FIPS-201 Failure

Author: Brian Rhodes, Published on May 28, 2012

The security market is hungry for money. With security budgets shrinking worldwide, any glimmer of untapped sales sends manufacturers and integrators scrambling. Nothing carries more impact that sweeping government regulations, and as a result, when FIPS-201 (PIV) demanded government entities reform their identity credential use, many providers jumped at the chance. Unfortunately, more than a decade later, the security industry is still waiting for race to begin.

In this update, we examine FIPS-201 intent, identify where it has gotten sidetracked, and discuss if it will ever be a significant source of security spending.

History

FIPS-201 aims to standardize physical and logical credentials into a single format:

  • Applies to over 5.7 million Federal Workers and Contractors
  • Provide official response to requirements defined in HSPD12
  • It is a joint US Department of Commerce / NIST project

When introduced, the US Government gave everyone 5 years to comply. After multiple deadline moves and delays, it still has not been universally adopted. This begs the question: "What went wrong?"

Barriers

The difficulty in pushing through FIPS-201 changes is not due to lack of awareness of the regulation itself. Rather, a host of other barriers have sidetracked adoption efforts:

  • Mass confusion understanding what FIPS-201 means: most people are waiting to be told how to be compliant.
  • Difficulty converging physical and logical identities: Getting parties to agree on compliance plans is tough.
  • Adoption required undeveloped technology: Compliant credentials and readers had to be designed first.
  • Unfunded mandates: Despite hard compliance deadlines, money was not budgeted to fund changes.
  • No enforcement beyond threats: While funding can be cut by non-compliance, real penalties are nonexistent.

Market Impact

A large integrator at PSA-TEC explained how his company geared up a major push for compliance in the government vertical, but various barriers prevented it from being a real market driver.

For example, a practical 'update' required to bring a 'legacy access control' system current to FIPS-201 standards is adopting credentials that meet ISO14443 communication standards. At the present time, this requires a type of card that mandates a 'read' range under 2 inches. In addition, FIPS-201 credential compliance requires a cryptographic 'self test' feature defined by FIPS-140. At current processing speeds, this activity takes almost a full second of continuous interface to 'read' a credential.

These requirements mean that government entities must replace all medium or long range proximity or magstripe technology readers protecting secured areas. In terms of real changes, this means a huge percentage of all installed card readers must be replaced. This does not even address the more specific data protection requirements applicable to the access control system itself, which may need to be substantially updated or forklift replaced to become compliant.

In spite of its far reaching impact, FIPS-201 compliance has not precipitated anything beyond incremental changes to most applicable access control systems. It is therefore difficult to gauge the overall effectiveness of FIPS-201. While directive's intent is smart, the case can be made that more fragmentation and confusion exist in the identity market now than before.

Future Market Driver?

The answer is: No, not it the way it was once expected. The lesson learned from this is that 'the cart cannot lead the horse'. No matter how sensitive the security market is in addressing these directives, if funding and enforcement are not concurrently made available they will be relegated into the heap of spineless legislation. Quite simply, government entities will not choose to spend money unless they are forced to or shown a tangible return on the expense. For many, FIPS-201 compliance simply becomes another check box on the '5-Year Strategic Plan' to be addressed at a later date.

Comments : PRO Members only. Login. or Join.

Related Reports

Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Wavelynx Access Control Manufacturer Profile on Jan 10, 2019
Denver-based WaveLynx is not well known as an access reader manufacturer, but OEMs for big industry brands including Amag, Isonas (Allegion),...
Combating Vaping Epidemic - Halo Smart Sensor Profile on Dec 21, 2018
Youth vaping has become an epidemic, according to the US Surgeon General, while the market leader, Juul, just received a $12.8 billion investment...
ACRE-Acquired Open Options Access Company Profile on Dec 17, 2018
Who is the company ACRE is acquiring? In this note, we examine Open Options line for best customer fit, key features, pricing, and main...
Open Options Acquired By ACRE on Dec 17, 2018
ACRE is doing deals again. A year after they sold Mercury, they are buying another access control company - Open Options. In this note, we...
Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018
Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...
2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...

Most Recent Industry Reports

The IP Camera Lock-In Trend: Meraki and Verkada on Jan 18, 2019
Open systems and interoperability have not only been big buzzwords over the past decade, but they have also become core features of video...
NYPD Refutes False SCMP Hikvision Story on Jan 18, 2019
The NYPD has refuted the SCMP Hikvision story, the Voice of America has reported. On January 11, 2018, the SCMP alleged that the NYPD was using...
Mobile Surveillance Trailers Guide on Jan 17, 2019
Putting cameras in a place for temporary surveillance where power and communications are not readily available can be complicated and expensive....
Exacq Favorability Results 2019 on Jan 17, 2019
Exacq favorability amongst integrators has declined sharply, in new IPVM statistics, compared to 2017 IPVM statistics for Exacq. Now, over 5 since...
Testing Bandwidth Vs. Low Light on Jan 16, 2019
Nighttime bandwidth spikes are a major concern in video surveillance. Many calculate bandwidth as a single 24/7 number, but bit rates vary...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
UK Fines Security Firms For Illegal Direct Marketing on Jan 16, 2019
Two UK security firms have paid over $200,000 in fines for illegally making hundreds of thousands of calls to people registered on a government...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Gorilla Technology AI Provider, Raises $15 Million, Profiled on Jan 15, 2019
Gorilla Technology is a Taiwanese video analytics manufacturer that recently announced a $15 million investment from SBI Group, saying this...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact