NIST Recommends Best Fits for Federal Access Control

Federal agencies have begun issuing a secure form of government-wide ID known as the Personal Identity Verification (PIV) card, mandated in 2004 by Homeland Security Presidential Directive 12. The Gaithersburg, MD-based National Institute of Standards and Technology (NIST) has released a draft publication outlining best-practice guidelines for making the new cards work with the physical access control systems (PACS) that authenticate the cardholders in federal facilities.

The PIV card is intended to work everywhere across the federal government. Conventional PACS, however, are not fully enabled to work with PIV cards and are not interoperable between agencies. PACS also need to verify the cardholder's identity with an appropriate degree of confidence (either "Some," "High," or "Very High"), depending upon the level of security needed at the particular location in the federal facility. Current PACS, however, may not be tailored to work at these graduated levels of authentication assurance.

The NIST draft publication explores methods for verifying identity in a simple model describing four zones of increasing security in a facility. The zones are unrestricted (outside the fence or walls of the facility, controlled (inside the fence of front door), limited (past a security checkpoint for employees in a facility), and exclusion (secure areas granted to individuals with specific needs).

The draft specifies increasingly sophisticated authentication mechanisms for these zones, from visual and CHUID authentication (inspection of features on the front and back of the PIV card and reading a unique number from the card) to biometrics (the use of distinguishing features in physical features like fingerprints to grant access) and PKI Authentication (exchange of cryptographic information that requires the user to enter a PIN number).

The report takes into account the many different types of federal facilities, from single-agency buildings to multiple-agency campuses. It also explores how PACS systems can work with temporary ID cards for guest employees or visitors.

For more information, visit (www.nist.gov).