Modernizing Physical Access for US Federal Agencies and Military Bases

ymassard@hidglobal.com's picture

With PIV and CAC credentials, US federal agencies and military bases have issued the most powerful ID credential for their employees and contractors.  PIV/CAC credentials provide a secure, standardized identification that can be trusted across US government organizations thanks to the use of US Federal Bridge Certificate Authority.  PIV/CAC credentials are used to login to computer, network and applications; digitally sign emails and documents; encrypt/decrypt data; provide visually identification and physical access to secure sites.

The physical access itself is more secure and more interoperable than traditional physical access solutions thanks to the use of digital certificates and PKI (Public Key Infrastructure).  There are more than 5 million active PIV/CAC credentials in use across the US Federal Government.  However, by design, the PIV/CAC credentials do not cover all people that need access to federal facilities. For example, federal employees and contractors that need access to a government site for less than 180 days are not eligible to be issued a PIV credential.  The population that is not PIV-eligible covers short-term employees/contractors (e.g.: seasonal workers) as well as visitors that may be at a site for short term (from a day visit to a few weeks).

This creates a challenging situation for security teams where they have high assurance credentials in the form of the PIV/CAC credential for long-term employees/contractors but still have to rely on traditional physical access credentials for the rest of their population.  Mixing technologies can make things more complex and does not provide a uniform security posture.  In addition, agencies are being encouraged to modernize their physical access systems and discontinue traditional physical access control badges and only rely on PKI type credentials for physical access.

To address those challenges, agencies have a few options available to them:

Option #1  If they already have a PIV/CAC issuance system, they may be able to configure the PIV/CAC issuance system to also issue short term credentials that are PIV-like (that is, behaves like a PIV/CAC credential from an interoperability standpoint, even though they would not be recognized as proper PIV or CAC). A very large number of agencies do not have a PIV issuance system and instead rely on a managed service, like USAccess, to provide PIV credentials to their users.  The DoD issues CAC credentials from a central location as well. In these cases, standing up a PIV/CAC issuance system may not be economically realistic due to the cost of deploying and manning a PIV/CAC issuance system.

Option #2  Issue PIV-I credentials to short term employees and visitors. PIV-I credentials are very similar to PIV/CAC credentials but can be issued to personnel that are not PIV-eligible. The challenge with this approach is that PIV-I credential’s cost is comparable to PIV credential’s and this may not be economically viable for the short-term population, since those credentials are personalized with the user information and cannot be reused after the user complete his short term visit.

Option #3 Issue a temporary card credential solely for the physical access control system that does not require the identity proofing of a PIV or PIV-I card, but still rely on the PIV standard for technical interoperability.

Option #3 could be the most cost effective by far. The HID Crescendo Temporary Access Card is the first trusted credential available on the market that can be used for option #3. The Crescendo Temporary Access Card comes pre-initialized from the factory with digital certificates and can simply be registered into FIPS 201 compliant physical access systems and is ready to use right away.  A PACS that is tested in the GSA’s FICAM lab will fail should it recognize an access card that is not created using the FIPS201 standards.   By using the Crescendo Temporary Access Card for visitors, the same security features of a PIV/CAC, including PKI @ the Door, can be maintained by the physical access control system.  Because the Crescendo Temporary Access Card does not contain user information, the Crescendo Temporary Access Card can be reassigned to a different visitor and reused many times over, lowering costs for agencies.  And Since the Crescendo Temporary Access Card comes pre-initialized from the factory; agencies do not need to deploy additional software.  No need for additional PKIs, credential management systems or hardware security modules.

Those new Temporary Access Card options provide ways for federal agencies and military bases to:

  • Modernize their physical access systems
  • Retire traditional physical access credentials and focus on PKI/PIV-like credentials
  • Increase their physical access security posture
  • All the while, doing it in a cost conscious way by avoiding the need to deploy and manage additional software