Understand HSPD-12, PIV Card Readers and related requirements now and in the future

Before you select a new PIV physical access system or even specify PIV Readers for your access control requirements, you need to understand the basics.

Homeland Security Presidential Directive 12 (HSPD-12) established an initiative to secure access to Federal Government networks and facilities by mandating an interoperable, secure Personal Identity Verification (PIV) card. Three different HSPD-12 compliant cards are now issued by the Federal Government:
  • The Common Access Card, commonly known as the “CAC,” which is issued to DoD military personnel, civilian employees and eligible contractors.
  • The Personal Identity Verification Credential, commonly known as the “PIV,” which is issued to Federal Government employees and to contractors who need long-term access.
  • The Transportation Worker Identification Credential, commonly known as the “TWIC,” which TSA requires for individuals who need unescorted access to secure areas of the seaports, maritime facilities and vessels (including port-side energy terminals) regulated under the Maritime Transportation Security Act.
In addition to the Federally-issued PIV Cards, the Federal CIO Council and NIST have established standards for a PIV Interoperable Card, known as “PIV-I,” which is designed for non-Federal issuers. A PIV-I card carries a Global Unique Identifier (GUID) in its CHUID in place of the Federal Agency Smart Credential Number (FASC-N) that identifies a government-issued card, so a PACS that keys solely on the FASC-N cannot enroll it. Many PIV Readers and most PACS are not capable of operating with PIV-I Cards, but BridgePoint Readers are.

Creating Interoperable and Secure PIV Credentials

HSPD-12 has successfully eliminated the multiple proprietary badges that government employees were forced to carry to access different buildings. It is now possible for a person from one agency to use their PIV Credential at any other federal building that has installed compliant PIV Readers and PACS.
Another key element of HSPD-12 is its requirement for a credential that is strongly resistant to tampering and counterfeiting and that can be rapidly authenticated electronically. To support electronic authentication by a PIV Reader, the card carries X.509 digital certificates and the corresponding private keys, based on public key infrastructure (PKI). The private keys never leave the card’s chip, so a reader that sends the card a random challenge and verifies the returned signature against the card’s certificate, and then validates that certificate to a trusted issuer, establishes trust in the card itself; the PIV Authentication certificate, whose key is only usable after the cardholder enters a PIN, extends that trust to the cardholder. Any access system that does not make use of the PKI certificates, and instead relies on free-read data such as the CHUID, is vulnerable to attack by counterfeit, copied or cloned PIV Cards: everything such a reader checks can be read from a genuine card and written to a blank one. Systems with PIV Readers that do not provide PKI functionality are no longer considered to be “HSPD-12 compliant.”
A PIV Reader with PKI capability is therefore a necessary tool for eliminating non-genuine cards. BridgePoint’s TrustPoint PIV and CAC Readers support PKI challenge-response operations.

Federal Programs are Now Mandating PKI Strong Authentication

OMB Memorandum M-11-11, issued by the Office of Management and Budget in February 2011 and transmitting a DHS implementation memorandum, states: “Agency processes must accept and electronically verify PIV credentials issued by other federal agencies.” Verifying another agency’s credential requires a physical access system to use PKI validation and verification: the reader has no copy of the other agency’s badge database, but it can validate the card’s certificate to a trusted Federal PKI anchor and require the card to prove possession of the matching private key. OMB M-11-11 further requires that all new systems under development use PIV credentials before being made operational and that, effective the beginning of FY2012, existing physical and logical access control systems be upgraded to use PIV credentials before agencies spend development and technology refresh funds on other activities.

OMB M-11-11 also requires that all acquisitions be compliant with the FICAM Roadmap and Implementation Guidance [FICAM Roadmap] and that all Enterprise Physical Access Control System (E-PACS) acquisitions be compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-116 [SP 800-116].

In the fall of 2013, NIST is expected to publish FIPS 201-2, which will deprecate the CHUID (Cardholder Unique Identifier) authentication mechanism, in which a conventional PACS simply reads the identifier from the card and looks it up. The CHUID is a free-read object; its digital signature proves that the data came from a legitimate issuer, but not that the card presenting it is the original, because the signed bytes copy perfectly to another card. The recommended replacement is authentication with the Card Authentication Key (CAK), which requires an active cryptographic operation: the reader sends a random challenge, the card signs it with a private key that never leaves the chip, and the reader verifies the signature against the card’s Card Authentication certificate and validates that certificate to a trusted issuer. The CHUID data object itself remains on the card, and its FASC-N or GUID continues to serve as the identifier looked up after authentication succeeds. This release of FIPS 201 will also put all Agencies on notice that the CHUID authentication mechanism will be removed from the standard in the third release, which is anticipated in 2017.
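The difference between a CHUID-only reader and a PKI reader described above (in the “Creating Interoperable and Secure PIV Credentials” section and in the FIPS 201-2 paragraph) is easiest to see in code. The following Go program is an added example written for this page; it is not BridgePoint, NIST or GSA code and it models the protocol rather than talking to a real card. Its assumptions: the CAK is an ECDSA P-256 key (FIPS 201 also permits RSA), a locally generated self-signed CA stands in for the agency’s issuing CA and the Federal PKI, the CHUID is reduced to a constructed byte string, and the type and function names (Card, pkiReader, chuidOnlyReader, Scenario) are illustrative. Revocation checking (CRL/OCSP) and matching the certificate to the CHUID, which a real reader must do, are deliberately left out and noted in comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Card models the PIV objects a reader handles. CHUID and CertDER are free-read
// objects that anyone who taps the card can copy; cak is the Card Authentication
// Key, which never leaves a genuine card and is nil on a copy.
type Card struct {
	CHUID   []byte            // Cardholder Unique Identifier (carries the FASC-N or GUID)
	CertDER []byte            // Card Authentication certificate, DER encoded
	cak     *ecdsa.PrivateKey // private key held in the card's secure element
}

// Sign is the card side of CAK challenge-response (PIV GENERAL AUTHENTICATE).
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if c.cak == nil {
		return nil, errors.New("card has no CAK private key")
	}
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.cak, d[:])
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKeyAndCert generates a P-256 key and its certificate: a self-signed CA when
// parent is nil, otherwise an end-entity certificate signed by parent.
func newKeyAndCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// issueCard personalises a card: a fresh CAK plus a CA-signed certificate binding it to the CHUID.
func issueCard(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, chuid []byte) *Card {
	cak, cert := newKeyAndCert(fmt.Sprintf("PIV card %x", chuid), caCert, caKey)
	return &Card{CHUID: chuid, CertDER: cert.Raw, cak: cak}
}

// cloneCard copies only what a skimmer can read off the card.
func cloneCard(c *Card) *Card { return &Card{CHUID: c.CHUID, CertDER: c.CertDER} }

// chuidOnlyReader models a conventional PACS: look up the identifier, nothing more.
func chuidOnlyReader(enrolled map[string]bool, c *Card) bool { return enrolled[string(c.CHUID)] }

// pkiReader performs CAK authentication before any identifier lookup. A production
// reader also checks revocation (CRL/OCSP) and that the certificate belongs to the
// presented CHUID; both are omitted here.
func pkiReader(roots *x509.CertPool, c *Card) (bool, error) {
	cert, err := x509.ParseCertificate(c.CertDER)
	if err != nil {
		return false, err
	}
	// Chain validation: an attacker can mint a certificate, but not one that chains to the agency CA.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = cert.Verify(opts); err != nil {
		return false, fmt.Errorf("certificate not trusted: %w", err)
	}
	// Challenge-response: only the holder of the CAK private key can answer a fresh
	// nonce, so neither a copied certificate nor a recorded response passes.
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := c.Sign(challenge)
	if err != nil {
		return false, err
	}
	d := sha256.Sum256(challenge)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return false, errors.New("challenge signature invalid")
	}
	return true, nil
}

// Outcome records how each reader treats each card.
type Outcome struct{ GenuinePKI, CloneCHUID, ClonePKI, CounterfeitPKI bool }

// Scenario enrolls one card, then presents the genuine card, a copy of its free-read
// objects, and a counterfeit with the same CHUID but a certificate from a rogue CA.
func Scenario() Outcome {
	caKey, caCert := newKeyAndCert("Example Agency PIV CA", nil, nil)
	chuid := []byte{0xd4, 0xe7, 0x39, 0xda, 0x73, 0x9c, 0xed, 0x39} // constructed identifier bytes
	genuine := issueCard(caKey, caCert, chuid)
	rogueKey, rogueCA := newKeyAndCert("Rogue CA", nil, nil)
	counterfeit := issueCard(rogueKey, rogueCA, chuid)
	clone := cloneCard(genuine)
	enrolled := map[string]bool{string(chuid): true}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	var out Outcome
	out.GenuinePKI, _ = pkiReader(roots, genuine)         // accepted
	out.CloneCHUID = chuidOnlyReader(enrolled, clone)     // accepted: the copy is indistinguishable
	out.ClonePKI, _ = pkiReader(roots, clone)             // rejected: cannot sign the challenge
	out.CounterfeitPKI, _ = pkiReader(roots, counterfeit) // rejected: untrusted issuer
	return out
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints {GenuinePKI:true CloneCHUID:true ClonePKI:false CounterfeitPKI:false}: the CHUID-only reader cannot tell the copy from the original, while the PKI reader rejects the copy because it cannot answer the challenge and rejects the counterfeit because its certificate does not chain to the trusted CA. Note the two separate checks in pkiReader; a reader that verified the challenge signature but skipped chain validation would accept the counterfeit, since the attacker controls both its key and its certificate.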



New Procurement Language from GSA

On June 28, 2013 the GSA Office of Government-wide Policy posted a memorandum providing recommended procurement language for RFPs and SOWs that requires use of Public Key Infrastructure (PKI) in Enterprise Physical Access Control Systems (E-PACS).
The memorandum makes it clear that “electronically verify” means that the E-PACS at federally owned or leased facilities must be capable of performing PKI strong authentication methods to establish a high degree of confidence in the binding between the credential and the bearer.
What does this mean? The clock is ticking. Contracts for the installation and upgrade of physical access systems will require Agencies to be HSPD-12 compliant by integrating PKI into their PACS. BridgePoint Systems can help. Contact us.