As SP 800-116-1 states: "… this recommendation provides a technical guide to using Personal Identity Verification (PIV) Cards in accessing facilities …". Unless otherwise indicated, compliance with this publication is recommended. The general mandate to use a PIV card for physical access to federal facilities, however, is rooted in Homeland Security Presidential Directive 12 (HSPD-12).
HSPD-12 mandated the establishment of a government-wide standard for identity credentials to improve physical security at facilities controlled by the federal government. HSPD-12 required that government employees and contractors receive a new identity card based on Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, in accordance with guidance from the Office of Management and Budget (OMB) and the Office of Personnel Management (OPM).
The revision faced many challenges
This revision updates and sharpens the focus on the methodology for applying the secure attributes of the PIV card to access to federally owned and controlled facilities. That said, this publication had a difficult genesis. The base document grew out of a migration study that I wrote in 2007. That strategy and plan fostered effective and efficient cooperation between the disciplines of physical security and information technology. The convergence of these disciplines was necessary to comply with the mandates of HSPD-12 and to reach the desired end state under FIPS 201-1. Many in the physical security community, both inside and outside the federal government, felt that this mandate belonged in the "too hard to do" box. There were many meetings and discussions throughout the government on how industry could respond to the requirements of FIPS 201.
The Smart Card Alliance Physical Access Council, in collaboration with the Open Security Exchange, the Security Industry Association and the International Biometric Industry Association, published in September 2007 a report on Physical Access Control System (PACS) migration options for using FIPS 201-1 compliant credentials. A key conclusion of that report was:
"… In moving to accept PIV credentials, it is recommended that the security director first define the end-state identity verification objectives, then decide which equipment, if any, is needed to help achieve that goal and, finally, develop a transition and migration plan that meets the needs and budget of the agency …"
The leadership of the Office of Management and Budget (OMB) asked the National Institute of Standards and Technology (NIST) to prepare a guidance document for federal agencies on using the PIV Card in a PACS. SP 800-116 was the result. NIST, under the leadership of the late William "Bill" MacGregor, assembled a team of information technology and physical security analysts to develop this special publication. In my role as Chairman of the Convergence Subcommittee of the Department of Homeland Security's Interagency Security Committee (ISC), I led the physical security perspective for the publication. An important contribution to the document was the adoption of the restricted area concept from United States Army Field Manual (FM) 19-30, Physical Security.
That concept appears in the PIV authentication mechanism mapping examples shown in Figure 5-5, on page 25 of SP 800-116-1.
The technical challenges are many. The PIV credential is smart card technology, essentially a computer on a chip embedded in plastic. FIPS 201-1 also provides for two legacy-compatible technologies on the card, a magnetic stripe and bar codes. However, FIPS 201-1 did not include the technology most commonly used for PACS at the time, low-frequency wireless proximity. In 2007 this technology was deployed in approximately 70 percent of existing government facilities. Adding low-frequency proximity technology to the PIV card for initial implementations let agencies keep using their installed PACS, providing a smoother migration to the PIV-enabled PACS end state. It was understood that this was a short-term, transitional strategy that allowed an agency to preserve its investment in an existing installed PACS based on proximity technology. Including low-frequency proximity technology is unnecessary if the agency's existing PACS already uses the technologies included in the PIV credential (magnetic stripe and/or bar code). It was also understood that inter-agency credential interoperability, a key objective of HSPD-12 and FIPS 201-1, would probably not exist during this transition phase with any of the legacy-compatible technologies. Adding 125 kHz proximity to the PIV card saved agencies thousands of dollars by avoiding a "forklift" replacement of thousands of 125 kHz proximity readers with the 13.56 MHz high-frequency contactless technology required by FIPS 201-1.
Getting to the nitty-gritty
Now, let's get down to basics. In SP 800-116, Bill MacGregor gave the federal government a robust methodology supporting multiple trust-based applications. All PIV electronic authentication mechanisms rest on the trust provided by public key infrastructure (PKI). As the Smart Card Alliance suggested in 2007, "… the security director should define access requirements …". That definition, of course, must be based on the sensitivity of the area. In short, each PIV card carries a certificate that must be validated, and that validation is what establishes trust.
This revision improves the guidance given to federal agencies. The essence of HSPD-12 and FIPS 201 was to strengthen the protocols required to access physical and logical resources. The directive and the standard mandated the development of a secure, verifiable and interoperable "medium" that would be used throughout the federal government. The information technology community was ahead in the authentication process for secure access; PACS architectures were outdated, proprietary and stovepiped, and lacked secure access attributes. To highlight this for the physical security community, SP 800-116 provides a comprehensive section on the threat environment.
Before HSPD-12 was issued, the great majority of federal facilities used the "flash pass" (show the badge, then pass) access method, which is vulnerable to visual counterfeiting and duplication of cards, and to social engineering. In addition, many agencies used electronic access control based on 125 kHz proximity technology. That technology is susceptible to skimming, sniffing, social engineering and electronic cloning. The guideline recognizes the complexities of PACS and proposes using the PIV card's cryptographic mechanisms to reduce the probability of successful unauthorized physical access.
Using the card's features
To achieve this, the guide builds on the authentication features that FIPS 201 requires of the PIV card. The main authentication factors are known as K-H-A. The "K" refers to something you know. Each PIV card has a personal identification number (PIN). This six-digit PIN is chosen by the cardholder or assigned by the issuing organization. The "H" refers to something you have. Each PIV card carries its own Public Key Infrastructure (PKI) certificate. This certificate is issued by the organization and administered by an approved certification authority (CA), which must comply with the strict requirements of the Federal PKI Common Policy. Finally, there is the "A", which means something you are: the cardholder's biometric. The latest revision, FIPS 201-2, allows two types of biometrics, fingerprint and iris. Using these features of the card therefore gives the organization the option of controlling physical access according to the sensitivity of the area. In Chapter 4, PIV Authentication Mechanisms in PACS Applications, an extensive use case describes how to apply these mechanisms within a facility that has locations of several sensitivity levels.
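To make the "K" and "H" factors concrete, here is an added example that is not code from the article, from NIST, or from any PIV card or middleware. It simulates, in Go with only the standard library, the PKI challenge-response a PACS reader performs: the reader chains the card's certificate to the agency CA, checks the validity period, sends a fresh random challenge, and the card signs it only after the correct PIN. Everything beyond that is an assumption for the example: ECDSA P-256 keys, a single self-signed root CA, a three-try PIN lockout, no CRL/OCSP revocation check, and certificate contents far simpler than the real PIV profiles. The actual card-edge command set and the biometric ("A") factor are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const pinRetryLimit = 3 // assumed lockout threshold for this demo, not a value taken from FIPS 201

// newCert generates a P-256 key and signs tmpl under parent/parentKey (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCA is a constructed stand-in for the agency's approved CA: one root, no intermediates, no revocation checking.
func issueCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Agency Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueCard issues the holder's card authentication certificate under the CA ("H": something you have).
func issueCard(ca *x509.Certificate, caKey *ecdsa.PrivateKey, holder string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: holder},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, caKey)
}

// Card models the card-bound factors: the PIN ("K") gates use of the private key, which never leaves the card.
type Card struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	pin     string
	retries int // remaining PIN attempts; 0 means the card is blocked
}

// Sign answers the reader's challenge only after a correct PIN; wrong PINs count down toward lockout.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.retries == 0 || subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		if c.retries > 0 {
			c.retries--
		}
		return nil, fmt.Errorf("PIN rejected (%d tries left)", c.retries)
	}
	c.retries = pinRetryLimit
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// VerifyCard is the reader side: chain the certificate to a trusted root, check its validity period at now, then verify the challenge signature.
func VerifyCard(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("challenge signature does not verify")
	}
	return nil
}

// Authenticate runs one reader/card exchange with a fresh random challenge, so a captured response cannot be replayed the way a prox card ID can.
func Authenticate(roots *x509.CertPool, card *Card, pin string, now time.Time) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := card.Sign(pin, challenge)
	if err != nil {
		return err
	}
	return VerifyCard(roots, card.Cert, challenge, sig, now)
}
```

Authenticate returns nil only when the chain, the validity period and the signature all check out. Run it with a wrong PIN, with now moved past the certificate's NotAfter, or with a root pool that does not contain the issuing CA, and each path fails with a distinct error. Because the reader picks a new 32-byte challenge every time, a (challenge, signature) pair captured at one reader is useless at the next one, which is exactly the property the 125 kHz proximity cards described above lack.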
To implement SP 800-116-1, the guide suggests that organizations integrate these concepts with their Identity, Credential and Access Management (ICAM) program. Organizations operate in an environment of constantly changing threats: data breaches are all too common, incidents of identity theft are growing, and trust relationships are enforced inconsistently. Cybersecurity must therefore be addressed comprehensively across the enterprise to face these growing threats.
The cybersecurity threat is compounded by the growing need to improve physical security at the organization's owned and leased facilities. The ICAM construct is a collection of functions and programs that support the intersection of identities (with their associated attributes), credentials and access (cyber and physical) control in an integrated management approach for making organizational decisions. Using the ICAM construct, "… An integrated PACS allows the exchange of information between systems and agencies with common access controls and policies. The agency's ICAM infrastructure would serve as the central identity trust chain that many applications can rely on to consume authorization decisions, specifically applications that leverage the PIV for physical and logical access …"
Countries that have implemented PIV-like smart cards as their national identification card should take advantage of the ICAM construct, together with the guidance in SP 800-116-1, for their installed base, since they could count on a secure means of providing government services. For private industry this could be a costly undertaking. However, companies must weigh these measures against the value of their holdings and organizational operations.
About the Author: Ron Martin, CPP, has business relationships with a diverse mix of businesses. Ron retired from the United States Army in 1999 and from the U.S. Government in 2011. Between his stints in federal service, he served for five years as a civilian police officer in the state of Virginia. During his federal service he served in the U.S. Department of Commerce, where he led the initial implementation of Homeland Security Presidential Directive 12 (HSPD-12). At the U.S. Department of Health and Human Services, he served as Program Director for the development and implementation of the Department's Identity, Credential and Access Management (ICAM) program. Ron is an adjunct professor at Capitol Technology University in Laurel, MD, where he teaches a graduate course in Identity, Credential and Access Management (ICAM).
Notes
Smart Card Alliance: now known as the Secure Technology Alliance.
Proximity technology: also known as 125 kHz or low-frequency proximity. This differs from the 13.56 MHz high-frequency contactless technology that FIPS 201-1 requires as the smart card chip's contactless interface. 125 kHz proximity functionality is enabled by incorporating a separate chip and antenna into the PIV card.
Medium: the term is also used here to cover the usage protocol for "derived credentials"; see https://www.nccoe.nist.gov/projects/building-blocks/piv-credentials
Stovepipe: a structure that severely or totally restricts the flow of information within an application. It inhibits or prevents interoperability between systems.
Social engineering: a person reports a card as lost, stolen and/or destroyed, then uses the "extra" card or passes it to someone else to use.
Electronic cloning: replaying the attributes of the card that are not protected by a Personal Identification Number (PIN).