In the wake of 9/11, the Federal Government’s secure-the-fort, big idea was to create an identity credential for all federal employees and contractors. Homeland Security Presidential Directive (HSPD)-12 set it all in motion. Today, we know the smartcard-based credential that arose from HSPD-12 as the Personal Identity Verification (PIV) card.

The PIV card is meant to give employees/contractors physical access to federal facilities and logical access to federal information systems. While using a PIV card for logical access has been largely successful and compliant with HSPD-12, implementing PIV-based, physical access control systems (PACS) has been much more difficult to conquer. As a result, HSPD-12 compliance for PACS has largely eluded the Federal Government. The noncompliance reasons are many, but there is now hope for fully achieving HSPD-12’s mandates.

Interoperability With Any Agency’s PIV

Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planetAll Executive Branch employees and long-term contractors, including the entire Department of Defense, have been issued PIV cards. This has been true since 2013. Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planet.

It seems so simple, where employees/contractors previously used their proximity card to open a federal facility door or go through a turnstile, they should now be able to use their PIV card. However, HSPD-12 took the PIV requirement one step further – compliant PACS must be interoperable with any agency’s PIV. This introduced an entire magnitude of additional complexity.

A compliant, interoperable, PIV-based PACS should work like this: an authorized employee (or contractor) presents a PIV card (contact or contactless) to a card reader to enter whichever federal agency building they have reason to be. Over the last 14 years, in all but a very few cases, the lack of PACS’ HSPD-12 compliance has prevented this from happening.

Secure Credential Policy

Today, less than 1% of the Federal Government’s PACS are HSPD-12-compliant. At most federal facilities, especially those outside the National Capitol Region, a noncompliant PACS works like this: an authorized employee (or contractor) presents a proximity (‘prox’) badge to a proximity card reader to enter his or her agency’s facility. At the fraction of federal facilities with upgraded PACS that work with PIV cards, virtually all such PACS fail to properly use a minimum number of PIV security features before granting access – let alone interoperate with a PIV card from any other agency.

Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 complianceNew federal initiatives frequently suffer from having no policy to enforce their roll-out. That isn’t the case with PACS compliance. Policies have been in place for so long that newer policies like Office of Management and Budget (OMB) M-11-11 (February 3, 2011) remind everyone what the policies said in 2004 and 2006. This year, OMB publicized its proposed OMB M-18-XX (Draft), which will replace M-11-11. OMB M-18-XX’s (Draft) main PACS thrust is, once again, to ensure that everyone understands what the Federal Government’s secure credential policy is. It hasn’t changed since 2004.

It would be tempting to say that PACS technology isn’t mature, but that isn’t the case. In 2013, the Federal Government revamped the PACS portion of the FIPS 201 Evaluation Program and, since that time, all PACS on the General Services Administration’s (GSA) Approved Products List are 100% compliant and interoperable. Yet, on any given day, active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance.

The usual suspects, policy and technology, are not the culprits for this epic delay.

An authorised employee presents a proximity badge to a proximity card reader to enter his or her agency’s facility
An authorized employee presents a PIV card to a card reader to enter whichever federal agency building they have reason to be

Difficulties In Adopting HPSP-12 Compliance For PACS

  • Standards – The Federal Government’s approach to standards is to avoid a great deal of specificity. It’s an unspoken tenet that federal standards must be flexible, promote innovation and avoid disadvantaging any participating market segment. The opposite is true if your goal is interoperability: nearly every detail must be specified. Consider the standards-based success story of chip-based credit cards. When was the last time you used a credit card and it didn’t work? Interoperability failures are nearly unheard of. If you look at the hundreds of volumes of technical specifications that cover minute aspects of every component in credit cards and payment terminals, you quickly realize why it works so well. Nothing is left to chance, nothing is a variable, and there is no optionality.

The Good News: Work to increase viability through deep scrutiny has progressed in recent years. The GSA APL PACS Testing Lab, set up in 2013, annually tests credentials from all PIV issuers against all GSA-approved PACS. This testing has significantly reduced interoperability failures at federal facilities.

