PKI at the reader, says Garcia. The multi-factor authentication requirements of the system make it impossible for anyone other than the cardholder to gain access. This prevents security breaches due to lost, stolen, manipulated, invalid, copied and revoked cards or cards that have no trusted path, says Garcia.
The Army Reserve can provision PIV and PIV-I cards from other issuers into their physical access control system, says Garcia. “One of the biggest problems in physical access control system is visitor management. The ability to understand that an individual is who they claim to be and they are still employed is a quantum leap in security over current conditions,” says Garcia. “The access privileges to the building are still granted and managed locally, but it is with a higher assurance.”
The Army Reserve granted contracts on a facility-by-facility basis. During the past two years, Monitor Dynamics has been installing systems in locations across the nation. To date, the Trusted FICAM Platform has been implemented in more than 40 locations.
Upon implementation, the Army Reserve then works with CertiPath to perform a site certification based on CertiPath’s checklist and testing methodology. CertiPath conducts the system level testing on the Trusted FICAM Platform by taking the PIV/PIV-I capable components and testing them as a complete system against FICAM controls encompassing both security and usability. CertiPath tests the head end server, validation client, secure controller, physical access control panels and card readers at the door using both external cards and CertiPath’s proprietary threat-specific cards.
To use the system, a person presents a Common Access Card, PIV or PIV-I- smart card to a two-factor or three-factor FIPS 201 approved reader at the door. The user then inputs a PIN and/or scans an index finger.
The system checks the various factors against the credential and the information on the card’s chip. If one factor doesn’t match, the person is denied entry at the door. If the factors do match, the system verifies the person against the revocation list.
If the Certificate Authority deems the digital certification the card to be invalid, be it expired, lost, stolen or fake, it’s denied. If it’s a valid match, the Certificate Authority sends it on to the physical access control systems head-end to make the entry and exit decision at the door.
The entire authentication and validation process takes 2.5 to 3 seconds on the FICAM system, including the time needed to enter a PIN, says Garcia.
Getting users used to the new system was a bit of a challenge for some. Army Reserve personnel also had to get used to employing two and three factors for authentication. Having to learn this new process and remember a PIN proved to be a complicated adjustment for some who had been using the prior system for many years, says Garcia.
System administrators also had to get used to a new enrollment system with FICAM. The learning curve can cause a bottleneck in the short term but becomes easier over time, says Garcia. Likewise, a more complicated badge means a more involved badging system. In the old system, administrators could take a picture, issue a badge and hand it to the person.
FIPS 201 has more security requirements that administrators must abide by when issuing badges, says Garcia. “These challenges can all be addressed with training and repetition,” says Garcia. “And when compared to prior systems that run two wires to a reader and enroll a proximity card, the benefits and security are much greater.”