With every government agency in the U.S. issuing a standardized secure ID, will your campus card feel the pressure to follow their lead?
By Chris Corum, Executive Editor
Every federal government agency is currently issuing a standard ID card to their employees and contractors. Some of the brightest minds from security and IT in the U.S. government have been working on this project for the better part of a decade. Because of the massive scale and perceived national security implications, they had at their disposal input from some of industry’s brightest minds. This work is already in process to be codified as an international standard by ISO, the Organization for International Standardization. If you think your campus card program will not be impacted by this effort, some would call you naïve … others would call you crazy.
It preparing this article, I found it impossible to leave out a bit of editorial bias. Out of fairness, I am admitting it up front. I also know that some of our readers will not like the premise of the article because, despite the adage that change is good, it is usually good for some but not for all. I will be disappointed if this piece does not generate some fervent debate– as I believe the topic is among the most revolutionary changes we could face in campus card circles. I also believe that it presents a tremendous opportunity for us to radically improve certain elements of our campus card industry. Finally, I think it presents a real opportunity for our vendor community to grow new markets for their products. So here it is … let me have it. Don’t hold back as I am ready to take the arrows for the sake of healthy debate.
A bit of history …
The government credentialing effort goes by several names, FIPS 201, HSPD-12, PIV, and soon ISO 24727. The process has been a work in progress at least since the late 1990s when pioneering work was underway by individuals responsible for the Department of Defense’s Common Access Card and the Government Smart Card Interoperability Specification.
But things kicked into high gear in August 2004 when President Bush issued Homeland Security Presidential Directive 12 (HSPD-12). Its purpose was to initiate “a mandatory, government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.”
HSPD-12 dictated extremely aggressive time lines. Within six-months, a new federal standard was to be in place. Everything was now on the fast track.
This new standard became the Federal Information Processing Standard Publication 201 (FIPS 201). It was created by the National Institute of Standards and Technology (NIST) with input from a host of those ‘brightest minds.’ FIPS 201 was no small undertaking. It would have been impossible to complete it in the prescribed time frame without the years of groundwork that had been laid by the prior government smart card groups and pioneering projects.
By October 27, 2005, agencies had to have procedures in place for issuance of FIPS 201 compliant credentials. These credentials were named Personal Identity Verification (PIV) cards and this first milestone became known as PIV-I. While PIV-I required procedures, it did not mandate that these procedures be up and running.
The requirement to put the procedures into operation was the second step, known as PIV-II, which required that by October 27, 2006, all agencies were to begin issuing the new IDs. That deadline passed with virtually universal success, though many agencies issued only a single card by the deadline.
What does FIPS 201 actually entail?
The process defines more than just a new ID card. It is a revolutionary change in the entire concept of what an employee credential is and does. It is here that the importance emerges for campus card systems, corporate ID offices, and other credentialing bodies.
Pre-issuance identity vetting
Before the first card was issued, FIPS 201 was making its presence felt. A credential can only be as strong as the pre-issuance process, the process of knowing the potential cardholder. As a part of FIPS 201, agencies must perform background checks on cardholders to make sure they are who they claim to be and to identify criminal activity or other history that might compromise security. Federal employees undergo background checks via the National Agency Check and Inquiries (NACI) program. Only after an acceptable NACI check will a permanent FIPS 201 credential be issued.
By the next key compliance date, October 27, 2007, agencies must have completed background investigations of all current employees and contractors.
More than 125 agencies will issue FIPS 201 credentials. A key to the HSPD-12 mandate is the need for cards issued by one agency or site to be accepted by others. In other words, a card issued by the Department of Agriculture should be accepted at the Department of Interior if an employee needs access to facilities for approved reasons such as a joint project. Moreover, it is not enough to visually recognize the card for acceptance. Rather it must be electronically authenticated to make sure the card is current and valid.
To accomplish this goal, the concept of federation or federated identity is essential. It centers on the reciprocal acceptance of credentials issued by participating entities. At the very core of federation is trust. Each entity must trust the credential and the procedural security employed by the issuer. This includes the pre-issuance identity vetting, the issuance integrity and security, the revocation, etc.
But how can 125-plus agencies possibly work with each and every one of the others to create this trust? The only way to do this, short of drafting more than 15, 625 individual agreements (125 to the power of two) is through adherence to an accepted standard. The bankcard industry provides an ideal example of federation. Imagine if each merchant had to enter into a contract with each and every bank that issued a debit or credit card. Each would specify payment terms, dispute resolution procedures, and a host of other elements that could vary from contract to contract. It would require literally hundreds of millions of documents.
Enter the card associations like Visa and MasterCard as the standard of trust for this federated system. A single set of rules is agreed upon by the merchant and by each card-issuing bank, thus eliminating the need for countless bilateral contracts … in favor of trust through standardization and federation.
Standardizing the card and technology
Defining the credential itself was another key element of FIPS 201. At the highest level, the card has both a contact (ISO 7816) and contactless (ISO 14443) interfaced integrated circuit chip. In the initial rollouts, two separate chips can be on a single card but in the future many expect two separate interfaces to a single chip to be the norm (commonly referred to as a dual interface card).
The card has two fingerprint biometrics stored on-card and a full set of fingerprints and facial image for registration and identification off-card. Multiple asymmetric key pairs are enabled for digital signature, key management, physical security, and card management functionality.
