FIPS-201 PIV at the Five-Year Mark



A Q&A Status Report from Security Squared

Q. Why spend time looking at the adoption and influence of the FIPS-201 Personal Identity Verification (PIV) of Federal Employees and Contractors standard?   

A. Much of security is very identity-centric: converging physical and logical identities is, well, logical. Being able to strongly link the physical and logical identity of the person accessing facilities, applications and data seems an increasingly intelligent strategy, whether to mitigate risk from single sign-on solutions or to meet compliance requirements or simply provide a high level of physical/logical authentication and security internally or among trading partners.

The PIV credential specified in FIPS-201 eventually should be carried by about two million federal employees. Millions more nonfederal employees conceivably could carry "PIV-Interoperable" or "PIV-Compatible" credentials. Given its potential reach, we wanted to find out how PIV is influencing smart card technology and adoption in general.

Q. In a nutshell, what did you learn?

A. PIV adoption is going more slowly than the Federal government had initially forecast within its own agencies. PIV-I, which essentially is trusted PIV for non-federal entities, has only recently been well defined. In the interim, some federal contractors have invested in secure but non-PIV forms of strong authentication and data-exchange security. They'd like to protect those investments.

That said, most sources say PIV and PIV-I will continue to gain traction. The standards probably will be adapted to technological changes that have occurred since FIPS 201 was written. PIV-compliant equipment and technology could bring down the price of smart card implementation. So businesses that have more limited interaction with the Federal government, and individuals, could see wider use of multiple factors of authentication in many applications in the real and cyber worlds, even if these aren't fully PIV-compliant.

Q. What is the FIPS-201 PIV again?

A. The FIPS-201 PIV standard was a response to Homeland Security Presidential Directive 12 (HSPD-12), which called for a standard for a secure form of identification for use among federal agencies and their contractors for both physical and logical access.

The FIPS-201 PIV document spells out the standards for such a credential. This document specifically calls for a smart card carrying biometric fingerprint data as well as digital certificate technology.

FIPS 201 also details the required processes and procedures for background vetting and identity proofing of individuals before agencies may issue them PIV credentials. Those vetting and proofing standards are critical factors in the value of the credential within and among agencies.

"In this area, it can't be overstated that you can only trust a digital identity to the extent it's been bound to an individual. That's what determines how much access you will grant it," said Mark Joynes, director of product management, at Entrust.

Q. How is PIV adoption coming along among federal agencies?

A. It's spotty. FIPS-201 PIV is an unfunded mandate. Federal agencies are complying as their budgets permit, said Geri Castaldo, CEO at Codebench. She noted her company is starting to see more PIV activity among agencies of late.

Based on status reports from the federal Office of E-Government and Technology, the Department of Defense (DoD) is leading the way to PIV compliance, with nearly all of its expected 4.3 million-plus employees and contractors having been issued PIV-compliant cards (the DoD's credential is called the Common Access Card). Similarly, the Department of State is noted as having issued 100% of its total expected number of PIV cards.

By contrast, the Department of Veterans Affairs has issued just 6% of the 458,946 PIV cards it expects to issue, and the Department of Homeland Security 7% of its expected total of 251,905 cards.

Q. What are the PIV-Interoperable (PIV-I) and PIV-Compatible (PIV-C) credentials?

A. By definition, a PIV card can only be held by a federal employee (or a contractor working for an agency for more than six months). PIV-I is a credential that follows almost all of the technological requirements of PIV, and enough of the vetting/proofing processes to be accepted as a trusted credential.

Certain technical differences also set the cards apart, such as identification numbers for cardholders. The Federal Agency Smart Credential-Number (FASC-N) that gives each PIV card a unique identifying number is not extendable beyond federal agencies, for example, so PIV-I cards require a different numbering schema.

Despite the differences, the key point is that a PIV-I card is trusted by federal agencies.

By contrast, the PIV-C credential is deemed "of no value to the Federal government because it does not have all the elements needed for Federal government trust," according to the Personal Identity Verification (PIV) Interoperability For Non-Federal Issuers v. 1.0 document issued by the Federal CIO Council in May 2009.

That's mainly because PIV-C does not require the identity proofing steps laid out in FIPS-201 PIV so the strength of the binding of the physical identity of the cardholder to the card and its privileges could vary among card issuers. Ensuring cardholders are proofed equally is essential to establishing communities of trust.

"If you're going to do something that is interoperable, by definition standards are required. Otherwise it'll be 'you show me yours, I'll show you mine, we agree that they're both tremendous,'" said Sal D'Agostino, president of IDMachines, a consultancy specializing in PIV and PIV-I implementation. "If you don't have a standard, that's what it gets to."

Q. What are these other documents being referenced? Isn't everything needed to define PIV and PIV-I credentials contained in the FIPS-201 PIV document?

A. While the FIPS-201 PIV standard document is very detailed, several other agencies are also defining PIV technical details and practices, said Steve Howard, vice president of operations for CertiPath, a PKI bridge for the aerospace & defense industry.

For example, according to the FBCA Certificate Policy Change Proposal Number: 2010-03, dated May 11, 2010, a PIV-I Tiger Team commissioned by the General Services Administration (GSA) searched "all applicable Federal government documents for requirements pertaining to PIV-I cards. The team reviewed sources such as PIV-I for Non-Federal Issuers, FIPS 201, NIST SP 800-63, and NIST SP 800-79. PIV-I requirements across a number of categories were found (e.g., certificates and keys, security, algorithms, ID proofing)."

In practical terms, that means companies wanting to implement PIV-I credentials must keep tabs on technical requirements spread across several sources. To offer some help in pulling these requirements together, the Federal Identity, Credential and Access Management (FICAM) group offers its Road Map and Implementation Guidance V. 1.0.

Q. Who is interested in or is using PIV-I credentials?

A. Most sources tell us they are not seeing a big uptake of the actual PIV-I credential--yet. The three main reasons: no one is compelling nonfederal entities to adopt it, it's expensive, and technical specification questions remain unanswered, including the full definition of PIV-I (just released in May 2010).

For example, one might reasonably expect PIV-I to be widespread among the aerospace and defense community because of its ties to the DoD, which has issued more than 4 million of its Common Access Cards to employees and contractors, according to the HSPD-12 Public Report Summary for the first quarter of 2010. However, sources at CertiPath, the A&D PKI bridge, and at Exostar, which secures A&D supply chain transactions and is recognized by the DoD as a trusted external PKI supplier, say PIV-I is not yet prevalent in that space.

Q. But doesn't the DoD require PIV-I for secure transactions with external partners, per the FIPS-201 requirements?

A. Not right now, said Vijay Takanti, vice president, security & collaboration solutions, at Exostar. A July 2008 memo from DoD CIO John G. Grimes basically said that the DoD would permit members of certain PKIs to do business with DoD information systems. These were Federal Bridge Certification Authority member PKIs cross-certified at what's known as the "Medium Hardware Level of Assurance"; PKI members of other PKI bridges cross-certified at Medium Hardware; and PKIs asserting "Federal PKI Common Policy Medium-Hardware" or greater.

Q. What's "Medium Hardware" all about? And what are PKI "bridges?"

A. According to the National Institute of Standards and Technology (NIST) Special Publication 800-63-1, "E-Authentication," the Medium Hardware Level of [identity] Assurance maps to NIST's definition of Level 4 assurance, which is "intended to provide the highest practical remote network authentication assurance." It requires "strong cryptographic authentication of all parties, and all sensitive data transfers between the parties. Either public key or symmetric key technology may be used."

At Level 4, the NIST document says only "hard" cryptographic tokens are allowed, and these must comply with another document, FIPS 140-2 "Security Requirements for Cryptographic Modules."

While the PIV card meets Level 4 assurance, so do other hard cryptographic tokens, including certain one-time-password devices.

The PKI bridges validate a digital certificate on a cryptographic token. The Federal Bridge Certification Authority (FBCA or Federal Bridge) performs this task for federal agencies. Other bridges are cross-certified by the Federal Bridge as meeting various assurance levels. CertiPath is the PKI bridge for the A&D industry. It links to the Federal Bridge.

Q. What's all that mean for PIV-I use?

A. For the aerospace & defense industry, it means its biggest trading partner, the DoD, is requiring encrypted authentication from trading partners but not that it be done with a PIV-I credential. "Medium Hardware" was the mark set for authentication assurance, and A&D companies thus invested in implementing that, said Exostar's Takanti. "This is still the policy we are trying to follow now," he said.

It is still not completely implemented, either: Takanti explained Medium Hardware levels of assurance must be done service by service, application by application--and A&D companies have yet to see a return on that investment.

Takanti pointed out that NIST 800-63-1 doesn't mention PIV-I, and the industry doesn't know when that document will be updated. "This standard is very important to us because it sets the bar as to what is acceptable from an authentication perspective for relying parties," he said.

Further, Takanti said 70 to 80 percent of Exostar's customers (which include about 70,000 A&D manufacturers and supplier companies) are interested mainly in granting and gaining secure logical access. In addition to digital certificates, PIV and PIV-I call for attributes on smart cards more geared to physical access control, including a photo and biometrics.

"If you're doing logical access, the system doesn't know whether you are connected to a PC by a smart card or a hardware token that's NIST SP 140-2 compliant--you just know I am authenticated by a hardware device that is not attached to my computer," he said.

That separation of authentication device from computer adds a layer of security, and in fact, is what many A&D companies are adopting for their own security purposes, not just to follow a Federal mandate, Takanti said. So they intend to ask FICAM to recognize this.

In fact, the FICAM Roadmap and Implementation Guidance does note that PKI credentials can be implemented in non-PIV environments, and, provided they meet requirements outlined in the Federal PKI Common Policy Framework and the Federal Bridge Certificate Policy, these PKI certificates can be considered trusted.
 
Q. But isn't the point of PIV and PIV-I to converge physical and logical access?

A. Yes. At least two issues have an impact on PIV and PIV-I in the physical access space.

One refers back to the "source of authority" issue. Right now, said Howard of CertiPath, most federal agencies are using their PIV cards as flash badges when it comes to physical access. The reason is that the Federal government has yet to define how the PIV card will interact with physical access control systems. The definitions for such will need to be brokered between two federal groups: FICAM, and the Interagency Security Committee (ISC).

The ISC's mandate is to "enhance the quality and effectiveness of physical security in, and the protection of buildings and civilian federal facilities in the U.S." These standards apply "to all civilian federal facilities in the U.S.--whether government-owned, leased or managed; to be constructed or modernized; or to be purchased." The ISC was created by an executive order after the bombing of the Alfred P. Murrah Federal Building in Oklahoma City in April 1995.

The ISC recommendation documents are available on a "need to know" basis. Howard said that FICAM has made recommendations to the ISC about how the PIV and PIV-I credential should be used for physical access control. But the final decision is up to the ISC.

The other issue about physical access control and PIV-I is demand. While physical/logical access on a single card makes sense for Federal employees routinely going in and out of Federal facilities, it's not so obvious a need for Federal contractors. Many businesses may frequently need to exchange encrypted emails, use digital signatures or access secure government web sites. A more limited employee population might require physical access to federal sites. PKI certificates at "Medium Hardware" levels on hardware tokens meeting FIPS 140-2 requirements might be sufficient for most employees, instead of investing in PIV-I cards for all.

Q. What's the value of using a PIV-I credential for physical access control?

A. It could be used across facilities belonging to disparate agencies and trading partners, with its PKI certificate being used to verify the validity of the card and the access rights of the person carrying it. CertiPath and FICAM have demonstrated this ability.

"There has been a lot of discussion recently about using the PIV credential for physical access control at a higher level of security than it is operating at today. If those movements are successful, there may be more of a drive to adopt that as a standard for both physical and logical access. That might give PIV more of the legs it needs to take more hold in the market," said Kevin Graebel, product line manager, HID Credentials.
 
"We're waiting on the ISC to come down from on high and propagate requirements and guidelines for the use of PIV through the federal government," Howard said. "When those regulations come out, we will start to see a greater uplift of the convergence of one badge, where we have logical access covered by the PIV card, and soon, physical access covered by the PIV card as defined by the ISC."

Q. What about the Transportation Worker Identification Credential (TWIC), the First Responder Authentication Credential (FRAC) and the Aviation Credential Interoperability Solution (ACIS)? Isn't each of these a PIV-I credential?

A. No, yes and maybe, said Howard at CertiPath, who worked to develop the TWIC specifications for Phase III and has followed the FRAC and ACIS work. Though TWIC cards have a full PIV applet, he said the cards cannot be considered PIV-I compliant because their digital certificates are good for five years; FIPS-201 requires certificates to renew every three years. So TWIC is not cross-certified to the Federal Bridge (the Transportation Security Administration (TSA) is not listed as cross-certified either).

The FRAC card will be a PIV-I credential so it can be interoperable. "This is pretty solid," said Howard.

Howard, and other sources, like Castaldo of Codebench, and Vik Ghai, CTO and vice president, products, at Quantum Secure, which is active in airport identity management solutions, all said it would make sense for the TSA to adopt PIV-I for U.S. airports.

"But who pays for the readers [at airports] to be PIV-compliant?" said Ghai, who noted the cost issue is a stumbling block for PIV-I adoption at airports.

If ACIS were PIV-I, FRAC credentials would work in airport card readers, so responders to airport emergencies would theoretically have quick access to sites, yet be securely authenticated via PKI in real time. That would also create an audit trail, so airport authorities would know who had come in and when.

Similarly, PIV-I credentials for flight crews, mechanics, etc. that could be validated and trusted across airports could increase operating efficiencies for airlines and other businesses, Ghai said.

Q. How much traction is the PIV-I credential gaining outside of federal contractors and heavily regulated spaces?

A. Some sources are very bullish on PIV-I and say certain vertical markets are adopting it today. The bio/pharmaceutical market has its own PKI bridge, SAFE, that's been cross-certified with the Federal Bridge, so participants in SAFE can exchange PKI credentials with federal agencies. Institutions of higher education also are developing a PKI bridge.
 
Other sources say the broader private sector hasn't shown much interest in PIV.

"The interest has been in places like ports and secondary airports who know that they're going to be mandated at some point and are moving in that direction. But not really in the commercial market at all. There seems to be very little interest in moving in that direction. Certainly the push toward smart cards is happening but [interest in] having any type of compatibility or even implementing the same processes that the FIPS program lays out hasn't been there," said Matt Barnette, vice president of marketing, AMAG Technologies.

Cost and effort are cited as issues. While the infrastructure exists for PIV-I and PIV-C, in the form of certified PKI providers like Cybertrust, Entrust, Exostar, VeriSign, etc., PIV implementation is not turnkey.

"There are companies that are pursuing this but the fact is, it's not something at all like turning on a light switch," says D'Agostino at IDMachines. "You can't walk into a corporation which is not PIV-I today and throw a switch and it suddenly becomes PIV-I. There are certain things that will have to happen. You have to establish a roadmap to get you there."

Q. Who is using the PIV-Compatible, or PIV-C, credentials?

A. That's a good question. PIV-C cards follow the FIPS 201 technical specifications--but not the identity proofing/issuing requirements. Because they lack that strong binding of physical identity to credential, PIV-C cards aren't trusted credentials by those agencies and parties accepting PIV or PIV-I cards.

So why would an entity issue a PIV-C card? Some sources point out that even though the credential wouldn't be accepted by the DoD or other federal agency, an enterprise would still have access to a large and growing body of standards-based technology and equipment. In turn, that means vendors competing for business, which should equal lower costs.

"The PIV route gives you the option of always having competing vendors and prices I would expect to be more favorable on the basis of volume," said Neville Pattinson, vice president of government affairs at Gemalto.

Further, some industries--finance being mentioned most often--may need or want the level of security built into the PIV specs. Another potential attraction is federating physical access across facilities.

Still, smart card standards with widespread application support, including Microsoft's Base CSP and PKCS#11, compete with PIV, said HID Global's Graebel. Steve Howard at CertiPath, in an email follow-up, said PKCS#11 can work with PIV. Further, he noted Microsoft's heavily promoted .NET platform exists for creating applications, while PIV is about solving identity verification problems.

Q. If millions of people eventually carry PIV or PIV-I or even PIV-C credentials, how could other entities leverage the ubiquity of those?

A. It depends. Used as a flash badge, a PIV or PIV-I credential hasn't much more value than any other photo ID. The only way to tell if a PIV or PIV-I credential is still valid is by querying the certificate authority that issued the PKI certificate attached to the card. To do that, the entity checking the credential would need to belong to a PKI bridge cross-certified by the Federal Bridge or be cross-certified itself to the Federal Bridge. More of those may come, but the Federal CIO list of cross-certified bridges and entities is still largely limited to federal agencies, the A&D and bio/pharma bridges, the State of Illinois and Wells Fargo.
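A relying-party acceptance check that models the points above, plus the certificate-lifetime rule from the TWIC answer earlier (a certificate valid for five years instead of three is not PIV-I compliant). This is an added example, not code from the article or from any vendor or bridge named in it; the bridge and CA names, the cross-certification edges, the dates and the revocation flag are constructed sample data, and the revocation answer is a stubbed field rather than a real OCSP or CRL query.

```python
from collections import deque
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Article: FIPS-201 requires certificates to renew every three years.
MAX_CERT_LIFETIME_DAYS = 3 * 365


@dataclass(frozen=True)
class Credential:
    holder: str
    issuer_ca: str      # CA that signed the PKI certificate on the card
    not_before: date
    not_after: date
    revoked: bool       # stub for what the issuing CA's status service would answer


# Constructed cross-certification graph (an assumption, not a real policy map):
# an edge A -> B means A has cross-certified B. Only bridges the article names
# appear, each with a hypothetical member CA.
CROSS_CERTS: Dict[str, Set[str]] = {
    "Federal Bridge": {"CertiPath Bridge", "SAFE Bridge"},
    "CertiPath Bridge": {"Example A&D Member CA"},
    "SAFE Bridge": {"Example Pharma Member CA"},
}
TRUST_ANCHOR = "Federal Bridge"


def trust_path(issuer_ca: str, graph: Dict[str, Set[str]] = CROSS_CERTS) -> Optional[List[str]]:
    """Breadth-first search from the Federal Bridge to the issuing CA.
    Returns the chain of cross-certifications, or None when the issuer is not
    reachable (the situation the article describes for TWIC's issuer)."""
    parents: Dict[str, Optional[str]] = {TRUST_ANCHOR: None}
    queue = deque([TRUST_ANCHOR])
    while queue:
        node = queue.popleft()
        if node == issuer_ca:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def check_credential(cred: Credential, today: date, electronic_read: bool) -> Tuple[bool, str]:
    """Accept or reject a presented credential and explain why.
    electronic_read=False models the "flash badge" case: the card is only
    looked at, so none of the PKI checks below can run."""
    if not electronic_read:
        return False, "flash badge only: no PKI check, no more assurance than a photo ID"
    lifetime = (cred.not_after - cred.not_before).days
    if lifetime > MAX_CERT_LIFETIME_DAYS:
        return False, f"certificate lifetime of {lifetime} days exceeds the three-year limit"
    if not (cred.not_before <= today <= cred.not_after):
        return False, "certificate is outside its validity period"
    path = trust_path(cred.issuer_ca)
    if path is None:
        return False, f"issuer {cred.issuer_ca!r} has no cross-certified path to the Federal Bridge"
    if cred.revoked:
        return False, "issuing CA reports the certificate as revoked"
    return True, "accepted via " + " -> ".join(path)


# Constructed sample credentials and check date.
TODAY = date(2010, 6, 1)
ALICE = Credential("Alice", "Example A&D Member CA", date(2009, 1, 1), date(2011, 12, 31), False)
TWIC_LIKE = Credential("Bob", "Example Port Issuer CA", date(2008, 1, 1), date(2013, 1, 1), False)
REVOKED = Credential("Carol", "Example Pharma Member CA", date(2010, 1, 1), date(2012, 12, 1), True)

if __name__ == "__main__":
    for cred in (ALICE, TWIC_LIKE, REVOKED):
        print(cred.holder, check_credential(cred, TODAY, True))
    print("flash badge:", check_credential(ALICE, TODAY, False))
```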

Certainly there's precedent, in European and PacRim countries, for private citizens to carry government-issued smart cards that can be utilized by private businesses that are part of the overall "trust fabric." For example, the Spanish government worked to get businesses involved in its Spanish ID project up front to help develop use cases with customer-citizens who would carry the card, explained Nora Cox, senior product manager, at Entrust.

What FIPS 201 might do is provide a framework for private entities that want to issue for-profit credentials to individuals who are willing to pay to be vetted and proofed in return for having a credential that gets them through airports faster and perhaps validates online transactions more securely.

Q. Will PIV and PIV-I always be smart card based?

A. FIPS 201 right now specifies a smart card, as does the PIV Interoperability for Non-Federal Issuers document. But those documents could change--might have to change, because technology is outpacing the standards.

"It's important to think of it as a credential, not a smart card. It is form-factor agnostic," said D'Agostino of IDMachines. "There's no reason this could not be a phone, a USB or a piece of plastic. Your phone has a SIM, your phone has radios that can communicate wirelessly with devices. It can function exactly like a smart card."

"We're definitely seeing the need for stronger identity validation," said Brian Skiba, president, MaxID Corp US. "That might be done with PIV; it might be done with something else." He pointed out the national identity project under way in India is card-less, being based totally on biometrics and unique identifier numbers.

Still, others are sure the future is PIV and PIV-I.

"PIV-I will be the next HID prox card," said CertiPath's Howard. He's looking at a five-year time frame toward ubiquity that assumes the federal government will start using PIV widely and to its full capabilities.

Q. So will PIV and PIV-I credentials issued by federal and private entities be "reusable" in other spaces? That is, could a person with a PIV-I credential open a bank account or establish an online account securely, using the PKI certificate?

A. That's not clear. Graebel at HID suggested PIV and PIV-I are meant to be very secure credentials and not opened up to other applications. Yet if smart phones became PIV and PIV-I carriers, that could foster some interesting cross-pollination among apps and a very secure identity verification.

If the "trust fabric" being woven today for PIV and PIV-I (PKI bridges, standards-based equipment and software) grows wider, more entities out of regulated spaces might participate. That could include vendors selling PIV-I credentialing services to individuals and small businesses.

(Anecdotally, several frequent flyers told us they'd pay more than $100 for a credential that would get them through airports faster. A PIV-I trust fabric might succeed where other efforts have failed because of lack of critical mass.)

Q. Any conclusions?

A. PIV and PIV-I may be going slowly, but they aren't going away. The key value of these credentials, which should be portable regardless of whatever form factors emerge as dominant, will be the strong and continuous binding of identity to the credential. That will offer value that reaches beyond people working with top secret documents and intellectual property, as individuals recognize the importance of safeguarding their identities personally and professionally, online and in the real world.

# # #

Be sure to see the transcripts from many of our background interviews under "related links" below. If this piece was helpful, please support Security Squared by taking a moment to sign up for our free weekly newsletter. We'll keep your data secure and private.
