The U.S. Government is providing direction for access control users in the United States today. While non-government end-users have generally been happy to be allowed to do what they feel best – the government is finally setting standards. There are significant changes in the way that the Government is managing access control. Let’s count the acronyms.
HSPD-12 (don’t you love government acronyms) is Homeland Security Presidential Directive number twelve. Signed in 2004, HSPD-12 mandates the development and agency implementation of a common security card to be created and issued to all federal employees and contractors. It is designed to be used for computer access, physical access, and as an ID credential. Acronym number two is FIPS-201, which is a Federal Identity Processing Standard that supports HSPD-12. While HSPD-12 is a great idea, it is an unfunded initiative, which means while the government also thinks it’s a great idea, the government is not providing money to make it happen.
The Government process includes Identity Management Systems (IDMS) and Card Management Systems (CMS) to provide a support infrastructure for many local sites, each having one or more doors with physical access control and one or more computers with logical access control. Each site will typically have its own Physical Access Control System (PACS). A Personal Identity Verification (PIV) card is used for access control and will contain information “on the card” such as a photo, name, expiration date, logo, magnetic stripe, bar code or other data storage/transfer mechanism. Contact and contactless smart card technologies are used to contain information “in the card,” the Federal Agency Smart Credential Number (FASC-N) and the Card Holder Unique Identifier (CHUID), biometric fingerprint templates and a Personal Identification Number (PIN). Contact cards require the card to physically touch the reader mechanism in order to transfer data. Contactless cards do not require actual contact between the card and the reader (think prox card). A variety of readers available from a variety of manufacturers are available to support local security levels and strategies.
Personal and biometric information is obtained from the employee or contractor for “enrollment” into the IDMS. The CMS receives the information from the IDMS to “personalize” the PIV card by printing information on the card and encoding information into the smart card chips. The employee or contractor must verify that he or she matches the identity on the card for “issuance.” Subsequently, the employee or contractor must again verify his or her identity prior to enrollment in a local PACS. The PACS obtains the personal identity information and expiration date, either by reading the data from the PIV card, or obtaining the data via open XML exchange with the IDMS and CMS. In addition to the authentication (identity verification) performed between the smart card chip and the reader on the attack side of the door, the PACS also performs the authentication and authorization (who goes where when) from the secure side of the door.