Cyber Security Institute

Wednesday, August 16, 2006

United States of Access Control

The nuptials are set for Oct. 27, 2006.

That’s the day by which every agency in the U.S. government is supposed to be issuing smart cards that will marry physical access control and logical access control.  The plan, mandated by Homeland Security Presidential Directive 12 (HSPD 12), is that all 5 million-plus federal employees and contractors eventually be given a common identification card that can be used anywhere and everywhere.  At the front door of the federal building where the employee works.

“It’s a good idea, and we’ve got to do it,” says Bruce Brody, former CISO for the U.S. Department of Veterans Affairs and before that the Department of Energy, who’s now VP for information security at the consultancy Input.  “Getting off of passwords and getting to multifactor authentication, that’s where the government has to go” to improve security in the long run.

The much-anticipated day could be the shiny, happy moment in security convergence history, with the government unveiling a system that improves not only security but also efficiency, thus driving adoption by the private sector.  Instead, however, the looming deadline has federal agencies in agony, the physical security community in chaos and the White House on the defensive.  Both vendors and federal agencies are complaining that policy-makers are providing too little, too late in terms of guidance.  According to a survey released by Input in June, almost half of federal IT security executives still did not have a complete plan in place or feel that the government was providing enough clarity for them to comply.  Another pain point: They can’t find funding for the mandate, which could cost millions.

At Veterans Affairs, which is an early adopter of smart card technology, HSPD 12 Program Manager Joseph Bond is so far from being able to set up standardized physical access control that he still has facilities where employees need multiple cards to enter different parts of one building.  “Our legacy system is really unwieldy at this point, and I have no influence over when those legacy systems will be brought up to speed,” he says.

At the U.S. Department of Interior, CIO Hord Tipton is no more encouraging.  Despite the fact that HSPD 12 specifically references physical access, Tipton wrote in an e-mail to CSO, “Physical access is not clearly on the scorecard.”  Meanwhile, physical access control vendors are struggling to create products that simply didn’t exist before, while at the same time transforming themselves into businesses governed by standards—this when the U.S. General Services Administration has left them waiting for technical specs and approval.  “The cart is before the horse,” says Mark Visbal, director of research and technology at the Security Industry Association, which represents dozens of access control vendors.  As of early June, he says, “We have a good idea what [GSA is] asking for, but it’s not finalized.”  To add to the confusion, GSA arcana initially made it unclear even whether these emerging products must be classified as security or IT products, lengthening an already tangled procurement process.

Through a spokeswoman, the Office of Management and Budget’s Karen Evans—the Bush administration’s top administrator for e-government and IT—insists that the deadline is not changing and that missing it is not an option.  But observers indicate that many agencies missed an earlier deadline.  According to a Government Accountability Office report released in February, agencies studied were still struggling to meet last October’s supposedly easier HSPD 12 deadline, meant to standardize background check processes.  The GAO went on to say that product testing may not be completed within the deadlines, further delaying progress.  And because agencies are supposed to find funding within their existing budgets, the OMB has little leverage on those that fall behind.

The directive puts OMB in charge of issuing guidance and ensuring compliance, and the U.S. Department of Commerce in charge of creating the standards.  The second part of FIPS 201 is more complicated: it lays out not only the physical format of the credit card-sized cards but also cryptographic, biometric and card reader specifications.  This setup assuages privacy concerns about, say, the image of a fingerprint being stolen from someone’s card as he walks by.  It also means that in any situation where biometrics are used, there is three-factor authentication: something the individual has (the card), something he knows (the PIN) and something that’s part of him (a fingerprint).
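The three-factor flow described above, and the reason a walk-by read cannot lift the fingerprint, can be shown in a small model.  The code below is an added example written for this page; it is not the FIPS 201 or PIV card command set and not code from any agency or vendor named in the article.  It assumes a card that holds a salted PIN hash, a retry counter (three attempts, an assumed lockout limit) and a fingerprint template signed by the issuer (here an HMAC stands in for the issuer’s signature); the template is released only after the PIN is verified, and the reader checks the signature before matching.  Names such as `SmartCard`, `IssuerKeys` and `authenticate` are this example’s own.

```python
"""Simplified model of a PIN-gated biometric credential (added example).
Not the FIPS 201 / PIV command set, only the access-control logic the
article describes: card + PIN + fingerprint, with the template unreadable
until the PIN has been verified."""
import hashlib
import hmac
import secrets

PIN_RETRY_LIMIT = 3  # assumption: lock the PIN after three bad attempts


class IssuerKeys:
    """Stand-in for the issuer's signing key. A real card carries an issuer
    signature over the biometric object; an HMAC is used here (assumption)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


class SmartCard:
    """Card side: public card ID, salted PIN hash, retry counter, and a
    signed fingerprint template that is only released after PIN check."""

    def __init__(self, card_id: str, pin: str, template: bytes, issuer: IssuerKeys):
        self.card_id = card_id
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin, self._pin_salt)
        self._template = template
        self._template_sig = issuer.sign(card_id.encode() + template)
        self.retries_left = PIN_RETRY_LIMIT
        self._unlocked = False

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def read_card_id(self) -> str:
        # A contactless read without a PIN yields only the public identifier.
        return self.card_id

    def verify_pin(self, pin: str) -> bool:
        if self.retries_left == 0:
            return False  # card is locked; even the right PIN is refused
        if hmac.compare_digest(self._hash_pin(pin, self._pin_salt), self._pin_hash):
            self._unlocked = True
            self.retries_left = PIN_RETRY_LIMIT
            return True
        self._unlocked = False
        self.retries_left -= 1
        return False

    def read_biometric(self):
        # This is the privacy property: no PIN, no template leaves the card.
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return self._template, self._template_sig


def match(template: bytes, sample: bytes) -> bool:
    # Real matchers score minutiae; byte equality is the constructed stand-in.
    return hmac.compare_digest(template, sample)


def authenticate(card: SmartCard, pin: str, fingerprint: bytes, issuer: IssuerKeys):
    """Reader side: all three factors must pass, in order."""
    card_id = card.read_card_id()                 # factor 1: something you have
    if not card.verify_pin(pin):                  # factor 2: something you know
        return False, "pin"
    template, sig = card.read_biometric()
    if not issuer.verify(card_id.encode() + template, sig):
        return False, "template-signature"        # tampered or foreign template
    if not match(template, fingerprint):          # factor 3: something you are
        return False, "biometric"
    return True, "ok"


if __name__ == "__main__":
    issuer = IssuerKeys()
    card = SmartCard("AGENCY-000001", "1234", b"constructed-template", issuer)
    print(authenticate(card, "1234", b"constructed-template", issuer))
```

The ordering in `authenticate` is the point: the reader never sees the template until the cardholder has proven knowledge of the PIN, so a reader that merely gets close to the card learns the card ID and nothing biometric, and a template that does not carry a valid issuer signature is rejected before any matching is attempted.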

The government decides it wants to make a change, codifies it and pushes it forward—causing pain along the way but eventual improvements.  People like Visbal, from the Security Industry Association, could wax poetic for hours about the difference between, say, the 125 kilohertz proximity cards in wide use and the 13.56 megahertz smart cards specified in FIPS 201.  Or about why one common protocol for proximity cards supports only 64,000 unique ID card numbers, not the millions required by FIPS 201.  Or about how fire safety issues in the physical security world slow down the product development process.

But the writing is on the wall.  Standardization—and along with it access control convergence—is coming.  “They’re making us go to TCP/IP, LAN, WAN deployable systems, not just for access control but also for digital systems,” Visbal says of what the government is doing.

Back at federal agencies, though, the changes are no less daunting.  Butler says it’s only been within the past year that the Department of Defense has started to overcome the cultural challenges of bringing together the teams responsible for physical access control and logical access control.  “When I used to go to my physical security meeting, I used to sit down with my physical security team members who’d say, ‘Oh, the geek has showed up.’”  While the directive refers matter-of-factly to a combined card for physical access and logical access, the reality is that this kind of converged access control project has simply never been done on any broad scale.  And one of the particular ironies is that the agencies that are perhaps in the best position to actually issue FIPS 201-compliant cards don’t have to—at least not right away.  That’s because OMB decided that agencies that had already made significant investments in smart card deployments could issue “transitional” cards, rather than FIPS 201 cards.

Both the Department of Defense and Veterans Affairs, along with a handful of other agencies, are getting what one vendor calls a “get out of jail free” card from OMB for the October deadline.  At Veterans Affairs, for instance, Bond says the agency had already invested millions of dollars in a system that, among other things, doesn’t support the new biometric requirement.  “If we were to become FIPS 201 compliant, we would have to literally throw away millions of dollars of equipment and card stock,” Bond says, “and OMB says that it doesn’t make sense to throw away that stuff.”  What’s more, the new cards at Veterans Affairs will be compatible with maybe 60 percent of the existing physical access control systems throughout the agency.  “Anytime we go to upgrade a facility, we will make sure that the system is in compliance,” Bond says.  “In the interim, you will have noncompatible systems which will require separate badges to exit and enter different parts of the facility.”

Some other agencies that do have to start issuing FIPS 201-compliant cards by October are likely to find a different workaround—incorporating their legacy technology onto the new smart cards.  This might involve, say, slapping an old magnetic stripe onto a new card.  That makes the new card not so much one card that does everything but two cards in one.  “It becomes a migration strategy,” Klinefelter of the Open Security Exchange says.

The OMB has not set a deadline for how long either the transitional cards or those that incorporate legacy technology can be used.  As far as actually issuing the cards, an emerging approach involves a shared service model, in which agencies can sign up to outsource card issuance to a common provider.  Initially, USDA’s Niedermayer said that the federal government’s Executive Steering Committee was looking for agencies who were able to issue cards for other agencies.  Then, the government issued an RFP for contractors who could do the work.  Vendors were asked to submit plans to start issuing cards to 30 agencies in multitenant facilities in Atlanta, New York City, Seattle and Washington, D.C., by the October deadline.  At press time, Niedermayer said the government was still waiting to see who would submit bids by the deadline, which had been extended.

With this development, it remains to be seen whether the government has created one big headache, instead of dozens of small ones.  Observers say there is a risk that the cards will not be interoperable or that deadlines will not be met.  Indeed, agencies that sign up for the shared service model but are not part of the 30-agency pilot are not likely to have one card issued by the deadline.  “The degree of difficulty is high, and time frames are short,” says Linda Koontz, GAO’s director of information management issues, who wrote the February GAO report.  “You can’t, in some respects, fault the OMB for wanting to move aggressively on this, but at the same time there are questions about whether the agencies will be able to meet these deadlines.”  To hear Niedermayer describe it, however, those who say the task is insurmountable are simply misinterpreting the deadline.  “We make it a lot more difficult than it is,” he says pragmatically.  “If your expectation is that 1.9 million people are going to have a badge on Oct. 27, that’s not achievable.”
