Monday, July 2, 2012

Personal Access Control Systems (PACS)


Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors [HSPD-12], requires a common identification standard for federal employees and contractors. These identity credentials must be interoperable government-wide. This resulted in the Personal Identity Verification (PIV) Card and the associated documents that technically define it. As of Q3 2011, the federal government has issued 4,270,560 PIV Cards to federal employees (91% of total federal employees) and 846,365 PIV Cards to federal contractors (81% of total federal contractors).


FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

FIPS 201 together with NIST SP 800-78 (Cryptographic Algorithms and Key Sizes for PIV) are required for U.S. Federal Agencies, but do not apply to National Security systems.

In addition, the federal government has implemented policy for non-federal issuers (NFIs) of identity cards to produce identity cards that can technically interoperate with federal government PIV systems and can be trusted by federal government parties. This resulted in the PIV Interoperable (PIV-I) Card. To date, the Federal Public Key Infrastructure (FPKI) has approved five PIV-I Card Issuers and one PIV-I Bridge. Conservative estimates for the number of active PIV-I credentials to be issued exceed 25 million, serving non-executive federal, state and local agencies, first-responder organizations and others.

OMB designated GSA as the Executive Agent for government-wide acquisitions for the implementation of HSPD-12. OMB has directed federal agencies to purchase only products and services that are compliant with the federal policy, standards and numerous supporting technical specifications. In support of these mandates, GSA established the GSA FIPS 201 Evaluation Program Approved Products List.

PIV Card – is an identity card that is fully conformant with federal PIV standards. Only cards issued by federal entities can be fully conformant. Federal standards ensure that PIV Cards are interoperable with and accepted by all Federal Government relying parties to authenticate identity.

PIV-I Card – is an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued in a manner that allows federal and non-federal relying parties to accept the card to authenticate identity. PIV-I credentials provide identity proofing. Non-federal issuers make PIV-I Cards available. They must apply a proofing process, comparable with that of PIV, that binds a card to a person. PIV-I does not assert that a background investigation was performed. Additional investigation requirements may be necessary based on actual assignment and asset risk.

In February 2011, OMB issued directives, applicable to end-users, integrators, solution providers, and manufacturers/developers, that mandate the following:

1. Effective immediately, all new systems under development must be enabled to use PIV credentials.
2. Effective the beginning of FY2012, existing physical and logical access control systems (LACS) must be upgraded to use PIV credentials.
3. Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulation.
4. Agency processes must accept and electronically verify PIV credentials issued by other federal agencies, and
5. The government-wide architecture and completion of agency transition plans must align as described in the Federal Chief Information Officers (CIO) Council’s FICAM Initiative.

PACS follow a process to authenticate users using one or more of a predefined set of credentials and then make authorization decisions based on a predefined set of rules governing access. When a card is presented at an electronic reader, the identifier is checked against a proprietary, internal “white list” to make authorization decisions to a facility at an intended point of entry (e.g., door, turnstile, computer, laptop).

PACS are vulnerable to twenty-four cyber attacks that were listed in a table of common threats. The greatest exposure can be found in the communications between the security management system and the Certification Authority.

PIV and PIV-I cards are not applied in a uniform process. Depending on authentication mechanisms the cards can be deployed using a variety of methods. There are eight different versions of PIV and PIV-I cards:

1. Smartcard with crypto key, plus PIN with crypto proof, plus observed fingerprint. Three factor authentication.
2. Smartcard with crypto key, plus PIN with crypto proof, plus fingerprint. Three factor authentication.
3. Smartcard with crypto key, plus PIN with indirect verification assumption, plus observed fingerprint. Three factor authentication.
4. Smartcard with crypto key, plus PIN with crypto proof. Two factor authentication.
5. Card plus observed fingerprint. Two factor authentication.
6. Fingerprint. One factor authentication.
7. Smartcard with crypto key. One factor authentication.
8. Smartcard with printed security feature. One factor authentication.
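
The decision a PACS makes from the process and the eight mechanisms above, as an added example that is not from the original post. It assumes each entry point carries a minimum factor count set by asset risk; the evidence labels, door names, and identifiers are hypothetical, constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# (card evidence, PIN evidence, fingerprint evidence) -> (item number in the
# list above, authentication factors). Evidence labels are hypothetical.
MECHANISMS = {
    ("crypto_key", "crypto_proof", "observed_fingerprint"): (1, 3),
    ("crypto_key", "crypto_proof", "fingerprint"): (2, 3),
    ("crypto_key", "indirect", "observed_fingerprint"): (3, 3),
    ("crypto_key", "crypto_proof", None): (4, 2),
    ("card", None, "observed_fingerprint"): (5, 2),
    (None, None, "fingerprint"): (6, 1),
    ("crypto_key", None, None): (7, 1),
    ("printed_feature", None, None): (8, 1),
}

@dataclass(frozen=True)
class Presentation:
    identifier: str             # identifier the reader resolved for this person
    card: Optional[str]         # what the card proved, if a card was used
    pin: Optional[str]          # how the PIN was verified, if entered
    fingerprint: Optional[str]  # whether a fingerprint was taken, and if observed

def decide(p, door, whitelist, required_factors):
    """Return (granted, reason). Anything that is not an explicit grant is a denial."""
    mech = MECHANISMS.get((p.card, p.pin, p.fingerprint))
    if mech is None:
        return False, "evidence matches none of the eight mechanisms"
    item, factors = mech
    needed = required_factors.get(door)
    if needed is None:
        return False, "no rule defined for this entry point"
    if factors < needed:
        return False, f"mechanism {item} gives {factors} factor(s), {door} needs {needed}"
    if p.identifier not in whitelist.get(door, set()):
        return False, "identifier not on the white list for this entry point"
    return True, f"mechanism {item}, {factors} factor(s)"

# Constructed sample data: per-door white lists and risk-based factor minimums.
WHITELIST = {"lobby": {"ID-0001", "ID-0002"}, "server_room": {"ID-0001"}}
REQUIRED = {"lobby": 1, "server_room": 3}

if __name__ == "__main__":
    badge = Presentation("ID-0001", "crypto_key", "crypto_proof", None)
    print(decide(badge, "lobby", WHITELIST, REQUIRED))
    print(decide(badge, "server_room", WHITELIST, REQUIRED))
```

The same card and PIN that open the lobby are refused at the server room, because mechanism 4 supplies only two factors.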

SUMMARY
Physical Access Control Systems (PACS) allow organizations to assign different access requirements based on the risk of the physical asset being accessed. In this way, a PACS is used to mitigate the risk of a physical security breach. This makes PACS the most critical components of cyber defenses.
Over five million PIV cards have been issued plus over twenty-five PIV-I cards, each with twenty-four identified security vulnerabilities and multiple issuers. This makes the PACS the single greatest risk exposure for security compromises.

One important facet of a PACS is its authentication mechanisms. There are eight methods for identifying a PIV or a PIV-I. It is the combination of the widespread distribution of PACS plus the variety of authentication methods that makes the PACS managerially difficult to administer.

15 comments:

  1. PACS are mainly designed to access control system or deny the ability to enter the building or any gated area. It utilizes the digital computer technology to eliminate the use of key and lock.
    access control systems Miami

  2. It makes authorization of the individual that has a decisions based on a predefined set of rules governing access.

  3. I am following your website frequently and got great details. I really like the guidelines you have given. Thanks a lot for giving. Will be mentioning a lot of associates about this.

  4. Hello Sir,
    Thanks a lot for sharing such useful information with us. The basic features of access control systems are that they are very quick and accurate. Very nice blog. I like it very much.

  5. Thank you for posting this article on PACS. What exactly is a Personal Access Control System? Your article gave me a lot of information, but I would like to learn more about The PACS themselves. Do you know where I can find more information on this topic? Thank you for your help.

  6. Thanks for the info. I've been told I'll be using access control systems in Honolulu, HI, where I'm starting a new job, and I'm not too familiar with them. Your blog was super helpful, appreciate it.

  7. There are lots of great choices now when it comes to home security systems. You can ask for a professional guide when selecting one that would fit your needs.
    security consulting

  8. Great post! Been reading a lot about access control systems. Thanks for the info!

  9. I'm really impressed with the extensive details here! What are some good things to consider when getting access control installation? Thanks so much for sharing!
    Celine | http://www.ostsystems.com/access-control/

  10. This is really great information for all users. We can exactly get the idea which firm is best for magnetic badges. Great to share these directions.

    magnetic badges & staff badges

  11. Really awesome and heart-touching blog! I want to thank you for sharing these documents with us, and this is so nice and attractive.

    Intruder Alarm System in India | Detection System in India

  12. Thanks a lot for sharing such a useful informative post. The basic features of access control systems are that they are very quick and accurate. nice blog. thank you so much!

    ReplyDelete
  13. I had no idea that personal access control systems had gotten so complicated! I used to work at Honeywell when it was a newer company and we didn't have anything like this. I think it's fantastic that these types of securities are available to corporations now. I think that these protections do a great job of keeping people honest and keeping vital information secure. Thanks for sharing these developments with us! http://www.midwestlockandsecurity.com

  14. Thanks for sharing such an informative blog with us.
    Nowadays there are a lot of choices for home security systems. You can choose
    door entry systems london

  15. I have just visited your website and I found it very interesting because your blog article is really informative, if we talk about Access Control Systems. Thanks for sharing this update and please keep updating us.


    Vancouver home automation | Home Automation Vancouver


For comments please e-mail paul@strassmann.com