Understand HSPD-12 and related standards now and in the future
Before you select a physical access system and specify HSPD-12 Readers for your access control requirements, you need to understand the applicable standards.
Homeland Security Presidential Directive 12 (HSPD-12)* established the initiative to secure Federal Government networks and facilities by mandating a secure identity credential. Besides the best-known one, the PIV (Personal Identity Verification) card, other PIV-compliant credentials include:
- CAC, the DoD's Common Access Card
- TWIC, the Transportation Worker Identification Credential
- PIV-I, the PIV-Interoperable credential designed for non-Federal issuers
Creating Secure and Interoperable Identity Credentials
HSPD-12 sought to eliminate the multiple proprietary badges that government employees had to carry to access different buildings. It made it possible for a person from any agency to hold a single, standardized credential that any other agency can accept.
Another primary value of HSPD-12 was its requirement for a credential that is "strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation" and that "can be rapidly authenticated electronically." To reach this level of security, the PIV is provisioned with digital certificates issued under a public key infrastructure (PKI). These certificates are the basis for secure electronic transactions. Properly used in a building access system, they let the system reject expired, revoked and even cloned credentials: the certificate carries its own validity period, the issuer publishes the status of certificates it has revoked, and the card proves possession of the private key matching the certificate by signing a fresh challenge, which a clone that merely copied the card's data cannot do. Using the certificates therefore requires certificate status validation (a CRL or OCSP check, online or from a recent cache) and a private-key challenge-response at the reader. The PIV and CAC both support these PKI operations.
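As an added illustration, not code from the original page or from BridgePoint Systems, the following Go program models the three checks described above on the PACS side: certificate path and validity period, certificate status, and a private-key challenge-response. It stands up a hypothetical test issuer (not a Federal PKI CA) with ECDSA P-256 keys, uses an in-memory set of revoked serial numbers in place of a CRL or OCSP lookup, and then presents four constructed cards: a valid one, an expired one, a revoked one, and a clone that carries a copy of the valid card's certificate but, since the chip's key cannot be extracted, has to sign with a key of its own. The names Card, PACS, mint, must and Scenario are the author's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Card is what a PACS sees on a PIV/CAC: the authentication certificate read from
// the chip plus, behind the card edge, the private key that never leaves it.
type Card struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// PACS is the door side: trusted issuer roots, revoked serials standing in for
// CRL/OCSP status, and the clock used for validity checks.
type PACS struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
	Now     time.Time
}

// Verify runs the checks in order: certificate path and validity period,
// certificate status, then proof that the card holds the certified private key.
func (p *PACS) Verify(c *Card) error {
	if _, err := c.Cert.Verify(x509.VerifyOptions{Roots: p.Roots, CurrentTime: p.Now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("path/validity: %w", err)
	}
	if p.Revoked[c.Cert.SerialNumber.String()] {
		return errors.New("status: certificate revoked")
	}
	nonce := make([]byte, 32) // fresh per transaction, so a replayed signature fails
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, h[:]) // the chip does this step
	if err != nil {
		return err
	}
	pub, ok := c.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("challenge-response: signature does not match certificate key")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint issues tmpl under parent (self-signed when parent == tmpl and parentKey == nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parentKey = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario: a hypothetical test issuer (not a Federal PKI CA), four constructed cards, and the PACS decision (nil = admitted) for each.
func Scenario() map[string]error {
	now := time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Issuing CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := mint(caTmpl, caTmpl, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pacs := &PACS{Roots: roots, Revoked: map[string]bool{"12": true}, Now: now} // serial 12 is on the CRL
	card := func(name string, serial int64, exp time.Time) *Card {
		cert, key := mint(&x509.Certificate{SerialNumber: big.NewInt(serial),
			Subject: pkix.Name{CommonName: "PIV holder " + name}, NotBefore: exp.AddDate(-3, 0, 0),
			NotAfter: exp, KeyUsage: x509.KeyUsageDigitalSignature}, ca, caKey)
		return &Card{Cert: cert, key: key}
	}
	valid := card("valid", 10, now.AddDate(2, 0, 0))
	// A clone can copy the certificate off the chip but not the key, so it signs with its own.
	clone := &Card{Cert: valid.Cert, key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	return map[string]error{
		"valid":   pacs.Verify(valid),
		"expired": pacs.Verify(card("expired", 11, now.AddDate(0, -1, 0))),
		"revoked": pacs.Verify(card("revoked", 12, now.AddDate(2, 0, 0))),
		"cloned":  pacs.Verify(clone),
	}
}
```

Only the valid card comes back with a nil error; the expired card fails path validation, the revoked card fails the status check, and the clone fails the challenge-response because its signature does not verify under the public key in the certificate it copied. The order matters in practice: a reader should not spend a signing round-trip on a certificate it has already found expired or revoked, and the nonce must be new for every transaction or a recorded signature would replay.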
Constantly Raising the Bar
The National Institute of Standards and Technology (NIST) recently specified, in NIST Special Publication 800-116**, that the full personal identifier on the card, the FASC-N (Federal Agency Smart Credential Number), be used throughout the system to grant access. SP 800-116 made many legacy access systems obsolete by ruling out the use of a truncated subset of the FASC-N: a partial identifier such as the credential number alone is not unique across agencies and card-issuing systems, so two different cards can map to the same access record.
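The following Go program is an added example, not code from the page or from BridgePoint Systems. It encodes and decodes the 200-bit FASC-N as the author reads SEIWG-012 (forty 5-bit characters, each a 4-bit BCD value sent least-significant bit first plus an odd parity bit; a start sentinel, a field separator after each of the first five fields, an end sentinel and an LRC), then round-trips two constructed credentials from different agencies that share a credential number and checks whether the full identifier and a legacy credential-number-only key can tell them apart. The field values are made up, and FASCN, layout, Encode, Decode, FullID and Collision are the author's names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FASCN holds the nine FASC-N data fields as digit strings in wire order: agency code (4),
// system code (4), credential number (6), credential series (1), individual credential
// issue (1), person identifier (10), organizational category (1), organizational
// identifier (4), person/organization association (1).
type FASCN [9]string

// layout names the 40 wire characters: S = start sentinel, F = field separator, E = end
// sentinel, L = LRC, and a digit giving the FASCN field each data position belongs to.
const layout = "S0000F1111F222222F3F4F5555555555677778EL"

var control = map[rune]byte{'S': 0xB, 'F': 0xD, 'E': 0xF} // 4-bit values of S, F and E

// Encode packs f into the 200-bit FASC-N: each character is its 4-bit value sent LSB
// first plus an odd parity bit (SEIWG-012 BCD, as the author reads it), MSB first in
// each byte. It panics on a malformed field: it only serves the constructed input below.
func Encode(f FASCN) (out [25]byte) {
	for i, s := range f { // each field must be exactly its width, all digits
		if len(s) != strings.Count(layout, string(rune('0'+i))) || strings.Trim(s, "0123456789") != "" {
			panic(fmt.Sprintf("field %d: bad digit string %q", i, s))
		}
	}
	digits := strings.Join(f[:], "") // layout visits the fields in this order
	var chars [40]byte
	for i, k := range layout {
		switch k {
		case 'S', 'F', 'E':
			chars[i] = control[k]
		case 'L':
			for _, c := range chars[:i] {
				chars[i] ^= c // the LRC is the XOR of every preceding 4-bit value
			}
		default:
			chars[i], digits = digits[0]-'0', digits[1:]
		}
	}
	for i, c := range chars {
		ones := 0
		for bit := 0; bit < 5; bit++ {
			b := (c >> bit) & 1
			if bit == 4 {
				b = byte(1 - ones%2) // parity bit makes the count of ones odd
			}
			ones += int(b)
			out[(i*5+bit)/8] |= b << (7 - (i*5+bit)%8)
		}
	}
	return out
}

// Decode unpacks a 200-bit FASC-N, rejecting bad parity, a wrong sentinel or separator,
// a bad LRC, or a control code where a digit belongs.
func Decode(raw [25]byte) (f FASCN, err error) {
	var chars [40]byte
	var lrc byte // XOR of all 40 values, LRC included, is zero for a good record
	for i := range chars {
		ones := 0
		for bit := 0; bit < 5; bit++ {
			b := (raw[(i*5+bit)/8] >> (7 - (i*5+bit)%8)) & 1
			ones += int(b)
			if bit < 4 {
				chars[i] |= b << bit
			}
		}
		if ones%2 == 0 {
			return f, fmt.Errorf("character %d: parity error", i)
		}
		lrc ^= chars[i]
	}
	for i, k := range layout {
		switch {
		case control[k] != 0 && chars[i] == control[k], k == 'L' && lrc == 0:
		case k >= '0' && k <= '8' && chars[i] <= 9:
			f[k-'0'] += string(rune('0' + chars[i]))
		default:
			return f, fmt.Errorf("character %d: unexpected value %#x", i, chars[i])
		}
	}
	return f, nil
}

// FullID is the key SP 800-116 calls for: every digit, so it is unique across issuers.
func (f FASCN) FullID() string { return strings.Join(f[:], "") }

// Collision round-trips two constructed credentials (made-up values) from different
// agencies that share a credential number, and reports whether the full FASC-N and a
// legacy credential-number-only key can tell them apart.
func Collision() (fullSame, legacySame bool, err error) {
	a, errA := Decode(Encode(FASCN{"1234", "0001", "123456", "1", "1", "1111111111", "1", "0001", "1"}))
	b, errB := Decode(Encode(FASCN{"5678", "0042", "123456", "1", "1", "2222222222", "2", "0042", "1"}))
	if err = errors.Join(errA, errB); err != nil {
		return false, false, err
	}
	return a.FullID() == b.FullID(), a[2] == b[2], nil
}
```

Collision returns fullSame == false and legacySame == true: the two cards are distinct under the full FASC-N but indistinguishable to a system that keyed on the credential number alone, which is the situation SP 800-116 rules out. Decode is deliberately strict, since the record arrives from an untrusted card: any flipped bit breaks a character's odd parity, a control code in a digit position is rejected rather than silently mapped to a digit, and a record whose LRC does not match is refused before any field reaches an access decision.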
The Federal Government is not finished with the effort to ensure that identities can be trusted. Recent memoranda*** require agencies to upgrade existing physical and logical access control systems to use PIV credentials in accordance with NIST guidelines, effective at the beginning of FY2012.
Federal Programs Are Mandating PKI Strong Authentication
OMB M-11-11 further states that "Agency processes must accept and electronically verify PIV credentials issued by other federal agencies." For a physical access system, electronic verification means PKI validation of the certificate (path, validity period and revocation status) and verification of the card's challenge-response.
Two additional Federal Government programs will further mandate the use of PKI strong authentication:
- ICAM (Identity, Credential and Access Management): The ICAM Subcommittee serves under the Federal CIO Council and is composed of executive-level security managers from agencies including DHS, GSA and DoD. The latest version of the FICAM Roadmap describes a "target state" for PACS in which access decisions rest on strong authentication, driving improvement in PACS security.
- NSTIC (National Strategy for Trusted Identities in Cyberspace): NSTIC is an administration program to improve the security and privacy of online transactions for citizens through trusted identities. It makes strong authentication, for which PKI certificates are the established Federal mechanism, the backbone of sensitive electronic transactions, including requests to access Federal facilities.
Coordinating with the ICAM Subcommittee, DHS, GSA, NIST and the White House, the NSTIC program seeks to improve the security and convenience of sensitive online transactions by electronically authenticating individuals, organizations and the underlying infrastructure.
The bottom line? The clock is ticking. OMB M-11-11 requires agencies to upgrade their physical access systems to be compliant by FY2012. BridgePoint Systems can help. Contact us.
Guidelines cited:
* Homeland Security Presidential Directive 12 (HSPD-12), signed by President George W. Bush in August 2004
** NIST SP 800-116, "A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)"
*** OMB and DHS' joint memorandum OMB M-11-11, "Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors"
