The Future of Credentialing

June 1, 2007
Security specialist shares what the feds, industry groups are doing

Over the last several years, Steve Howard has participated in some of industry’s leading committees and standards related to security and credentialing — RTCA’s SC-207 working on the DO-230B Aviation Access Control guidelines; Smart Card Alliance’s Physical Access Council and Identity Council, the Government Smart Card Inter-agency Advisory Board committees for FIPS 201 [Federal Information Processing Standard 201], and the Security Industry Association’s PIV Committee and the ANSI B10.9 committee on identity credentials. In this ‘State of the Industry’ update, he offers his insights as to where credentialing is headed, along with some resources.

Starting with physical access, the goal historically was to keep bad guys out and let good guys in, using a badge. Electronic verification of a badge is much stronger than the old World War II scenario:

‘Halt, who goes there?’
‘It’s me, Sgt. Jones.’
‘What’s the password, Sgt. Jones?’
‘You may enter.’

Anyone listening in on that challenge-and-response exchange now knows the password and can get on base until it is changed; the secret is spoken in the clear, so it can simply be replayed. When a threat is identified, the process is changed (show me your ID card: now the individual must both know the secret and hold a valid ID, something you know plus something you have). This helps mitigate the risk.
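The sentry exchange above is a replay problem, and it is the same problem a static credential has at a door reader. The following is an added example (not from the original article) that models both sentries in Python: a static password that an eavesdropper can replay, and a card that holds a secret and answers a fresh random challenge, so that a captured exchange is useless. The card here answers with HMAC-SHA256 over the nonce; that is an assumption made for a self-contained example (a real PIV card answers a challenge with a private-key signature that the reader verifies against the card's certificate). The password, card IDs and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets


# Sentry model 1: the World War II static password (constructed example).
# Whoever says the one shared secret is let in, including someone who overheard it.
class StaticPasswordSentry:
    def __init__(self, password: str):
        self._password = password.encode()

    def verify(self, spoken: str) -> bool:
        return hmac.compare_digest(spoken.encode(), self._password)


# Sentry model 2: a card holding a secret and answering a fresh challenge.
# The sentry issues a random nonce; the card returns HMAC(key, nonce || card_id).
# The key never crosses the channel, and each nonce is accepted exactly once.
class ChallengeResponseSentry:
    def __init__(self, issued_keys):
        self._keys = dict(issued_keys)      # card_id -> secret installed at issuance
        self._outstanding = set()           # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, card_id: str, nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(card_id)
        if key is None or nonce not in self._outstanding:
            return False                    # unknown card, or a nonce we never issued / already consumed
        self._outstanding.discard(nonce)    # single use: a replayed exchange fails here
        expected = hmac.new(key, nonce + card_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Card:
    """The 'something you have': holds a key that never leaves the card."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + self.card_id.encode(), hashlib.sha256).digest()


def static_password_replay() -> dict:
    sentry = StaticPasswordSentry("thunderbolt")    # constructed password
    overheard = "thunderbolt"                        # what the eavesdropper heard Jones say
    return {
        "jones": sentry.verify("thunderbolt"),
        "eavesdropper": sentry.verify(overheard),    # replay succeeds
    }


def challenge_response_replay() -> dict:
    key = secrets.token_bytes(32)
    sentry = ChallengeResponseSentry({"jones": key})
    jones = Card("jones", key)

    nonce1 = sentry.challenge()                      # legitimate exchange
    resp1 = jones.respond(nonce1)
    jones_ok = sentry.verify("jones", nonce1, resp1)

    replayed = sentry.verify("jones", nonce1, resp1)  # eavesdropper replays the captured pair

    nonce2 = sentry.challenge()                      # fresh challenge, stale answer
    forged = sentry.verify("jones", nonce2, resp1)

    stranger = Card("stranger", secrets.token_bytes(32))  # card the sentry never issued
    nonce3 = sentry.challenge()
    unknown = sentry.verify("stranger", nonce3, stranger.respond(nonce3))

    return {"jones": jones_ok, "replay": replayed, "forged": forged, "unknown": unknown}


if __name__ == "__main__":
    print("static password:", static_password_replay())
    print("challenge-response:", challenge_response_replay())
```

The second sentry still only proves possession of the card (something you have); the PIN and photo checks the article goes on to describe add something you know and something you are on top of it. A 125 kHz proximity badge, by contrast, behaves like the first sentry: it emits the same fixed identifier every time, so a reader that captures it once has all it needs.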

Today, we use a proximity badge that provides a “something you have” level of security: wave it at the door reader, and if the credential is authorized, the door strike opens. Yes, proximity badges have served us well; but times are changing, and a prox badge that emits the same fixed identifier on every read is a weak “something you have.” Clearly more is being done than simple prox badge access, as many facilities already support PIN and automated photographic verification at critical access points. Some are also engaged in biometric methods for access control.

Change in Definition
The very definition of “access control” is changing. Now we see concerns around “Identity Management.” We hear about convergence of ID between physical and logical access in a uniform approach. We are seeing the emergence of “Security Operations Centers” focused on situational awareness, command, and control.

An excerpt from a research report by the Stanford Washington Group might help here: “We believe that the creation of FIPS 201 is a landmark event for the industry. For the first time, a formal standard exists that will allow agencies to purchase biometric and credentialing solutions with the assurance of interoperability and mutual levels of trust.” With solid vetting requirements and rigid smart card and biometric interoperability standards, the ‘ID solutions’ industry is rapidly moving to support it. Other federal ID programs like TWIC, Registered Traveler, and the First Responder Card initiative have pledged to follow the same technical standards, allowing them to be more rapidly and affordably deployed.

Any card that complies with FIPS 201 will be a powerful tool that all public or private agencies should be able to trust and easily authenticate. FIPS 201 establishes a new gold standard for identity documents and credentialing. With this standard in place, companies that build access control systems — in both the physical and cyber world — are quickly adapting their products to accept the new PIV credential.

Moreover, these two worlds are converging, as physical and IT security professionals work together to pre-integrate solutions from each world, creating new product combinations and new approaches to security. Some, such as Lenel and AMAG Technology, have gone so far as to integrate their products directly with card and identity management products from vendors like ActivIdentity and Intercede, giving security managers the ability to provision both logical and physical security credentials from a single identity management system.

Airport-by-Airport Evaluations
There are new threats and risks, and each airport owner/operator must evaluate how their access control and credentialing solution mitigates these threats. At a top level, security managers at an airport want to know exactly who is in a secured area (electronic access at a door/gate with anti-passback); where they are (surveillance, including video); that they have not wandered into areas where they aren’t authorized (intrusion detection, ID challenge programs); and, that they have not gone from the authorized common infrastructure assets, such as Common Use Terminal Equipment (CUTE), to some other IT asset.

This is a critical leap to make: it is not just about building and AOA (Air Operations Area) access. The IT network is critical infrastructure that keeps an airport environment secure. The convergence of identity solutions yielding a common ID credential serving logical and physical access solutions is here today.

A newer concept is the notion of an “all hazards situation.” This is not just about jumping a fence. When a tornado wipes out an area of a terminal, who is near the scene that can help recover from the disaster? When an outbreak of SARS is identified in a terminal, how is lockdown accomplished, and an assessment made regarding who is available to help?

When bad things happen, the goal is to have situational awareness. This is especially true when communications are down and we cannot ask the PACS (physical access control system) or LACS (logical access control system) who is allowed to have access. Incident commanders and emergency response officials must be able to rapidly assess on-scene human resource assets in all-hazards situations.

What training and knowledge do individuals — who are responding or are part of an incident — have to help bring the airport back into an operational mode, help save lives, re-establish perimeter security and networks, access control systems, and communications infrastructure?

Standards Rise to the Challenge
Standards are our safety net. They enable trust in solutions by strong review processes and peer evaluation programs; they enable a competitive marketplace and help us avoid a vendor lock-in situation. FIPS 201 is a foundational activity, but other standards are equally important to security professionals in aviation as well — the RTCA Special Committee 207, for one (see box).

Such guidance will be critical to methods and means of access control and compliance within the aviation community. Another critical effort in the march towards unification and federation is the Security Industry Association’s OSIPS project (Open System Integration and Performance Standards), which aims to create interoperability among the components of security systems. Because it is about communication between those components, it is a natural fit for federated identity management and access control solutions.

Of particular interest is the work in the Access Control Role (ACR) and Identity and Carrier Management (IDM) standards, since these form the foundation for the communications between the components of interest. These standards are expected to be completed this summer, with a call for comments expected this fall.

Aviation security personnel will need to consider the operational impact these standards will have. These are the underpinning to successful industry products and services, ensuring that our networks and facilities remain secure — no matter if comms are up or down; no matter if the attack is cyber or physical; no matter if it is a natural disaster or a terrorist incident.

Government: Rising to the Challenge
It’s interesting to watch government. Usually, legislators set the regulations and make us do things that we previously didn’t want to do. It’s rare that the government does this to itself. FIPS 201, however, is definitely making the government “eat its own dog food.”

FIPS 201 is an industry driver. Size is everything and the U.S. government is not small. The Department of Defense has over 3.5 million active ID credentials issued alone, and is migrating its infrastructure to FIPS 201. Early estimates by the General Services Administration (GSA) see a need for some 40 million credentials. (This only addresses the executive branch and its contractors; not judicial or legislative branches.)

All of these individuals will receive a FIPS 201-compliant credential over the next couple years. All will be enabled as a converged ID credential to serve both logical and physical access solutions, and all will provide a common platform for identity verification using biometric identifiers.

FIPS 201 enables internal government operations to be secure and reliable. Given how far this has traveled in such a short time, the successes are getting even better. Consider the First Responder Authentication Credential (FRAC) program. This initiative, driven by the DHS Office of National Capital Region Coordination (NCRC), has dramatically morphed from a federal program into a state and local initiative in which the feds participate.

For airports, in a disaster, partner secondary support organizations have a huge role to play — fire, rescue, police, medical, FBI, you name it. All come together to restore order. The FRAC is a real-world demonstration that industry is ready to help address real-world problems, such as identification and recovery from bad situations.

Implementing the FRAC is the First Responder Partnership Initiative (FRPI). The FRPI was formed among federal and non-federal stakeholders to implement a standards-based Personal Identity Verification (PIV) and FIPS 201-compliant First Responder Authentication Credential. Although only employees and contractors of the executive branch of the federal government are mandated by Homeland Security Presidential Directive 12 (HSPD-12) to implement a FIPS 201-compliant credential, state and local governments are electing to conform to this standard to ensure PIV trust and interoperability in the multi-jurisdictional NCR area. FRPI leverages the Federal Bridge Certification Authority (FBCA) to map the PIV assurance levels of the partners’ certificates across the bridge.

By establishing an electronic PIV first responder trust model among partnership members to include federal, state, regional, local, and private sector entities, we enable incident commanders and emergency response officials to rapidly assess on-scene human resource assets in all hazards situations.

The FRPI initiative achieves the mandate for electronic validation to eliminate use of a flash pass, and enables the use of the credential invoked by FIPS 201 every day. It will be the same form of identity tool used on “the day” when an incident occurs.

Put into Action
In February 2006, the Pentagon Force Protection Agency (PFPA) hosted the Winter Fox Interoperability Demonstration, coordinated by the DHS Office of National Capital Region Coordination (NCRC). Participants included federal (PFPA), state (Virginia, Maryland), regional (Port of Baltimore), local (Frederick County, MD), and private sector (George Washington University) partners. Test locations were Federal Office Building II, Virginia DOT’s Smart Traffic Center (STC), the South Marine Terminal in Baltimore, and the Emergency Operations Center of Frederick County.

This identity verification/management demonstration validated the capability to use existing standards and technology to establish a scalable identity trust model throughout multi-jurisdictions. It further demonstrated the ability to electronically manage human resource assets in response to any human-induced incident or natural disaster.

The exercise demonstrated electronic validation of identity cards from six different back-end infrastructures: a DoD Common Access Card, a FRAC, a Maryland FRAC, TSA’s Transportation Worker Identification Credential (TWIC), and driver’s licenses from Connecticut and Maryland. Additionally, it provided in-transit visibility of human resource assets via Satellite Communication (SATCOM) manifest tracking of sponsoring agency personnel to relocation sites.

In February 2007, the NCRC and PFPA joined other government and industry partners to co-host the Winter Storm demonstration. Winter Storm took place simultaneously in over 20 locations within Washington, D.C. and throughout the U.S., and included more than 50 organizations. The demonstration validated the functionality of the FRAC and the integration of electronic attributes (qualifications, authorizations, certifications, and privileges) that have been developed and advanced through FRPI.

Additionally, it enabled real-time human resource situational awareness of every first responder participating in the demonstration nation-wide. This was a first in this country. The demonstration received national attention, resulting in government agencies and private sector first response and response recovery communities of interest to contact the NCRC, requesting participation in the partnership and future demonstrations.

Ok, so did it really work this well? The NCRC will provide interested persons with proof positive. Ask them for their videos that show the FRAC in operation during the demonstrations.

It’s surprising how a large enterprise like the U.S. government can move industry. One can find FIPS 201-certified products for access control systems, ID management, professional services, credentials, biometric solutions, enrollment — you name it.

An important point: it is on GSA Schedule 70 under SIN 132-62. This means qualified state and local government organizations may also benefit from the price and volume afforded by the federal government in their acquisition strategies.

From an airport owner/operator’s perspective, real world threats mean we have to be very proactive in security solutions. We must anticipate the bad things that can happen and establish affordable defenses to mitigate known and unknown risks.

It’s rare to see, but the federal government is using its own standards and this is something worthy of attention. It will make airport operations more secure, and will cost less over time. It definitely improves the security posture overall, not just at the door.