FIPS-201 Improvements Reviewed

Author: Brian Rhodes, Published on Jul 19, 2012

A new version of FIPS-201 is being introduced, but does the update make it more relevant to the physical security industry? To a large extent, FIPS-201 has been responsible for issuing large numbers of new credential cards, but has failed to change physical access control systems. Does the update rectify this? In this note, we examine the draft update and analyze what it means for the physical security industry.

Key Changes

One of FIPS-201's coauthors, the National Institute of Standards and Technology (NIST), has hosted several webinars and events circulating the revised standard, named FIPS-201-2. We joined one webinar in a series hosted by NIST that discuss the proposed changes with public participants, and while no agenda or minutes of that webinar were published, we cover the pieces most relevant to physical security below:

  • Credentials can be issued for 6 years, instead of 5.
  • Guidelines for implementing biometrics (fingerprints) into PIV cards are now included.
  • Guidelines for introducing 'E-Authentication' on cellphones or other flexible electronic devices are now included.
  • The physical access FIPS-201 compliant products is limited to a handful of vendors due to poor specifications

While the full impact of proposed changes to existing credential process is being evaluated, the draft changes do not obsolete any currently issued credentials.

History of Update: When FIPS 201 was initially introduced in 2005, its focus was predominantly on standardizing Logical Access credentials first. Supporting the standardization of Physical Access credentials fall under FIPS-201 scope, but the vastness of the effort has delayed much tangible focus. As a result, the importance/implementation of FIPS-201 has been mixed on the physical access side, and to date has primarily focused on issuing new 'PIV compliant' credentials. This update bridges some of the gaps on the Physical Access side by providing guidelines on how to properly issue and administrate biometric and electronic credentials.

Biometrics: This draft tightens up biometrics implementation by describing how they are used in '3 factor' verification, which the standard describes as:

  • "Something You Know": Personal ID Number
  • "Something You Have": Provisioned Access or Clearance by Higher Authorities
  • "Something You Are": Biometric Information, like Fingerprint Scan Information

The draft standard requires at least two fingerprint scans for biometric analysis. While the standard also mentions a 'facial image', this conveys a picture image and not iris or facial biometric scans. New biometric information is to be collected every time a PIV credential is issued, which is a maximum of 6 years.

E-Authentication: The revised standard opens the door for potential NFC style PIV credentials. While the standard does not specifically identify NFC technology, a new section mirroring OMB's 'E-Authentication Guidance' standard is included. This proposed authentication methods include guidelines for issuing E-Credentials with 'Very High Confidence', meaning that the highest level of credential can be extended to this technology.

Criticism

Poor Specification means No Products: During the session, a physical security member criticised the standard, claiming the difficulty manufacturers face when designing FIPS 201 compliant products. The member point out, and the panel validated, that the 'approved product list' for FIPS 201 is limited to only a few vendors. Because the specification is difficult to interpret for many manufacturers, they choose to avoid designing compliant products. Consensus that better design specifications need to be published in order for many physcial security companies to 'enter the game'.

Market Impact

The update does little to change to current implementation of FIPS-201, and requires no new additional equipment or credentials. It does however, expand the current standard to include emerging credentials technologies like NFC. While this new standard has yet to be formally approved, it does not appear to substantially change physical access systems.

Standardizing FIPS-201 between logical and physical access control remains a huge obstacle, apparently to be addressed by future updates. While the overarching guidelines supporting new technology are helpful, this draft does nothing to bridge the gap between logical access and physical access control systems. We expect this change to be received as a minor update by physical security managers and executives.

1 report cite this report:

TWIC Access Credentials Under Fire on Oct 20, 2014
One of the biggest credential formats in the US is barely hanging on. With over 3 million TWIC cards issued, it is one of the most common ID...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Wavelynx Access Control Manufacturer Profile on Jan 10, 2019
Denver-based WaveLynx is not well known as an access reader manufacturer, but OEMs for big industry brands including Amag, Isonas (Allegion),...
Combating Vaping Epidemic - Halo Smart Sensor Profile on Dec 21, 2018
Youth vaping has become an epidemic, according to the US Surgeon General, while the market leader, Juul, just received a $12.8 billion investment...
ACRE-Acquired Open Options Access Company Profile on Dec 17, 2018
Who is the company ACRE is acquiring? In this note, we examine Open Options line for best customer fit, key features, pricing, and main...
Open Options Acquired By ACRE on Dec 17, 2018
ACRE is doing deals again. A year after they sold Mercury, they are buying another access control company - Open Options. In this note, we...
2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...
Top 2019 Trend - AI Video Analytics on Dec 10, 2018
160+ Integrators answered: What do you think the top industry trend will be in 2019? Why? AI / video analytics was the run-away winner with...

Most Recent Industry Reports

The IP Camera Lock-In Trend: Meraki and Verkada on Jan 18, 2019
Open systems and interoperability have not only been big buzzwords over the past decade, but they have also become core features of video...
NYPD Refutes False SCMP Hikvision Story on Jan 18, 2019
The NYPD has refuted the SCMP Hikvision story, the Voice of America has reported. On January 11, 2018, the SCMP alleged that the NYPD was using...
Mobile Surveillance Trailers Guide on Jan 17, 2019
Putting cameras in a place for temporary surveillance where power and communications are not readily available can be complicated and expensive....
Exacq Favorability Results 2019 on Jan 17, 2019
Exacq favorability amongst integrators has declined sharply, in new IPVM statistics, compared to 2017 IPVM statistics for Exacq. Now, over 5 since...
Testing Bandwidth Vs. Low Light on Jan 16, 2019
Nighttime bandwidth spikes are a major concern in video surveillance. Many calculate bandwidth as a single 24/7 number, but bit rates vary...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
UK Fines Security Firms For Illegal Direct Marketing on Jan 16, 2019
Two UK security firms have paid over $200,000 in fines for illegally making hundreds of thousands of calls to people registered on a government...
Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Gorilla Technology AI Provider, Raises $15 Million, Profiled on Jan 15, 2019
Gorilla Technology is a Taiwanese video analytics manufacturer that recently announced a $15 million investment from SBI Group, saying this...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact