Understand why GSA may soon require PKI in PACS
The purpose behind the GSA FICAM requirement for PKI in PACS is to provide procurement guidance and language for the use of PKI in PACS. GSA believes this is needed because a conventional legacy access system cannot defend against an attack by a counterfeit, cloned or copied PIV Card. In recent months, smartphone apps have surfaced that can read the identifier data (CHUID) from a PIV and replay that identifier to a PACS reader, gaining access to any facility where that PIV is enrolled. The bottom line is that Federal Government facilities must properly implement HSPD-12 or be vulnerable to attack by simple copies of PIV Cards that are carried by trusted employees.
There is a paradigm shift in how the government is looking at the implementation of PIV in physical access systems. The bar has been raised for proper use of PIV Cards in PACS: a physical access system must use PKI mechanisms, or it is only a matter of time before it is compromised. PKI mechanisms in a PACS can establish a high level of trust in a PIV by validating that the PIV is genuine, not revoked, and the same PIV that was first issued.
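The difference between a CHUID-only check and the three PKI validations described above, as an added Go example that is not part of the original page. The `Card`, `PACS` and `Registry` types and the identifier are assumptions: a bare ECDSA public key stands in for the PIV certificate, a map stands in for a CRL/OCSP lookup, and certificate path validation to a trust anchor is omitted.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card is what a reader sees; Key is nil on a copy (the private key never leaves a real card).
type Card struct {
	CHUID string
	Pub   *ecdsa.PublicKey // stands in for the card's certificate
	Key   *ecdsa.PrivateKey
}

type Registry = map[string]*ecdsa.PublicKey // CHUID -> key recorded at enrollment
type PACS struct {
	Enrolled Registry
	Revoked  map[string]bool // stands in for a CRL/OCSP lookup
}

func NewCard(chuid string) Card {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return Card{chuid, &k.PublicKey, k}
}

// LegacyCheck grants access on the identifier alone, so a copy passes.
func (p PACS) LegacyCheck(c Card) bool { return p.Enrolled[c.CHUID] != nil }

// PKICheck: not revoked, same key as enrolled, and a signed fresh challenge.
func (p PACS) PKICheck(c Card) bool {
	pub := p.Enrolled[c.CHUID]
	if pub == nil || p.Revoked[c.CHUID] || c.Pub == nil || !pub.Equal(c.Pub) || c.Key == nil {
		return false
	}
	nonce := make([]byte, 32) // new per attempt, so a recorded reply is useless
	rand.Read(nonce)
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, c.Key, digest[:]) // on-card in reality
	return err == nil && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	card := NewCard("CHUID-EXAMPLE-0001") // constructed identifier
	pacs := PACS{Registry{card.CHUID: card.Pub}, map[string]bool{}}
	copied := Card{CHUID: card.CHUID, Pub: card.Pub} // identifier without the key
	fmt.Println(pacs.LegacyCheck(copied), pacs.PKICheck(copied), pacs.PKICheck(card))
}
```

The copied card passes `LegacyCheck` but fails `PKICheck`, while the genuine card passes `PKICheck` until its entry is marked revoked.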