Draft Still Needs Tuning for High Security and Physical Access Systems Interoperability
August 10, 2012
Manager of Communications
Security Industry Association
SILVER SPRING, MD -- Today, the Security Industry Association (SIA) submitted important new comments to NIST regarding the revised draft of FIPS 201-2, the standard for Personal Identity Verification (PIV). SIAs PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications, especially those that address the high security objectives of HSPD-12.
NIST released the first draft of the update to the 2005 FIPS 201 over a year ago and has again sought industry input on their latest work product.Though NIST has extensively addressed the comments received on the first draft, they have also introduced a number of new concepts, which have drawn strong reaction from industry.One of the main issues is the need to get the specification fully effective near term, since it will not be changed for at least five years after its anticipated release in early 2013.
There are several issues that are important to SIA and the security industry, including: the ability to achieve technical interoperability in Physical Access Control Systems (PACS); recognition of 3-factor authentication (card, PIN, biometrics), a long time industry practice; and outdoor environmental challenges which necessitate the use of contactless readers. Per the current draft standard, contactless readers cannot be used for High or Very High confidence assurance levels.
NIST has come a long way since 2004 when Homeland Security Presidential Directive-12 dictated the first versions of PIV be brought to market. However, the initial implementations often used the basic CHUID reader technology, which is now being deprecated and demoted to low assurance levels, which is appropriate, according to Rob Zivney, chair of SIAs PIV Working Group. Now we need to more fully embrace the cryptographic and biometric capabilities of the card so we can use them securely over the contactless interface for the highest 3-factor authentication -- even when embedded in a mobile phone. We offered suggestions that would bring the new technology to the PIV card much sooner than waiting out current lifecycles of both the Standard and the PIV Card, Zivney added.
PIV card technology use has begun to spread beyond federal employees and contractors.A range of companies and entities that do business with the federal government -- aerospace and defense contractors, international banks and state governments use PIV-I (PIV-Interoperable). Seaports and truckers use the TWIC (Transportation Worker Identification Credential) in the private sector and first responders are using the FRAC (First Responder Authentication Credential). All of these and more are based on PIV.As a result, SIAs comments are as critical to the private sector as they are for the federal sector for which PIV was originally chartered.
The comments can be found on SIA's website at http://www.siaonline.org/government under "Headlines."
The Security Industry Association (www.siaonline.org) is the leading trade group for businesses in the electronic and physical security industry. SIA protects and advances its members' interests by advocating pro-industry policies and legislation on Capitol Hill and throughout the 50 states; producing cutting-edge global market research; creating open industry standards that enable integration; advancing industry professionalism through education and training; opening global market opportunities. As sole sponsor of the ISC Expos, the worlds largest security trade shows and conferences, SIA ensures its members have access to top-level buyers and influencers as well as unparalleled learning and network opportunities.