

Important FIPS 201 Deployment Considerations


Ensuring Your Implementation is Future-Ready

When the Homeland Security Presidential Directive 12 (HSPD-12) was issued in August of 2004, some government agencies were already underway with smart card programs. However, for all agencies, the directive to implement a smart card initiative that meets the Federal Information Processing Standard 201 (FIPS 201) - the standard that was developed in response to HSPD-12 - is a challenging project that must be rapidly tackled to meet directive deadlines. The goal of FIPS 201 is to produce a common identification standard for all federal government employees and contractors.

Implementing an HSPD-12 project entails working with multiple vendors and requires a careful selection of the right technology to ensure a proven and scalable solution that can accommodate evolving functionality and compliance requirements. Important topics such as public key infrastructure (PKI) decisions, biometrics integration, identity proofing, card issuance and credential validation involve many different vendors and options. Making the wrong decisions can greatly limit the near-term and long-term effectiveness and functionality of a FIPS 201 deployment. This white paper will quickly review the basics of the FIPS 201 standard, uncover important issues agencies should be prepared to address and recommend how agencies can best meet FIPS 201 requirements in a timely and cost-effective manner.

FIPS 201 Basics

FIPS 201 identifies four primary parties in the personal identity verification (PIV) process for organizations without an existing PIV system:

  • Applicant: The applicant is the government employee or contractor in need of a PIV card to access federal sites or resources.
  • Sponsor: The applicant's request for a PIV card must be sponsored or approved by someone with authority within the agency, such as the applicant's manager.
  • Registrar: The registrar is responsible for processing approved PIV card requests, which includes validating the identity of applicants and initiating background checks.
  • Issuer: The issuer is responsible for personalizing the PIV card and securely delivering it to the applicant.

Figure 1: The four major parties involved in FIPS 201

In the second stage of FIPS 201, known as PIV II, two further roles are added: a digital signatory and an authentication certification authority. The issuer may also act as the digital signatory, digitally signing the biometric data and the cardholder unique identifier (CHUID) so that a reader can detect any later tampering with those objects. The authentication certification authority issues and signs the PIV authentication certificate, which binds the cardholder's public key to his or her identity; the corresponding private key is held on the card and is never signed or handled by the certification authority.

FIPS 201 Processes

There are three primary processes involved in FIPS 201 projects: identity proofing and registration, card issuance and maintenance, and access control.

Identity Proofing and Registration

The identity proofing and registration process involves the applicant, the sponsor and the registrar. The applicant must make an in-person appearance at a registrar enrollment station and present two forms of I-9 approved identification, known as breeder documents. Breeder documents may be scanned and must go through a document proofing process that authenticates them. Biometric information is also captured, which includes multiple fingerprints and a facial photograph. The sponsor signs the original PIV card request for verification at issuance.

The registrar also must have background checks performed on each applicant, which include cross-checking applicants against numerous federal databases, such as terrorist watch lists.

Requests for PIV cards, approvals, breeder document images, demographic data, biometric information and other registration data are securely stored in an identity management system (IDMS). The IDMS controls the process flow from registration through issuance and enables administrators to create or cancel privileges associated with each applicant.

Card Issuance and Maintenance

The card issuance and maintenance phase involves the applicant and the issuer. The issuer can personalize and print a card for an approved request ahead of time, or on demand when the applicant appears at an issuance station. The issuance officer validates the applicant's identity against the identity documents and the biometrics captured at registration, and then activates the card. In a PIV II compliant system, the issuer loads a cardholder authentication certificate for logical access, the signed biometric data and the signed physical access credentials onto the smart card before issuing it.

Access

Physical Access: When a PIV smart card user presents his or her card at a point of physical access, such as a door, the access control system verifies the credential before granting entry. If the area is secured under a High Assurance profile, the point of access verifies the issuer's signature on the physical access credential and queries an online certificate status protocol (OCSP) responder to confirm that the credential has not been revoked; only then is entry granted. The signature check proves the credential was genuinely issued, not that it is still valid, which is why the status check is needed as well.

Logical Access: When a PIV smart card user presents his or her card for network access to data via interfaces such as Microsoft smart card login, a validation authority rapidly validates the user's logical access certificate with an OCSP responder that confirms the credential is still valid.

Many technology providers and components are necessary to implement the full range of PIV processes from registration to issuance to access. These include certification authority management, biometrics capture, identity proofing, an IDMS, a smart card manufacturer and a validation authority. There are many considerations and choices that HSPD-12 project managers must take into account when planning their deployments.

The Challenges of FIPS 201 Deployments

FIPS 201 implementations are large undertakings. A wide range of issues must be examined to build an infrastructure that can accommodate an uncertain future.

Breeder Documents and Identity Proofing

Breeder documents are presented to the registrar and are used to authenticate a person's claimed identity, known as identity proofing. The proofing process establishes a level of confidence in an individual's identity. If a credential is issued based on a faulty identity proofing process, the credential could be compromised. It is critical to establish and bind a validated claimed identity to a PIV credential at the time it is issued.

Breeder documents must include government-issued forms of identification such as a driver's license, passport, visa or alien registration card. To assure breeder documents are not forgeries, forms of identification must be authenticated as having the necessary inherent security features, such as images appearing under ultraviolet light. An identity proofing solution must be able to examine and authenticate many different forms of identification and should perform checks against governmental and commercial databases to validate that the information presented on the breeder documents corresponds with the applicant's claimed information.

The many types of identification that must be verified can make authenticating breeder documents and identity proofing a time-consuming, manual process. Fortunately, automated solutions exist that scan, detect and cross-reference data against multiple databases to quickly assess the authenticity of breeder documents and enable a registrar to confidently verify identities.

Biometrics Capture

The FIPS 201 standard leverages biometrics at multiple stages, including identity proofing, issuance and access. The initial stage of the standard (PIV I) does not require biometrics but recommends fingerprints, while the second stage (PIV II) requires biometric data on the card: two fingerprints are mandatory and a facial image is optional.

Many agencies already leverage fingerprint recognition technology based on either minutiae patterns or an actual image of an entire fingerprint. However, there is no finalized FIPS 201 fingerprint format standard for use with physical or logical access. Choosing the wrong solution will limit an agency down the road.

The same set of fingerprints captured at enrollment must be used throughout the FIPS 201 process. Also, FIPS 201 recommends that agencies employ biometric verification when an applicant picks up his or her smart card for the first time.

When capturing a facial image for storage in the IDMS and printing on the PIV card, it is important to capture the picture in a way that enables it to be searchable for future facial biometric purposes. If the quality of the image is poor, an agency will need to photograph each cardholder a second time. Recording facial images in formats that enable systems to search images will also reduce long-term costs.

Performing PKI In-House

Implementing the policies, processes, servers and software necessary to issue, maintain and revoke public key certificates is a large undertaking. If an agency is considering operating a PKI in-house, it must be compliant with the Federal PKI Common Policy Framework - the standard policy for the deployment and use of digital certificates for federal employees and contractors - by October of 2005. A key requirement is that agencies must operate a certification authority that is cross-certified with the Federal Bridge at medium assurance or higher.

Many agencies do not have the staffing or budgets to set up such an infrastructure in a short period of time. Because PKI credentials are critical for authenticating an employee or contractor for logical access, they are at the core of a PIV smart card system. Implementing PKI from scratch requires very specialized engineers and a budget in excess of a million dollars. If an agency does not already have a system in place that has been approved by the OMB and is cross-certified with the Federal Bridge, it is unlikely the agency will meet the deadlines mandated by HSPD-12.

Significant challenges include the need to accommodate physical and logical systems controls, high fault tolerance and disaster recovery capabilities. If the PKI system goes down and the ability to validate certificates becomes unavailable, doors do not open and systems cannot be accessed, effectively shutting down an agency. Another important consideration is the ability to set up and maintain PKI for thousands of people.

Fortunately, federal government certified managed or shared service providers exist that enable an agency to outsource the PKI process, speeding implementation and avoiding costly investments.

Card Issuance

The issuance of a PIV smart card is a complicated process involving collecting, configuring, formatting and securely transmitting keys, data and credentials from various sources. FIPS 201 calls for both physical and logical access credentials on a single card. Traditionally, a separate card managed by a facilities group enabled physical access and logical access was the responsibility of the IT group. Today, no single vendor exists that handles both the physical and logical access requirements of FIPS 201. The challenge is finding physical and logical access component vendors that integrate well with one another and support FIPS 201.

Multiple approaches exist for issuing and distributing smart cards. Cards are usually produced either on demand at the issuance station or in batches at a central location and then distributed. On-demand issuance lets an agency issue or replace a PIV card while the applicant is present, without shipment delays. Centralized issuance lowers per-site infrastructure costs in principle, but it adds logistics constraints, including the secure delivery of personalized cards to each applicant.

When producing cards on-demand, important integration and performance issues must be examined. Personalization information is pulled from many sources simultaneously, such as a certification authority, LDAP/Active Directory and databases, making it important that every component provide the performance and scalability necessary to speed on-demand card creation.

Card platform considerations must also be examined. Dual interface chips and dual chip hybrid cards exist for accommodating logical and physical access. It is important to select a card that will meet an agency's long-term needs.

Credential Validation

Quickly validating the status of PIV card credentials before granting access to physical structures or information systems is critical to the access component of FIPS 201. Because alternatives such as distributing full certificate revocation lists to every access point perform poorly at scale, FIPS 201 recommends OCSP as its preferred validation architecture. It is important to note that there are multiple ways to implement OCSP, and they differ chiefly in where the signing key lives.

With the traditional OCSP model, the responder is an online server that holds the current revocation data together with the private key used to sign responses. When an application requests a status check, it queries the responder, which signs a fresh response to that query. There are a number of concerns with this model. Because the signing key must be online to answer queries, every responder is a high-value target: if the key is compromised or stolen, an attacker can sign a "good" response for a revoked credential, and the access point will accept an invalid credential as valid. Each responder therefore has to be a hardened, physically secured server.

In addition to security issues, the traditional OCSP architecture may perform poorly for large agencies, since every access decision waits on a round trip to one of these servers, negatively impacting employee productivity. Within that model the only remedy is to deploy more of the expensive secure servers, each holding its own copy of a signing key.

Fortunately, an alternative to the traditional model exists, known as distributed OCSP. Because responses are signed in advance by a single protected signer and merely served by the responders, distributed OCSP can provide better performance and a smaller attack surface at lower cost than traditional OCSP.

Suggested FIPS 201 Solutions

The many challenges outlined in this paper can be addressed by making the right decisions early in the FIPS 201 planning process. The following solutions overcome most of the challenges an agency will face:

Breeder Documents and Identity Proofing

Authenticating breeder documents and proofing employee and contractor identities are critical stages of the FIPS 201 process. When examining breeder document authentication, be sure the solution can:

  • Determine if the presented identification document has been tampered with
  • Verify the existence of a wide range of security features that are present on any given form of identification
  • Work with a wide range of government-issued forms of identification and accept non-standard identification documents such as a birth certificate
  • Digitally scan and record copies of all presented identification forms in the IDMS database

A robust identity proofing solution should be able to:

  • Automate the identity proofing process in a paperless manner for a simplified operational workflow
  • Cross-reference multiple internal and online databases, and statistically determine the level of confidence that the applicant is who he or she claims to be
  • Search government and departmental watch lists, and criminal databases
  • Unify the document authentication and broader identity proofing processes in a single workflow
  • Leverage open APIs so information can be shared between systems
  • Provide auditable reports that reveal when and where proofing transactions occurred, who accessed records and whose PIV smart cards were issued

Biometrics

When looking into a biometrics solution, seek a solution that can capture a full set of 10 fingerprints in a single pass and extract the appropriate prints for cross-population to multiple systems for use in FBI background checks, issuance and access. A proper solution will store both minutiae templates and high-quality fingerprint images. A minutiae template can be derived from a fingerprint image whenever a new format is required, but a stored template cannot be turned back into the original image, so an agency that keeps only templates in one vendor's format is locked into that format. Be sure the solution can store full fingerprint images and create minutiae templates as needed. In addition, seek an IDMS solution that is built with facial recognition for PIV II compliance.

Other important considerations include:

  • Seek a solution that is capable of multi-modal biometric authentication, including facial biometrics for higher security environments
  • Ask about false match and false non-match rates of biometrics systems for one to one verification and one to many identification scenarios
  • Be certain that the image capture is of high quality to ensure more accurate biometric authentication
  • Seek a solution that stores facial biometric images in a format that is easily searchable by facial recognition technology

Managed Service PKI

A managed service provider model for PKI overcomes the cost and implementation challenges of performing PKI in-house. Whether issuance is handled in an on-demand or centralized model, a managed service PKI approach eliminates the million-dollar infrastructure cost associated with establishing an in-house certification authority and can speed deployment to as few as 60 days. Priced in a number of different ways, including a cost per user, these models eliminate the need to invest in hardware, software licensing, ongoing maintenance, technology upgrades and the multiple on-site personnel needed to maintain an in-house certification authority. Managed PKI services also offer service level agreements and disaster recovery services.

When seeking a managed PKI solution, look for the following:

  • Seek a provider that has met the government certification requirements for issuing FIPS 201 compliant credentials
  • Look for experience operating complex and large-scale managed service environments for governmental and commercial organizations
  • The ideal company must have proven experience integrating PKI with card management systems at government agencies
  • The certification authority should be flexible enough to outsource card management services, domain controllers and validation services
  • Seek a vendor that manages PKI for agencies and organizations as its core business

Issuance

The issuance of physical and logical credentials often involves two distinct procedures that may slow the process of issuing a PIV smart card if they are executed independently. The ideal solution is able to integrate logical and physical access credentials simultaneously in a single process. An integrated system will decrease costs, increase security and enhance productivity. Furthermore, physical and logical integrated issuance reduces the risk of errors common with repetitive processes.

When researching issuance solutions, be sure the solution can:

  • Leverage open APIs to access all necessary databases and biometrics
  • Integrate both physical and logical components
  • Add additional data to cards such as photos, printed information and agency-specific options
  • Work with any smart card provider or platform
  • Support both on-demand and batch card processing

Validation

When compared with the traditional OCSP architecture, distributed OCSP scales to support a large user base and eliminates the high costs associated with deploying multiple secure servers. A single protected signer periodically generates a status response for every credential, signs each one, and distributes the signed responses to responders; the responders hold no signing key, so they can be ordinary, unsecured servers placed wherever validation data is needed, and compromising one of them gives an attacker nothing with which to forge a response. Distributed OCSP can be operated over unsecured networks, such as the Internet, because every response is digitally signed and carries its own validity window, which the relying party must check along with the signature. The trade-off is revocation latency: a revocation takes effect only when the next batch of responses is signed, so the signing interval should be chosen to match the agency's tolerance for the gap between revoking a card and the doors and systems refusing it.
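The two steps described in the physical access section above (verify the issuer's signature on the card's credential, then confirm the credential's status) and the distributed OCSP model just described can be shown together in working code. The following Go program is an added example written for this page; it is not code from CoreStreet, ActivIdentity or any FIPS 201 product. It uses Ed25519 signatures and a flat byte encoding as stand-ins for the X.509 and OCSP structures a real deployment uses, and the credential fields, the serial number 4711, the timestamps and the four-hour signing interval are constructed assumptions. The validation authority pre-signs status responses with a key the responders never see; the relying party accepts a response only if the signature verifies, the serial matches and the current time falls inside the signed validity window, which is what lets an untrusted responder or network carry the data.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential models the issuer-signed physical-access credential on the card (flat layout is an assumption; real PIV objects are TLV-encoded and CMS-signed).
type Credential struct {
	Serial     uint64 // serial of the cardholder's authentication certificate
	Cardholder string // cardholder identifier (constructed)
	IssuerSig  []byte
}

// StatusResponse models one pre-signed status entry of the kind a distributed OCSP responder caches; only the validation authority (VA) holds the signing key.
type StatusResponse struct {
	Serial                 uint64
	Revoked                bool
	ThisUpdate, NextUpdate time.Time // validity window of this response
	Sig                    []byte
}

var (
	ErrIssuerSig   = errors.New("issuer signature on credential does not verify")
	ErrStatusSig   = errors.New("status response was not signed by the validation authority")
	ErrWrongSerial = errors.New("status response is for a different serial")
	ErrStale       = errors.New("status response is outside its validity window")
	ErrRevoked     = errors.New("credential is revoked")
)

// credentialTBS is the to-be-signed encoding: fixed-width serial, then the identifier.
func credentialTBS(c Credential) []byte {
	return append(binary.BigEndian.AppendUint64(nil, c.Serial), c.Cardholder...)
}

// statusTBS covers every field, so a responder cannot flip Revoked or stretch the window.
func statusTBS(s StatusResponse) []byte {
	b := binary.BigEndian.AppendUint64(nil, s.Serial)
	b = append(b, map[bool]byte{true: 1}[s.Revoked]) // 1 if revoked, else 0
	b = binary.BigEndian.AppendUint64(b, uint64(s.ThisUpdate.Unix()))
	return binary.BigEndian.AppendUint64(b, uint64(s.NextUpdate.Unix()))
}

// IssueCredential runs at the issuance station, the only place the issuer key lives.
func IssueCredential(issuerKey ed25519.PrivateKey, serial uint64, holder string) Credential {
	c := Credential{Serial: serial, Cardholder: holder}
	c.IssuerSig = ed25519.Sign(issuerKey, credentialTBS(c))
	return c
}

// PresignStatus runs on the VA's signing cycle; the result can be copied to any number of untrusted responders, and a revocation entered later waits for the next cycle.
func PresignStatus(vaKey ed25519.PrivateKey, serial uint64, revoked bool, thisUpdate time.Time, interval time.Duration) StatusResponse {
	s := StatusResponse{Serial: serial, Revoked: revoked, ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(interval)}
	s.Sig = ed25519.Sign(vaKey, statusTBS(s))
	return s
}

// CheckAccess is the relying-party logic at a door controller or logon validator: prove the
// credential was issued (issuer signature), then prove it is still good (VA-signed status for
// this serial, inside its window, not revoked). Nothing here trusts the responder itself.
func CheckAccess(issuerPub, vaPub ed25519.PublicKey, c Credential, s StatusResponse, now time.Time) error {
	switch {
	case !ed25519.Verify(issuerPub, credentialTBS(c), c.IssuerSig):
		return ErrIssuerSig
	case !ed25519.Verify(vaPub, statusTBS(s), s.Sig):
		return ErrStatusSig
	case s.Serial != c.Serial:
		return ErrWrongSerial
	case now.Before(s.ThisUpdate) || now.After(s.NextUpdate):
		return ErrStale
	case s.Revoked:
		return ErrRevoked
	}
	return nil
}

// RunChecks builds constructed keys, one credential and several status responses and returns the outcome of each access attempt, keyed by case name.
func RunChecks() map[string]error {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	vaPub, vaKey, _ := ed25519.GenerateKey(nil)
	_, rogueKey, _ := ed25519.GenerateKey(nil)          // a responder that lacks the VA key
	t0 := time.Date(2005, 10, 1, 8, 0, 0, 0, time.UTC)  // constructed clock
	cred := IssueCredential(issuerKey, 4711, "constructed cardholder")
	good := PresignStatus(vaKey, 4711, false, t0, 4*time.Hour)
	revoked := PresignStatus(vaKey, 4711, true, t0, 4*time.Hour)
	forged := good // a responder vouching for the card with its own key
	forged.Sig = ed25519.Sign(rogueKey, statusTBS(forged))
	tampered := cred // card contents altered after issuance
	tampered.Cardholder = "someone else"
	return map[string]error{
		"valid card, fresh status":         CheckAccess(issuerPub, vaPub, cred, good, t0.Add(time.Hour)),
		"revoked":                          CheckAccess(issuerPub, vaPub, cred, revoked, t0.Add(time.Hour)),
		"status replayed after window":     CheckAccess(issuerPub, vaPub, cred, good, t0.Add(5*time.Hour)),
		"status forged by rogue responder": CheckAccess(issuerPub, vaPub, cred, forged, t0.Add(time.Hour)),
		"credential altered on card":       CheckAccess(issuerPub, vaPub, tampered, good, t0.Add(time.Hour)),
	}
}

func main() { fmt.Println(RunChecks()) }
```

Running it prints the outcome of each constructed case: the fresh, correctly signed status is accepted (nil), while the revoked, replayed, forged and tampered cases are each refused with the matching error. The "status replayed after window" case is the revocation-latency trade-off in miniature: up to NextUpdate, a response signed while the card was still good keeps being accepted even if a revocation has since been entered at the validation authority, so the signing interval bounds how long a revoked card keeps opening doors.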

The Advantages to Working with a Best-of-Breed Alliance

Because implementing FIPS 201 requires working with multiple vendors and solutions, it is important to select industry leaders that work well together and have proven interoperability in government agency deployments. Because no single company can provide an end-to-end solution with its own technology, it is critical that products have been designed, tested and field-proven to integrate well.

Table of Vendor Offerings

ActivIdentity, Lenel, CoreStreet, Cybertrust and Viisage are five market leaders that provide a full range of products and services necessary to implement the FIPS 201 processes outlined in this white paper. Each has proven market experience in implementing its respective solutions in government agencies. The companies have collaborated with a wide variety of Cabinet, civilian, defense and smaller agencies. They have developed automated systems that leverage open interfaces to reduce implementation costs and speed deployment. The combined research and development efforts of all five companies are setting the stage for future advancements in the identity solutions marketplace.

Business Advantages Beyond HSPD-12

HSPD-12 serves as a foundation for enabling future e-government services. The smart card platform that will result from a FIPS 201 implementation can extend to future functionality, including:

  • Secure remote access
  • Single sign-on
  • Additional card-based applications
  • Government and enterprise integration
  • Investigative capabilities

About ActivIdentity

ActivIdentity provides smart card solutions and related technologies that secure and automate key FIPS 201 issuance processes. The company's solutions issue, leverage and maintain digital identities in a secure, manageable and reliable manner. ActivIdentity designs, develops, and markets complete solutions for secure remote access, single sign-on services and multifunction smart card-based enterprise access cards. ActivIdentity's software and hardware solutions facilitate logical authentication via smart cards, granting access to computer networks and applications. As a global provider of identity assurance solutions, ActivIdentity has more than 7 million users at government agencies and corporations. For more information, visit http://www.actividentity.com.

About CoreStreet

CoreStreet provides highly scalable validation products for identity management and access control, available directly and through leading systems integrators. CoreStreet's distributed OCSP solution can be deployed anywhere in the world without having to set up a costly secure infrastructure. The solution enables a FIPS 201-compliant single card system for access to buildings and computer systems while providing centralized control. CoreStreet's distributed OCSP solution is utilized to support the Department of Defense's global Common Access Card program, a precursor to HSPD-12. CoreStreet is also working with other agencies, as well as commercial and industry groups. For more information, visit http://www.corestreet.com.

About Cybertrust

Cybertrust enables agencies to outsource the costly PKI process using a shared service provider (SSP) model. Certified by the Federal Identity Credentialing Committee, the Cybertrust SSP solution issues credentials on smart cards, validates credentials and provides full auditing and reporting. Leveraging either its own UniCERT™ certification authority technology or the Microsoft certification authority, Cybertrust provides FIPS 201 compliant authentication, signing and encryption certificates with key recovery services. Cybertrust is the leader in PKI for identity cards and has developed identity solutions for hundreds of corporations and governments including the first epassports, which are helping a major government transform and integrate its data issuance process through secure digital certificates. For more information, visit http://www.cybertrust.com.

About Lenel

Lenel® Systems International, Inc.'s OnGuard® solution aids with card issuance and physical security integration. Lenel's OnGuard ID CredentialCenter produces PIV cards that support PKI for PIV I and PIV II compliance and both contact and contactless smart cards. Through strong partnerships with logical security providers, Lenel offers seamless integration of both physical and logical security, including the ability to manage and issue a PIV card from a single application. Lenel is a global leader in the development and delivery of scalable, integrated systems for the commercial security market with more than 10,000 system implementations in 75 countries. For more information, visit: http://www.lenel.com.

About Viisage

Viisage provides advanced identity solution technology that authenticates breeder documents, performs identity proofing, conducts facial recognition, verifies fingerprint biometrics and names, provides a data store for transactions and prints secure credentials. Viisage offers these capabilities through Viisage iA-thenticate®, Viisage PROOF™, Viisage FaceEXPLORER®, Toppan and Fargo printing products. Viisage also offers an IDMS database solution and card issuance solutions with experience delivering these solutions to its current 16 US state drivers' license system contracts. With over 3,000 installations worldwide, leading government, law enforcement agencies and businesses use Viisage's identity solutions. For more information, visit http://www.viisage.com.
