HSPD-12 and FIPS-201 Compliance
In response to the September 11, 2001 attacks, President Bush issued Homeland Security
Presidential Directive-12 (HSPD-12) in August 2004.
HSPD-12, entitled “Policy for a Common Identification Standard for Federal Employees
and Contractors,” directed the promulgation of a Federal standard for secure and reliable
forms of identification for Federal employees and contractors.
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the
National Institute of Standards and Technology (NIST). NIST is the body responsible for
specifying the technology requirements to implement government policy. The FIPS-201
document entitled “Personal Identity Verification (PIV) of Federal Employees and
Contractors” captures the technical standards to implement HSPD-12. This document
covers all aspects of identity management from verifying a person is who they say they
are to card data types to card use. Figure 1 below is a diagram showing all the
components for FIPS-201.
Figure 1
At the heart of the diagram is the physical access control system (PACS) which controls
access to buildings. Although FIPS-201 affects many different systems to ensure the
security of critical infrastructure, this document will focus on PACS. To understand the
implications of FIPS-201 on a PACS, we must first describe how a typical PACS works.
The PACS is made of several components: a server, a controller, a reader, and a local
user console. Figure 2 below shows a diagram of a typical PACS.
________________________________________________________________
NovusEdge, Inc.
5918 West Courtyard Drive, Suite 110, Austin, TX 78730 / Phone: (512) 874-7500 / Fax: (512) 874-7505
Web: www.novusedge.com
Figure 2
The PACS Server is where the database of all credentials allowed in a building is stored.
The PACS Server gets its data from a valid identity management system (labeled in
Figure 1 as IDMS). The PACS Controller is where the database of credentials for a
specific door is stored. The PACS Server feeds the PACS Controller the appropriate
database for the door. The Reader will get data from the Card and feed it to the PACS
Controller. The PACS Controller will look up the card in its database and decide if the
user is granted access through the door. A typical PACS provider will manufacture the
controller and the software for the user console but will be capable of using many
different manufacturers’ servers and readers based on the needs of end users.
Agencies of the United States Federal Government are pervasive users of physical
access control systems (PACS). With a common credential mandated by HSPD-12
comes the opportunity to promote interoperability among PACS across federal agencies.
FIPS-201 determined that the procurement of PACS and components requires a
standardized approach to ensure that agencies deploy equipment that meets both their
specific needs and, at the same time, facilitates cross-agency interoperability. The
Physical Access Interagency Interoperability Working Group (PAIIWG) within the
Government Smart Card Interagency Advisory Board (GSC-IAB) is charged with
creating and documenting guidance for such an approach.
The PAIIWG guidance specifies that the FIPS-201 card shall have a standardized
token identification scheme called the Card Holder Unique Identifier (CHUID) which is to
be used as the individual identifier for all PACS. Physical Access Control card readers
must, at a minimum, extract unique token identifier information from the smart card.
Readers are required to perform validation checks on that information through
cryptographic verification and/or challenges with the card. The FIPS-201 compliant card
readers made by HID (iClass readers R10, R30, R40) meet this requirement.
The reader is required to read the Agency Code, System Code and Credential Number
from the FASC-N on the FIPS-201 card as the basis of the unique token identifier. The
System Code and Credential Number should be concatenated together forming a
combined 10 BCD digits (40 bits). The PAIIWG guidance states that PACS should not
rely solely on the 6 BCD digits Credential Number (26 bits).
Any PACS capable of reading at least 40-bit cards from a FIPS-201 compliant reader
(such as the HID R10) and using the entire 40 bits for granting access through a door is
compliant with the FIPS-201 standard. The Facility Explorer Asset Protection (FX-AP) is
such a PACS. A typical PACS uses 26 bits for granting access through a door. These
PACS are not FIPS-201 compliant even though they may be capable of reading a FIPS-201 card.
The FX-AP has been FIPS-201 capable since its inception; therefore anyone who
has deployed FX-AP with FIPS-201 compliant readers is FIPS-201 compliant.
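The difference between the 40-bit identifier and a credential-number-only lookup can be shown in a few lines. This is an added example, not code from NovusEdge, FX-AP or the PAIIWG guidance. It assumes the reader has already decoded the FASC-N fields to decimal digit strings and packs them at 4 bits per digit, as the "10 BCD digits (40 bits)" figure implies; the `Controller` class and the card values are hypothetical and constructed for illustration.

```python
SYSTEM_CODE_DIGITS = 4   # assumption: 10 combined digits minus the 6-digit Credential Number
CREDENTIAL_DIGITS = 6

def to_bcd(digits: str) -> int:
    """Pack decimal digits into BCD, 4 bits per digit, first digit most significant."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a decimal digit string: {digits!r}")
    value = 0
    for d in digits:
        value = (value << 4) | int(d)
    return value

def token_40bit(system_code: str, credential: str) -> int:
    """System Code + Credential Number -> 10 BCD digits (40 bits)."""
    if len(system_code) != SYSTEM_CODE_DIGITS or len(credential) != CREDENTIAL_DIGITS:
        raise ValueError("expected 4-digit System Code and 6-digit Credential Number")
    return to_bcd(system_code + credential)

class Controller:
    """Hypothetical door controller: a set of enrolled lookup keys."""
    def __init__(self, use_full_token: bool):
        self.use_full_token = use_full_token
        self.enrolled = set()

    def _key(self, system_code, credential):
        token = token_40bit(system_code, credential)  # validates both fields
        # Weak mode drops the System Code and keeps only the 6 Credential Number digits.
        return token if self.use_full_token else token & 0xFFFFFF

    def enroll(self, system_code, credential):
        self.enrolled.add(self._key(system_code, credential))

    def grants_access(self, system_code, credential):
        return self._key(system_code, credential) in self.enrolled

def compare_controllers():
    """Enroll one card, then present a card from another system with the same number."""
    enrolled_card = ("1234", "000042")   # constructed sample values
    foreign_card = ("5678", "000042")    # different System Code, same Credential Number
    results = {}
    for name, full in (("credential_only", False), ("full_40bit", True)):
        c = Controller(use_full_token=full)
        c.enroll(*enrolled_card)
        results[name] = (c.grants_access(*enrolled_card), c.grants_access(*foreign_card))
    return results

if __name__ == "__main__":
    print(hex(token_40bit("1234", "000042")))
    print(compare_controllers())
```

Each result pair is (enrolled card granted, foreign card granted): the credential-only controller cannot tell the two cards apart, while the controller keyed on the full 40-bit token rejects the card from the other system.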
Glossary

Term        Description
BCD         Binary Coded Decimal
CHUID       Card Holder Unique Identifier
FASC-N      Federal Agency Smart Credential Number
FIPS PUBS   Federal Information Processing Standards Publications
FIPS-201    Federal Information Processing Standard Number 201
FX-AP       Facility Explorer Asset Protection System
GSC-IAB     Government Smart Card Interagency Advisory Board
HSPD-12     Homeland Security Presidential Directive -12
IDMS        Identity Management System
NIST        National Institute of Standards and Technology
PACS        Physical Access Control System
PAIIWG      Physical Access Interagency Interoperability Working Group
PIV         Personal Identity Verification