FIPS-201 Improvements Reviewed

By: Brian Rhodes, Published on Jul 19, 2012

A new version of FIPS-201 is being introduced, but does the update make it more relevant to the physical security industry? To a large extent, FIPS-201 has been responsible for issuing large numbers of new credential cards, but has failed to change physical access control systems. Does the update rectify this? In this note, we examine the draft update and analyze what it means for the physical security industry.

Key Changes

One of FIPS-201's coauthors, the National Institute of Standards and Technology (NIST), has hosted several webinars and events circulating the revised standard, named FIPS-201-2. We joined one webinar in a series hosted by NIST that discuss the proposed changes with public participants, and while no agenda or minutes of that webinar were published, we cover the pieces most relevant to physical security below:

  • Credentials can be issued for 6 years, instead of 5.
  • Guidelines for implementing biometrics (fingerprints) into PIV cards are now included.
  • Guidelines for introducing 'E-Authentication' on cellphones or other flexible electronic devices are now included.
  • The physical access FIPS-201 compliant products is limited to a handful of vendors due to poor specifications

While the full impact of proposed changes to existing credential process is being evaluated, the draft changes do not obsolete any currently issued credentials.

History of Update: When FIPS 201 was initially introduced in 2005, its focus was predominantly on standardizing Logical Access credentials first. Supporting the standardization of Physical Access credentials fall under FIPS-201 scope, but the vastness of the effort has delayed much tangible focus. As a result, the importance/implementation of FIPS-201 has been mixed on the physical access side, and to date has primarily focused on issuing new 'PIV compliant' credentials. This update bridges some of the gaps on the Physical Access side by providing guidelines on how to properly issue and administrate biometric and electronic credentials.

Biometrics: This draft tightens up biometrics implementation by describing how they are used in '3 factor' verification, which the standard describes as:

  • "Something You Know": Personal ID Number
  • "Something You Have": Provisioned Access or Clearance by Higher Authorities
  • "Something You Are": Biometric Information, like Fingerprint Scan Information

The draft standard requires at least two fingerprint scans for biometric analysis. While the standard also mentions a 'facial image', this conveys a picture image and not iris or facial biometric scans. New biometric information is to be collected every time a PIV credential is issued, which is a maximum of 6 years.

E-Authentication: The revised standard opens the door for potential NFC style PIV credentials. While the standard does not specifically identify NFC technology, a new section mirroring OMB's 'E-Authentication Guidance' [link no longer available] standard is included. This proposed authentication methods include guidelines for issuing E-Credentials with 'Very High Confidence', meaning that the highest level of credential can be extended to this technology.

Criticism

Poor Specification means No Products: During the session, a physical security member criticised the standard, claiming the difficulty manufacturers face when designing FIPS 201 compliant products. The member point out, and the panel validated, that the 'approved product list' for FIPS 201 is limited to only a few vendors. Because the specification is difficult to interpret for many manufacturers, they choose to avoid designing compliant products. Consensus that better design specifications need to be published in order for many physcial security companies to 'enter the game'.

Market Impact

The update does little to change to current implementation of FIPS-201, and requires no new additional equipment or credentials. It does however, expand the current standard to include emerging credentials technologies like NFC. While this new standard has yet to be formally approved, it does not appear to substantially change physical access systems.

Standardizing FIPS-201 between logical and physical access control remains a huge obstacle, apparently to be addressed by future updates. While the overarching guidelines supporting new technology are helpful, this draft does nothing to bridge the gap between logical access and physical access control systems. We expect this change to be received as a minor update by physical security managers and executives.

1 report cite this report:

TWIC Access Credentials Under Fire on Oct 20, 2014
One of the biggest credential formats in the US is barely hanging on. With...
Comments : Members only. Login. or Join.

Related Reports

Genetec Security Center 5.9 Release Examined on Feb 06, 2020
Genetec released the next major version of Security Center, less than a year...
FDA Gives Guidance on 'Coronavirus' Thermal Fever Detection Systems on Mar 30, 2020
The US FDA has given IPVM guidance on the use of thermal fever detection...
FDA Defines Correct Operation of "Fever Cameras" on May 26, 2020
The US FDA has now defined the correct operation of "Thermal Imaging...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Converged vs Dedicated Networks For Surveillance Tutorial on Feb 12, 2020
Use the existing network or deploy a new one? This is a critical choice in...
Avigilon Open Analytics Tested on Apr 16, 2020
After years of effectively closed analytics, Avigilon decided in late 2018 to...
BICSI For IP Video Surveillance Guide on Feb 11, 2020
Spend enough time around networks and eventually someone will mention BICSI,...
Avigilon ACC Cloud Tested on Jul 08, 2020
Avigilon merged Blue and ACC, adding VSaaS features to its on-premise VMS,...
FLIR Screen-EST Screening Software Tested on Jun 30, 2020
In our FLIR A Series Test, the cameras' biggest drawback was their lack of...
Hanwha Wisenet X Plus PTRZ Tested on Feb 14, 2020
Hanwha has released their PTRZ camera, the Wisenet X Plus XNV-6081Z, claiming...
FLIR A Series Temperature Screening Cameras Tested on Jun 04, 2020
FLIR is one of the biggest names in thermal and one of the most conservative....
Clinton Public View Monitor (PVM) Mask Detection Tested on Jul 09, 2020
Face mask detection, or more specifically not wearing one, is expanding...
Avigilon Face Mask Detection Tested on Jun 24, 2020
Face mask detection or, more specifically not wearing a face mask, is an...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Seek Scan Thermal Temperature Screening System Tested on May 28, 2020
Now that IPVM has tested Dahua, Hikvision, and Sunell, we are returning to...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...