  • Collaboration – In the past, physical access practitioners from federal agencies rarely collaborated, unlike their logical access counterparts. This is also true for PACS procurement decision-makers across agencies and facilities.

The Good News: In 2018, an agency trend has emerged where finally physical access, physical security and IT practitioners have begun sitting down to discuss their shared responsibilities. We have already begun to see coordinated budget requests between IT and Security with enterprise architectures positioning PACS as an enterprise service on the network

  • Scale – The Federal Government owns so many buildings that they can’t be counted. Google doesn’t know how many there are and neither does any one government official.
  • Variability – A significant percentage of facilities have unique aspects making a one-size-fits-all approach infeasible.

The Good News: Mature consulting services can now help agencies marry federal requirements with their unique environments to develop robust PACS enterprise architectures. As we see this occurring more and more frequently, a repeatable, achievable, systems-based upgrade of all PACS may be on the horizon.

Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance
The GSA APL PACS Testing Lab annually tests credentials from all PIV issuers against all GSA-approved PACS
  • Provenance – In many cases, different groups own different parts of a single facility, not all of whom might be subject to, or wish to interoperate with, a high-assurance compliant PACS. For example, GSA manages facilities for Legislative and Judicial tenants who aren’t subject to HSPD-12. Policy dictates that GSA manage the PACS for the front doors of these facilities should be HSPD-12-compliant, despite the fact that these tenants likely don’t have credentials that work with this technology. Sure, these tenants could commercially obtain a PIV-I credential, but almost none have.
  • Economics – It’s difficult for agencies to create their annual security budget requests when HPSD-12 PACS upgrades are in scope, because so many unknowns exist at each facility. To assess the cost, the time to complete, and the facility’s existing equipment inventory, it would be logical for an agency to hire a contractor with PACS expertise to perform a site assessment. Having to do capital planning for an assessment phase in advance of making the annual budget request for the PACS upgrade creates a never-ending cycle of delay. Especially at agencies with multi-year capital planning requirements. Many agencies, trying to avoid this delay cycle, have fallen prey to doing site assessments themselves. This results in their integrators doing their walk-throughs after the contract is awarded. This is the leading cause of PACS upgrade cost overruns.
  • Dependence on the agency’s IT department – Historically, PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise, let alone the Internet. High-assurance PACS that validate credentials from other agencies must now communicate with many different systems on an enterprise network and over the Internet – so much so that the Federal Government reclassified PACS as IT systems.

The Good News: With collaboration increasing between Physical Security Officers (PSOs) and Chief Information Officer (CIOs), we expect this to improve in due course.

  • Resistance to change – This is a classic human factors challenge, and it’s a big one. PSOs have spent decades achieving their positions. PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted. When the value proposition is clear, change is adopted more readily. But security value isn’t easily measured or observed. It is often said that the best performance review for a PSO is to note that nothing happened. And when something does happen, it is necessarily kept quiet so the risk can be remediated without calling attention to the vulnerability in the interim. To date, the value proposition of moving to PIV-based PACS has been entirely based on policy (without corresponding funding in most cases) and through the shock value of white hat hackers, showing how easily most proximity badges can be cloned. This is not the stuff of change agents.
PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise
PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted

Are These Challenges A Unique Situation?

No, these PACS challenges are not unique. Cybersecurity initially faced many of the same challenges that federal PACS face today. By 2000, the Federal Government recognized its urgent need to improve cybersecurity practices across its computing infrastructure and issued many policies that required agencies to improve. Improvement was sparse and inconsistent. GSA Schedules were set up to help agencies buy approved products and services to assist them, but this too produced lacklustre results.

The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned a system

Congress enacted the Federal Information Security Management Act of 2002 (FISMA) (now amended by the Federal Information Security Modernization Action of 2014). FISMA mandates an Authority To Operate (ATO) accreditation process for all information systems. The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned (vs. purchased) a system.

