FIPS-201 Failure

By: Brian Rhodes, Published on May 28, 2012

The security market is hungry for money. With security budgets shrinking worldwide, any glimmer of untapped sales sends manufacturers and integrators scrambling. Nothing carries more impact that sweeping government regulations, and as a result, when FIPS-201 (PIV) demanded government entities reform their identity credential use, many providers jumped at the chance. Unfortunately, more than a decade later, the security industry is still waiting for race to begin.

In this update, we examine FIPS-201 intent, identify where it has gotten sidetracked, and discuss if it will ever be a significant source of security spending.

History

FIPS-201 aims to standardize physical and logical credentials into a single format:

  • Applies to over 5.7 million Federal Workers and Contractors
  • Provide official response to requirements defined in HSPD12
  • It is a joint US Department of Commerce / NIST project

When introduced, the US Government gave everyone 5 years to comply. After multiple deadline moves and delays [link no longer available], it still has not been universally adopted [link no longer available]. This begs the question: "What went wrong?"

Barriers

The difficulty in pushing through FIPS-201 changes is not due to lack of awareness of the regulation itself. Rather, a host of other barriers have sidetracked adoption efforts:

  • Mass confusion understanding what FIPS-201 means: most people are waiting to be told how to be compliant.
  • Difficulty converging physical and logical identities: Getting parties to agree on compliance plans is tough.
  • Adoption required undeveloped technology: Compliant credentials and readers had to be designed first.
  • Unfunded mandates: Despite hard compliance deadlines, money was not budgeted to fund changes.
  • No enforcement beyond threats: While funding can be cut by non-compliance, real penalties are nonexistent.

Market Impact

A large integrator at PSA-TEC explained how his company geared up a major push for compliance in the government vertical, but various barriers prevented it from being a real market driver.

For example, a practical 'update' required to bring a 'legacy access control' system current to FIPS-201 standards is adopting credentials that meet ISO14443 communication standards. At the present time, this requires a type of card that mandates a 'read' range under 2 inches. In addition, FIPS-201 credential compliance requires a cryptographic 'self test' feature defined by FIPS-140. At current processing speeds, this activity takes almost a full second of continuous interface to 'read' a credential.

These requirements mean that government entities must replace all medium or long range proximity or magstripe technology readers protecting secured areas. In terms of real changes, this means a huge percentage of all installed card readers must be replaced. This does not even address the more specific data protection requirements applicable to the access control system itself, which may need to be substantially updated or forklift replaced to become compliant.

In spite of its far reaching impact, FIPS-201 compliance has not precipitated anything beyond incremental changes to most applicable access control systems. It is therefore difficult to gauge the overall effectiveness of FIPS-201. While directive's intent is smart, the case can be made that more fragmentation and confusion exist in the identity market now than before.

Future Market Driver?

The answer is: No, not it the way it was once expected. The lesson learned from this is that 'the cart cannot lead the horse'. No matter how sensitive the security market is in addressing these directives, if funding and enforcement are not concurrently made available they will be relegated into the heap of spineless legislation. Quite simply, government entities will not choose to spend money unless they are forced to or shown a tangible return on the expense. For many, FIPS-201 compliance simply becomes another check box on the '5-Year Strategic Plan' to be addressed at a later date.

Comments : Members only. Login. or Join.

Related Reports

Directory of Access Reader Manufacturers on Nov 27, 2019
Credential Readers are one of the most visible and noticeable parts of access systems, but installers often stick with only the brand they always...
Access Control Time & Attendance Guide on Sep 24, 2019
Access control systems can do more than lock doors. With little or no extra equipment, they can be used to track labor hours for employees...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
Mobile Access Usage Statistics 2019 on Jul 18, 2019
The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new...
Poor OSDP Usage Statistics 2019 on Jul 09, 2019
OSDP certainly offers advantages over decades-old Wiegand (see our OSDP Access Control Guide) but new IPVM statistics show that usage of OSDP, even...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe. They have already released their Gatekeeper Halberd...
How China's Pay By Facial Recognition Works on Apr 02, 2019
Many social media posts have variously celebrated or warned about the growing use of facial recognition for payments in China. An example of one...
Silicon Valley Access Startup Proxy Raises $13.6 Million on Mar 28, 2019
This mobile-credential based access startup just raised $13.6 million in funding.  Further, they claim that their technology can free businesses...
Large Hospital Security End User Interview on Mar 21, 2019
This large single-state healthcare system consists of many hospitals, and hundreds of health parks, private practices, urgent care facilities, and...

Most Recent Industry Reports

Dahua Faked Coronavirus Camera Marketing on Apr 01, 2020
Dahua has conducted a coronavirus camera global marketing campaign centered around a faked detection. Now, Dahua has expanded this to the USA,...
Video Surveillance Trends 101 on Apr 01, 2020
This report examines major industry factors and how they could impact video surveillance in the next 5 - 10 years. This is part of our Video...
USA's Seek Scan Thermal Temperature System Examined on Apr 01, 2020
This US company, Seek, located down the road from FLIR and founded by former FLIR employees is offering a thermal temperature system for the...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts, Convergint is touting 'extensive research' that is either grossly incompetent...
The IPVM New Products Online Show April 2020 Opens With 40+ Manufacturers on Mar 31, 2020
IPVM is excited to announce the first New Products Online show, with 40+ manufacturers, to be held April 14 to the 16th, free to IPVM members,...
USA's Feevr Thermal Temperature System Examined on Mar 31, 2020
This US company has burst on to the scene, brashly naming itself 'feevr' and branding itself as a "COVID 19 - AI BASED NON CONTACT THERMAL...
JCI Coronavirus Cuts on Mar 31, 2020
JCI has made coronavirus cuts, the company told employees in an email that IPVM has reviewed. Inside this note, we examine the cuts made, the...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door operators to fight the spread of coronavirus. This delivers...
Video Surveillance Business 101 on Mar 30, 2020
This report explains the fundamental elements of the video surveillance business for those new to the industry. This is part of our Video...
FDA Gives Guidance on 'Coronavirus' Thermal Fever Detection Systems on Mar 30, 2020
The US FDA has given IPVM guidance on the use of thermal fever detection systems being marketed for coronavirus, as an explosion of such devices...