How FICAM Revisions Enable New Security Solutions in the Government Sector

Face biometrics now equivalent to fingerprints under FIPS standards

David Smith is the CEO of Identity One.

For government facilities and civilian organizations alike, establishing an effective physical access control system (PACS) is a top priority.

Given the sensitive nature of the resources and information contained within many U.S. government facilities, though, designing a PACS that complies with the latest updates to Federal Information Processing Standards (FIPS) 201-3 is of vital importance.

The Importance of FICAM-Approved Technology

Nearly all applications that deal with finance, privacy, safety or defense deploy some form of identity authorization system at their entry points. In the government space, the Federal Identity, Credential and Access Management (FICAM) architecture establishes standards that determine the allowed activities of legitimate users and mediate every attempt by a user to access a resource in the system.

The latest revisions to FIPS 201 lay the foundation for PACS to incorporate recent advances in both biometric recognition technology and derived credentials, so that new and existing FICAM deployments can take advantage of these developments. By codifying them, this third revision to the standard, FIPS 201-3, makes the best PKI-based, high-assurance access control and biometric identity technology available to federal government facilities.

Important Changes Included in FIPS 201-3

Published in January 2022, revision 3 of FIPS 201 introduces several important changes to FICAM’s common set of standards, best practices and implementation guidance for federal agencies. Included among them is the elevation of face biometrics to be equivalent to fingerprint biometrics for the highest assurance level, in addition to a further definition of derived personal identity verification (PIV) credentials and their appropriate use cases.

PIV credentials, as defined by FIPS 201, are secure and reliable forms of identity credentials issued by the federal government to its employees and contractors. Their purpose is to authenticate both the identity of the person and the authenticity of their credential for access to federally controlled facilities, information systems and applications. As part of an industry-wide push to adapt to touchless technology in the aftermath of COVID-19, the elevation of facial recognition technology for identity verification means that the most advanced contactless biometrics technologies are now supported for systems that use common access cards (CAC), PIV and transportation worker identification credentials (TWIC).

Another significant change involves the use of derived credentials, including the potential for PIV-derived credentials to be loaded onto phones for logical, physical and mobile access control for CAC, PIV and TWIC-based security solutions. As the use of these methods of identity authentication continues, so will the relevance of FIPS 201 in an increasingly digital world.

FIPS 201-3 specifically allows the use of the face image from the PIV applet on the PIV card. However, this image is typically small and low quality, and it lacks the special data elements, such as infrared and 3D, that make modern face biometrics work.

Two changes combine here: face biometrics are approved for high assurance levels, and face biometrics with infrared and 3D elements are categorized as derived credentials. The result is the potential for a fully FIPS 201 FICAM-compliant system that performs to the same level as the latest face biometrics technologies.

To streamline access control for government facilities, integrators should prioritize integrating both hardware and software that incorporate the latest updates to FIPS 201 and are designed for frictionless access.