With more than 1.6 million secure identification cards in employee and contractor hands, agencies are turning their attention to how best to use them.
Many agencies have pilot programs to use their Homeland Security Presidential Directive-12 cards for either physical or logical access. For instance, the Department of Housing and Urban Development is testing logical access control starting in the chief information officer’s office.
The Agriculture and State departments and NASA are among the agencies taking the lead in using their HSPD-12 cards for physical access control. In fact, the National Institute of Standards and Technology is receiving a lot of questions about how best to implement physical access control systems.
“Most agencies have physical access control systems in place and those systems need to be integrated with [HSPD-12] card,” says Bill McGregor, NIST’s Personal Verification Identification (PIV) coordinator. “Now is the time for advice.”
NIST issued its advice last month in Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems, to help agencies implement these systems.
McGregor says physical access control systems are a natural place to start because so many agencies already are using them.
The guidance offers agencies 20 suggestions for how to proceed with implementing these systems.
McGregor says two recommendations are especially important. The first is to develop a project management plan that includes milestones, cost and performance data.
The second is to find a mentor agency, such as State, NASA or USDA, that has some experience in integrating these systems.
“They can offer advice for planning and processes,” he says.
McGregor also recommends starting small with a test or small program and growing the implementation.
To that end, NIST developed a maturity model so agencies can measure their progress.
The model includes five stages:
Stage 1: Test the physical access control system in a lab environment or small-scale demonstration to gain familiarity with the process;
Stage 2: Place an HSPD-12 authentication system at the front gate for employees from other agencies and contractors to use;
Stages 3, 4 and 5 are all related. Stage 3: Use HSPD-12 authentication at the most secure areas, known as exclusion areas;
Stage 4: Use HSPD-12 cards to access medium-security, or limited, areas;
Stage 5: Use the cards for physical access for the entire facility, known as controlled areas.
McGregor says the idea of exclusion, limited and controlled areas is borrowed from the Army.
“We needed a model to make risk or impact based recommendations,” he says. “From controlled to limited to exclusion, you are protecting assets of greater value in each one.”
McGregor says this guidance likely will be updated next year with lessons learned from agency implementations.
“The document really does offer recommendations for particular PIV mechanisms and establishes criteria to choose from,” he says.