A tightly structured data model defines how the unique identification number and other elements are stored in the chip. Certain data elements to be printed on the front and back of the card are also specified. A magnetic stripe is optional.
With tens of millions of users, hundreds of purchasing points, and likely billions of taxpayer dollars at stake, the need to certify products to work with FIPS 201 was paramount. NIST established test procedures and the Government Services Administration (GSA) established a lab to oversee product evaluation and approval. This Approved Product List (APL) has become the industry bible for product selection. To date, about 200 products have been certified for use in categories ranging from cards and card readers to biometric devices and cryptographic modules. Qualified system integrators must also be approved.
Shared service provision
The HSPD-12 mandate created a veritable frenzy in government circles. Literally days prior to the October 27, 2006 deadline, key product categories in the APL still remained empty, leaving agencies wondering how to meet the mandate. Large agencies and those with a history in advanced card issuance seemed confident of their ability to comply, while small and less card-experienced agencies expressed concern.
Two organizations, the GSA and the Department of Interior established outsourced services to handle HSPD-12 compliance for agencies. Because of the standardized processes, these shared service providers were able to handle vetting, issuance, and post-issuance services for client agencies. Reliance on the shared service providers was high. The GSA offering already serves 40 agencies with a user count of 420,000.
Reaching beyond the federal government
So, all federal agency personnel will soon have a FIPS 201 card. But who else will have the card?
Following this first wave of likely FIPS 201 groups, the list is expected to expand, not just for mandated reasons, but for voluntary efficiency and security as well.
Why? Because from the inception, the vendor community has lined up to create product for the program – partly for patriotic reasons perhaps – but mainly for economic gain. The pie is huge and the race to build product to get a piece of it is ongoing. Growing markets and increasing competition for compliant cards, readers, and applications is almost certain to continue reducing prices for approved products.
From the security and applicability perspective, never before has a solution with such widely tested and deployed security – both logical and physical – existed.
As evidenced by the movement in the ISO committee toward international standardization, the eventuality of FIPS 201 as either the real, or de facto, standard for secure identity credentials is more than simple speculation.
What does this mean on campus?
Campus cards have PINs … FIPS 201 has RSA 1024-bit and 2048-bit asymmetric cryptography as well as on-card biometrics. Campus cards have barcodes and mag stripes … FIPS 201 has dual interface contact and contactless integrated circuits. Campus cards have vendor-specific systems … FIPS 201 has an approved product list with hundreds of certified products based on defined standards.
But what the campus card world does well, the FIPS 201 world has yet to address. Campus cards handle money, track privileges, have web-enabled systems, and build applications to support the enterprise issuer and the cardholder.
The campus card community is, at the same time, both way behind and well in front of the federal government and the larger FIPS 201 world.
What can campus card programs learn from FIPS 201?
There are many lessons that card issuers – including campus card program administrators – can take from FIPS 201. Simply looking at the five characteristics touched on in this article can provide a wealth of insight.
Pre-issuance identity vetting – Individually, a campus can evaluate how it vets the identity of students and staff prior to issuing a new or replacement credential. Are multiple forms of ID required for identity verification? Is current status checked at issuance? Should there be security screening of any kind? From an industry perspective, a best-practices document could be developed to guide all institutions toward attaining at least a base level of procedural control.
Federation – Is there value in a federated credential among educational institutions? Perhaps not on a nationwide basis, but maybe it is necessary among satellite campuses or within a geographic or administrative region.
Standardization – Are there areas of the campus card industry that could benefit from a standards-based approach? Is it possible that one-day we may see a standard contact interface chip that handles logical security (e.g. digital signatures, network logon, file encryption) on campus IDs from any vendor? You could still buy your system of choice from your vendor of choice, but opt for the version with the FIPS 201 logical security capability. It would require a card with both a standard chip and the magnetic stripe for the campus-centric applications, but it needn’t necessitate a radical shift in the current business model.
Product certification – Imagine if there was an approval process that vendor products could go through to be certified as “campus-capable.” This could enable third-party offerings (e.g. peripheral applications, handheld readers, parking solutions) to be approved by an independent body making it easier for campuses to identify applications that will work with their program.
Shared service provision – Could some campuses benefit by outsourcing some of their program’s functionality to an outside entity? Certainly the answer is yes … as this is already happening via system sharing (e.g. the University of Vermont), outsourced card office management (e.g. CardSmith), and off campus merchant programs (e.g. BbOne). But these are merely the tip of the iceberg. The day may well come when a central issuing office, – such as a new GSA-supported network, the Department of Motor Vehicles, or the US Postal Service, – actually issues FIPS 201 cards for any government agency, corporation, or program. Could such a model work for campus cards, enabling instant issuance but from the campus card office? Or might our campus card offices one day become the issuing centers for government and corporate users of FIPS 201 technology? Card offices understand issuance and are staffed to handle ongoing requirements.
Only time will tell …
In the future, it may be that cost efficiencies and enormous volumes drive the price of a FIPS 201-approved card so low that money is not a deterrent to migration on campus. It may also be that the wealth of available applications and the mounting requirements for security make the cost irrelevant when compared to need.
But keep in mind that campuses don’t have to deploy FIPS 201 cards to benefit from the process retooling for FIPS 201 details. There are lessons to be learned right now and progressive card program administrators can lead the way.
As FIPS 201 continues to revolutionize government identification and spread into corporate and other markets in the years to come, campus card issuers will have a decision to make … stand aside or get on board.