HSPD-12 team building front-door standards
Interagency group is looking to ensure data on PIV II cards will mesh with physical access control systems
- By Jason Miller
- Jun 02, 2006
The system has to know if a card holder's status changes. ... Somehow, information has to be pushed out to the physical access control systems.'
' Chris Niedermayer, Executive Steering committee chairman
GSA's John Sindelar
If physical access control under Homeland Security Presidential Directive-12 is going to be moved out from under 'guns and badges' and to the network, it has to start with a set of standards agencies can agree on.
These standards must address how card readers and control panels at agency doors read the information that will be contained on Personal Identity Verification II cards.
The administration has mandated that agencies must be ready to issue and accept interoperable PIV II cards by Oct. 27.
With 1.8 million employees scattered throughout the country and a host of disparate access control systems already in place, the Office of Management and Budget's HSPD-12 Executive Steering Committee has put together an interagency architecture team to tackle this effort.
'We need to develop an interface standard from physical access control systems to a broader set of information to share changes about the card holder,' said Chris Niedermayer, Agriculture Department associate CIO and chairman of the ESC. 'The system has to know if a card holder's status changes, whether they are invalidated, or they are not a CIO anymore or whatever. Somehow, information has to be pushed out to the physical access control systems.'
Under HSPD-12 and Federal Information Processing Standard 201-1, the main identifier on a PIV card will be the Federal Agency Smart Credential Number, which can be up to 32 bits or 25 bytes, based on the encoding technique.
Experts say this is a lot of information for physical access control systems to handle.
The amount of data is only part of the problem. Where the information resides is the other issue the interagency team, which is made up of logical and physical access control experts and led by the General Services Administration, is looking at, Niedermayer said.
He said a lot of data is held in agencies' human resources systems, and the team is trying to figure out how it can be used securely and privately.
Niedermayer said the architecture team's goal is to finish the first draft of the physical access control standards by early July. It then would be vetted throughout the agencies, and possibly industry.
After the architecture team figures this piece out, GSA's Public Buildings Service said, it will install card readers that meet HSPD-12 requirements at the entrances of all federal buildings.
John Sindelar, GSA's acting associate administrator in the Office of Governmentwide Policy, said PBS will coordinate with each building security committee to install outside access card readers once GSA and the National Institute of Standards and Technology approve products that meet FIPS-201-1.
'PBS will do a survey at the end of May to identify what they are looking at in terms of requirements,' Sindelar said at a luncheon sponsored by the Association for Federal Information Resources Management in Washington. 'Anything above the card readers at the entrance will have to go through the normal reimbursable request process with PBS.'
A lot of this depends on how fast GSA and NIST can approve products and services.
Sindelar also said GSA should have the requirements for the new Federal Supply Service schedule number ready soon.
Once the requirements are finished, GSA will issue the solicitation, and companies with NIST- and GSA-approved products and services can submit offers to get on the schedule.
GSA has approved criteria for 10 of the 20 products and services and is in the process of coming up with the others, Sindelar said.
'We were shooting to release the schedule by the end of May, but it will probably slip into June,' he said last month. 'We are working with the Federal Acquisition Service to get the acquisition strategy done.'
Sindelar said GSA anticipates agencies buying off the schedule in three ways:
- Individual components for systems
- Managed services
- Using existing systems and adding piecemeal.
'We already have 11 vendors in the queue who want to be approved, and at least two want to offer managed services,' he said.
Niedermayer added that another option would be bulk buying, such as what OMB, GSA and the Defense Department have been pushing under the SmartBuy enterprise software licensing initiative.
'If we buy public-key infrastructure certificates in lots of 5,000 or 10,000, it will cost more than if we buy them in lots of 100,000 or 500,000,' he said. 'We are looking to see if this is a possibility.'