FISMA and ATO accreditation has been highly successful when implementing new systems. These cybersecurity requirements are the closest thing that the Federal Government has to the ‘PIV Police’ today. However, the PIV requirements in FISMA and ATOs currently apply to only logical access for information systems.

The proposed OMB M-18-XX (Draft) mentions that a FISMA PACS overlay to NIST SP 800-53 is forthcoming. The intent of the PACS overlay is to use the army of ATO accrediting officials in the Federal Government and enable them to assess implemented PACS as fit for purpose. This is the first time an enforcement approach has been brought forward that could reasonably succeed.

How Long For HSPD-12 Compliance?

We know that it won’t take another 14 years to achieve HSPD-12 compliance. Pockets of compliance are popping up. Compliant procurements do exist, and the state of PACS across the Federal Government is better in 2018 than in any previous year. Progress to date has been at a constant rate. The question is: what would take for progress to occur at an exponential rate instead? A major attack or compromise involving PACS would certainly hasten upgrades, but let’s hope that’s not the solution.

The energy distribution sector has been riding a wave of security upgrade demands to retrofit their facilities across the U.S.

The energy distribution sector, under nearly constant Advanced Persistent Threat attacks, has been riding a wave of security upgrade demands to retrofit their facilities across the U.S. The potential threat exists for Federal Government facilities as well.

Looking into the federal PACS-compliance crystal ball, we’re beginning to see the faint outline of a multi-faceted campaign of education, budgetary oversight and accreditation of PACS that will ultimately see us past the tipping point. Consider though, at the current rate of PACS enablement, a 50% compliance rate is still far in the future.

When that day arrives, the PIV card form factor may no longer be the key that fits that future lock. (Are you already using a mobile device’s Bluetooth interface to open the door to your office building?) Taking decades to perform a technology upgrade is the aging elephant in the room no one talks about. By the time critical mass is achieved with an upgrade facing these many challenges, there are typically compelling reasons to start over again with the next generation of technology. That cycle may well prove to be the Federal Government’s biggest PACS challenge of all.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

Jeff Nigriny President and Founder, CertiPath

In case you missed it

Motorola Solutions Acquires Pelco For $110 Million
Motorola Solutions Acquires Pelco For $110 Million

Motorola Solutions, Inc. today announced it has completed the acquisition of Pelco, Inc., a global provider of video security solutions based in Fresno, California. Pelco designs, develops and distributes end-to-end video technology, including video security cameras and video management system software. The company’s scalable solutions and commitment to service delivery enables customers of all sizes to mitigate risk, increase operational efficiencies and enhance safety.  “Video continues to play a more powerful role in enabling safer cities and securing businesses around the world,” said Greg Brown, chairman and CEO, Motorola Solutions. “Pelco’s track record of innovation, internationally recognized brand, global channel and customer installed base enable us to further expand our global footprint with enterprise and public safety customers.”

What are the Security Challenges of Protecting the Cannabis Industry?
What are the Security Challenges of Protecting the Cannabis Industry?

The advent of a truly new market for the physical security industry is a rare occurrence. Particularly rare is a new market that is both fast-growing and provides an environment that is not just conducive to application of physical security technologies but that actually demands it. Such is the case with the market for legalized marijuana. We asked this week’s Expert Panel Roundtable: What are the security challenges of protecting the cannabis industry?

