Monday, July 2, 2012
Personal Access Control Systems (PACS)
Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors [HSPD-12] requires a common identification standard for federal employees and contractors, These identity credentials must be interoperable government-wide. This resulted in the Personal Identity Verification (PIV) Card, and associated documents, which technically define it. As of Q3 2011, the federal government has issued 4,270,560 PIV Cards to federal employees (91% of total federal employees) and 846,365 PIV Cards to federal contractors (81% of total federal contractors).
FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.
FIPS 201 together with NIST SP 800-78 (Cryptographic Algorithms and Key Sizes for PIV) are required for U.S. Federal Agencies, but do not apply to National Security systems.
In addition, the federal government has implemented policy for non-federal issuers (NFIs) of identity cards to produce identity cards that can technically interoperate with federal government PIV systems and can be trusted by federal government parties. This resulted in the PIV Interoperable (PIV-I) Card. To-date the Federal Public Key Infrastructure (FPKI) has approved five PIV-I Card Issuers and one PIV-I Bridge. Conservative estimates for the number of active PIV-I credentials to be issued exceeds 25 million, serving non-executive federal, state and local agencies, first-responder organizations and others.
OMB designated GSA as the Executive Agent for government-wide acquisitions for the implementation of HSPD-12. OMB has directed federal agencies to purchase only products and services that are compliant with the federal policy, standards and numerous supporting technical specifications. In support of these mandates, GSA established the GSA FIPS 201 Evaluation Program Approved Products List.
PIV Card – is an identity card that is fully conformant with federal PIV standards. Only cards issued by federal entities can be fully conformant. Federal standards ensure that PIV Cards are interoperable with and accepted by all Federal Government relying parties to authenticate identity.
PIV-I Card – is an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued in a manner that allows federal and non-federal relying parties to accept the card to authenticate identity. PIV-I credentials provide identity proofing. Non-federal issuers make available PIV-I Cards. These must apply proofing process must be comparable with PIV that binds a card to a person. PIV-I does not assert that a background investigation was performed. Additional investigation requirements may be necessary based on actual assignment and asset risk.
In February 2011, OMB issued directives, which are applicable to end-users, integrators, solution providers, and manufacturers/developers, and mandates the following:
1. Effective immediately, all new systems under development must be enabled to use PIV credentials.
2. Effective the beginning of FY2012, existing physical and logical access control systems (LACS) must be upgraded to use PIV credentials.
3. Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulation.
4. Agency processes must accept and electronically verify PIV credentials issued by other federal agencies, and
5. The government-wide architecture and completion of agency transition plans must align as described in the Federal Chief Information Officers (CIO) Council’s FICAM Initiative.
PACS follow a process to authenticate users using one or more of a predefined set of credentials and then makes authorization decisions based on a predefined set of rules governing access. When this card is presented at an electronic reader, the identifier is checked against a proprietary, internal “white list” to make authorization decisions to a facility at an intended point of entry (e.g., door, turnstile, computer, laptop).
PACS are vulnerable to twenty-four cyber attacks that were listed in a table of common threats. The greatest exposure can be found in the communications between the security management system and the Certification Authority.
PIV and PIV-I cards are not applied in a uniform process. Depending on authentication mechanisms the cards can be deployed using a variety of methods. There are eight different versions of PIV and PIV-I cards:
1. Smartcard with crypto key, plus PIN with crypto proof, plus observed fingerprint. Three factor authentication.
2. Smartcard with crypto key, plus PIN with crypto proof, plus fingerprint. Three factor authentication.
3. Smartcard with crypto key, plus PIN with indirect verification assumption, plus observed fingerprint. Three factor authentication.
4. Smartcard with crypto key, plus PIN with crypto proof. Two factor authentication.
5. Card plus observed fingerprint. Two factor authentication.
6. Fingerprint. One factor authentication.
7. Smartcard with crypto key. One factor authentication.
8. Smartcard with printed security feature. One factor authentication.
Physical Access Control Systems (PACS) allow organizations to assign different access requirements based on the risk of the physical asset being accessed. In this way, a PACS is used to mitigate the risk of a physical security breach. This makes PACS the most critical components of cyber defenses.
Over five million PIV cards have been issued plus over twenty-five PIV-I cards, each with twenty-four identified security vulnerabilities and multiples issuers. This makes the PACS the single greatest risk exposure for security compromises.
One important facet of a PACS is its authentication mechanisms. There are eight methods for identifying a PIV or a PIV-I. It is the combination of the widespread distribution of PACS plus the variety of authentication methods that makes the PACS managerially difficult to administer.