Taking FIPS 201 Beyond the Card
Get key insights from GovSummit on the future of federal identity.

Here are some takeaways from a recent SIA GovSummit session examining the evolution of Federal Information Processing Standards 201 (FIPS 201) identity models to support today’s digital-first environments.
FIPS 201 is a proven identity management system developed by NASA and U.S. Department of Defense computer scientists in partnership with industry. It has a strong track record of significantly improving both physical and logical security. Whether you are a senior government executive or part of a corporate C-suite, if you are not part of a comprehensive security program that addresses both physical and logical security, you will, at best, be relegated to someone else’s comprehensive security plan—or become obsolete.
Technology providers and integrators need to stop viewing FIPS 201 as simply a smart card standard and start recognizing it as a full identity management system. While FIPS 201 is written as a very specific standard for issuing high-security credentials to U.S. government employees and contractors, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 is designed to be scalable and can be used to evaluate any identity management system.
Integrators and consultants need to realize how significant the losses can be from an identity management plan that is not comprehensive, as demonstrated by the $100 million loss experienced by MGM Resorts International. They should apply the criteria outlined in NIST SP 800-63 to evaluate how identities are bound to credentials and how access rights are granted and revoked.
Two major changes are coming to the identity space: mobile identity and quantum computing attacks. Mobile ID is what the modern workforce expects and, contrary to popular belief, it can be implemented using the personal identity verification (PIV) data model and related technologies. However, several challenges and standards still need to be addressed. The security industry can take multiple actions to secure its future. First, it should develop open standards through the American National Standards Institute (ANSI) process, which the federal government is required by law to review and, if applicable, adopt. The Security Industry Association (SIA), as an ANSI-accredited standards development organization, ensures that all stakeholders in the security industry have a voice, regardless of SIA membership status. This inclusivity is one reason the federal government places such high value on industry-driven standards.
Quantum computing, once operational, will put most current encryption standards and methodologies at risk. This raises critical questions: When will this happen? What will we need to do? No one knows exactly when quantum computing will become operational—or whether its capabilities will remain classified once it does. NIST has already released post-quantum encryption algorithms designed to resist quantum attacks. Additionally, NIST guidelines recommend that any encryption deployed after 2030 be post-quantum capable, and that all legacy cryptography be retired by 2035. These new algorithms will require more computing power and take longer to process than those currently in use. This reality supports shifting security functions to mobile devices, which can leverage higher processing power and support faster key rotation—capabilities likely needed in a post-quantum world.
While these challenges are significant, it is essential for industry to step up and lead the development of new standards that both protect our digital world and enable end users to do their jobs. For something to be an asset, it must be accessible. The skilled security professional considers how the rightful user will access and use the asset—the amateur focuses only on keeping bad actors out.
SIA GovSummit—the nation’s premier government security conference—was presented by SIA on May 20–21 in Washington, D.C.
