Access Control, the Government Version

The U.S. Government is providing direction for access control users in the United States today. While non-government end-users have generally been happy to be allowed to do what they feel best – the government is finally setting standards. There are significant changes in the way that the Government is managing access control. Let’s count the acronyms.

HSPD-12 (don’t you love government acronyms) is Homeland Security Presidential Directive number twelve. Signed in 2004, HSPD-12 mandates the development and agency implementation of a common security card to be created and issued to all federal employees and contractors. It is designed to be used for computer access, physical access, and as an ID credential. Acronym number two is FIPS-201, which is a Federal Identity Processing Standard that supports HSPD-12. While HSPD-12 is a great idea, it is an unfunded initiative, which means while the government also thinks it’s a great idea, the government is not providing money to make it happen.

The Government process includes Identity Management Systems (IDMS) and Card Management Systems (CMS) to provide a support infrastructure for many local sites, each having one or more doors with physical access control and one or more computers with logical access control. Each site will typically have its own Physical Access Control System (PACS). A Personal Identity Verification (PIV) card is used for access control and will contain information “on the card” such as a photo, name, expiration date, logo, magnetic stripe, bar code or other data storage/transfer mechanism. Contact and contactless smart card technologies are used to contain information “in the card,” the Federal Agency Smart Credential Number (FASC-N) and the Card Holder Unique Identifier (CHUID), biometric fingerprint templates and a Personal Identification Number (PIN). Contact cards require the card to physically touch the reader mechanism in order to transfer data. Contactless cards do not require actual contact between the card and the reader (think prox card). A variety of readers available from a variety of manufacturers are available to support local security levels and strategies.

How Does It work?

Personal and biometric information is obtained from the employee or contractor for “enrollment” into the IDMS. The CMS receives the information from the IDMS to “personalize” the PIV card by printing information on the card and encoding information into the smart card chips. The employee or contractor must verify that he or she matches the identity on the card for “issuance.” Subsequently, the employee or contractor must again verify his or her identity prior to enrollment in a local PACS. The PACS obtains the personal identity information and expiration date, either by reading the data from the PIV card, or obtaining the data via open XML exchange with the IDMS and CMS. In addition to the authentication (identity verification) performed between the smart card chip and the reader on the attack side of the door, the PACS also performs the authentication and authorization (who goes where when) from the secure side of the door.

What About Assumptions?

One of the advancements in this technology is the positive identification that the systems bring to access cards. As currently used, cards are often presented to readers at the access point to a facility. The reader acknowledges that the card is valid (or not), but doesn’t take into consideration who actually presented the card. The assumption is that the person who owns the card presented the card – but you know what they say about assumptions…

In contrast, a PIV card is the physical artifact (the actual identity card or smart card) issued to an individual that contains printed and stored identity credentials (photographs, cryptologic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable).

This technology also creates a better “real-time” approach to verifying that a card is active, and that the user is still allowed access at the time the card is presented. The corporate world (and my personal history) is full of tales of employees accessing a facility days (or even weeks) after their access privileges were removed. The corporate world is hoping to attain the “Zero In – Zero Out” model. Zero In states that when a person is hired, they should have all of the tools necessary to work on the day that they report for work. Tools include access cards, phones, passwords and everything necessary to be productive from day one. Zero Out reverses the process, stating that as soon as a person no longer works for a company, all privileges are immediately removed. It’s important to note that Zero Out does not differentiate between reasons that a person is no longer employed. Either you have access or you don’t. It doesn’t matter if you were fired, quit, got promoted or were elected to the Office of President of the United States. If you no longer are allowed access, it is immediately removed. While the private sector strives to make this a reality, the government is actually making it happen, at least on the access side.

Why is this an issue to the companies that provide access systems? Access technology falls into two categories, either disruptive technology or sustaining technology. Disruptive technology is innovation that overturns dominate technology. Sustaining technology is technology that improves the performance of existing technology. The dilemma for traditional access control suppliers is that the adoption of disruptive technology competes against their existing (more profitable) sustaining technology.

The corporate world will do what it thinks is best, while the government is mandating a better, positive approach to access control. It seems clear that for once, the government solution is the direction to go, and private sector will soon follow.

The author would like to thank Hirsch Electronics, Irvine, Calif., for their valuable assistance and knowledge in understanding HSPD-12, and their assistance is deciphering the acronyms. Additional information about HSPD-12 and FIPS-201 can be found at the Smart Card Alliance. The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance invests heavily in education on the appropriate uses of technology for identification, payment and other applications and strongly advocates the use of smart card technology in a way that protects privacy and enhances data security and integrity. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart card technology, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. See them at www.smartcardalliance.org.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?