Wireless Technology Is Transforming Motion Detection
Wireless Technology Is Transforming Motion Detection

Motion detection is a key feature of security systems in residential and commercial environments. Until recently, systems have relied heavily on closed circuit television (CCTV) and passive infrared (PIR) sensors, which both require significant investment and infrastructure to install and monitor. Developments in wireless technology are increasing home security possibilities. Few years ago, these developments led Cognitive Systems to discover that the wireless signals surrounding oneself can be used to detect motion. Known in the wireless industry as WiFi sensing, this technology brings many benefits that other motion detection solutions have not been able to provide. The working of WiFi sensing At Cognitive Systems, the company has used WiFi sensing technology to develop a motion detection solution called WiFi Motion™, which measures and interprets disruptions in RF signals transmitted between WiFi devices. When movement occurs in a space, ripples in the wireless signals are created. WiFi Motion interprets these ripples and determines if an action, such as sending a notification, is needed. Enabling this functionality in a space is incredibly simple. With a software upgrade to only one’s WiFi access point (or mesh router), motion sensing capabilities are layered into one’s WiFi network. Existing connected WiFi devices then become motion detectors without detracting from their original functions or slowing down the network. Using artificial intelligence (AI), WiFi Motion establishes a benchmark of the motionless environment and learns movement patterns over time, which could be used to predict trends. This allows unusual movement patterns to be detected with greater accuracy while decreasing the potential for costly false alerts. WiFi Motion requires no line-of-sight or installation WiFi sensing and other home monitoring solutions All of these capabilities are made possible by WiFi sensing and together create a motion detection system that provides unparalleled accuracy, coverage, privacy and affordability compared to other solutions on the market. PIR integration is far more complex and imposes electronic and physical design restrictions compared to WiFi sensing. In terms of placement, PIR systems are difficult to install, requiring line-of-sight and a device in every room for localization. WiFi Motion requires no line-of-sight or installation and is also a scalable solution compared to PIR. Much like cameras, PIRs can only cover so much space, but WiFi Motion can cover the entire home and even detect motion in the dark and through walls, without adding additional devices to the home. WiFi Motion detects less distinguishing context than cameras and microphones, but more context than regular PIR sensors for the perfect balance of privacy and highly accurate motion detection. Privacy solution While cameras have been the security solution for years, WiFi Motion offers a more affordable solution that can rival the privacy and coverage capabilities of even the most high-end cameras. With such a wide coverage area, one might think that WiFi sensing infringes on privacy, but actually, the opposite is true. With WiFi Motion, the contextual information collected cannot be used to identify a specific individual, unlike cameras which can clearly identify a person’s face or microphones, which can identify a person’s voice. It is different from other smart home security options that use cameras and microphones because it only senses motion using WiFi signals - it doesn’t “see” or “listen” like a camera or microphone would. This provides opportunities for added security in spaces where privacy might be a concern and installing a camera may not be a comfortable solution, such as bathrooms and bedrooms. The data collected is also anonymized and highly encrypted according to stringent industry privacy standards. Existing connected WiFi devices then become motion detectors Additional WiFi sensing applications Since WiFi sensing technology requires no additional hardware or subscription fees, it is much more affordable than other motion detection solutions. It can be used as a standalone solution, or it can be easily layered into more complex systems. This ease of integration, scalability and relatively low cost brings a lot of potential for various applications. Motion detection can trigger other smart devices in the network to turn lights on or off In eldercare, for example, WiFi sensing can be used to help seniors live comfortably in their homes for as long as possible. With the increasing aging population and high costs associated with care homes, the market for this application is considerable. Caregivers can use an app to monitor movement in their loved one’s home and be alerted about unusual movement patterns that could indicate a concern. For smart homes and other environments that have a network of smart devices, the artificial intelligence (AI) component of the technology allows for improvements to automated features. Motion detection can trigger other smart devices in the network to turn lights on or off or make adjustments to the temperature in a room. Security for the commercial sector For office buildings and other commercial properties, it is easy to see how all of these features could be scaled up to offer a highly accurate and cost-effective motion sensing and smart device automation solution. Cognitive Systems is closely involved with the development of WiFi sensing technology, working with various industry groups to establish standards and help it reach its full potential. WiFi Motion is merely the tip of the iceberg in terms of motion sensing possibilities, but its applications in the world of security are undeniably compelling. It is an exciting time for the wireless industry, as one works with stakeholders in the security space to explore everything this technology can do.