Interoperable Identification & Access Control Cards Are in the Works

Steve Howard Steve Howard brings more than 25 years of frontline experience in identity management and information assurance to his role as vice president of credentials at CertiPath. His charter: create and deploy aerospace and defense's first platform with identity and credential assurance defined for physical and logical access control solutions

When it comes to identity credentials, today's airports are like islands. Each issues its own airport-specific credentials for physical access control. The credentials don't interoperate with anything else and don't support the concept of multiple use. Specifically, they don't address broader issues like cybersecurity and visitor management for cleared officials from FAA, TSA or other airports.

The need for high-assurance interoperable credentials, however, is there. Born from the 9/11 attacks and the clear need for cooperative efforts across jurisdictions, standards for federal-level credentials that can also be used on a local level have been defined and are in production.

The good news is that interoperable credentials may decrease costs and increase security for airport operators. The even better news is that federal airport regulators have already made the leap to secure, high-assurance interoperable identification cards in many respects. The multi-use cards address both physical and logical security needs. And they significantly improve the government's overall cybersecurity posture across logical and physical access systems.

The Chief Information Officer Council of the federal government has established the Identity, Credentialing and Access Management subcommittee (commonly referred to as FICAM). Its role is to establish common methods and access control models for identity credentialing, network and systems control, (i.e. logical access control systems, or LACS) and physical access control systems (PACS). There is a plethora of information about FICAM's work at http://idmanagement.gov.

FICAM Roadmap and Implementation Guidance, published in June 2009, is a strategic document that came from this subcommittee. It discusses the overall ICAM segment architecture for all federal agencies and departments. Section 2 of the document is very telling. It lays out how identity and credentialing impact provisioning, privilege management and access control for both logical and physical access systems. It provides critical insight into the use of FIPS 201 conformant Personal Identity Verification credentials (often called PIV cards) across the federal enterprise.

There are many indications that critical infrastructure such as airports will be migrated to harmonized ICAM approaches that strategically leverage standardized, high-assurance interoperable identity credentials and access control methodologies. Well over 80% of the entire federal enterprise employees and contractors now have PIV cards, and the government seems to be driving toward additional use.

Consider FAA's use of PIV cards according to FICAM guidance. Ed Ebright, FAA division manager, ID Media Division, presented some very interesting cases, including a full visitor management solution that leverages PIV cards, at the Government Smart Card Interagency Advisory Board in May.

Another interesting area is the FAA's deployment of PACS based on this common card. The FAA has 1,100 facilities -100 of which are already PIV compliant; 500 others are currently in process; and the remaining 500 are low-risk facilities that may not require the access control solutions. A single standardized, high-assurance interoperable credential used across the entire agency is a substantial leap forward in cybersecurity and cost reduction in acquisition of systems.

As agencies like the FAA move forward in the implementation of high-assurance interoperable credentials for both physical and logical access, these experiences will affect the organizations they regulate. The FAA is not idle in this respect. It works with the RTCA (a non-profit organization that focuses on communications, navigation, surveillance and air traffic management system issues) to develop guidance for airport systems. The RTCA DO-230B (soon to be DO-230C) was a major update to provide guidance for integrated security systems for airports. This document is harmonized with Airport Planning, Design and Construction Guidelines.

In looking at RTCA DO-230B, it presents a unified view for using interoperable identification credentials across the physical access control systems environment. Recent activities in FICAM are consistent with this and fully support moving in this direction for identification, credentialing and access environments. Leveraging the guidance from these initiatives across the aviation community is strategic to protecting airports as part of the nation's critical infrastructure.