Risk
8/13/2012
03:58 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Security Industry Association Submits Comments On FIPS 201-2

SIA’s PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications

SILVER SPRING, MD -- Today, the Security Industry Association (SIA) submitted important new comments to NIST regarding the revised draft of FIPS 201-2, the standard for Personal Identity Verification (PIV). SIA’s PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications, especially those that address the high security objectives of HSPD-12.

NIST released the first draft of the update to the 2005 FIPS 201 over a year ago and has again sought industry input on their latest work product. Though NIST has extensively addressed the comments received on the first draft, they have also introduced a number of new concepts, which have drawn strong reaction from industry. One of the main issues is the need to get the specification fully effective near term, since it will not be changed for at least five years after its anticipated release in early 2013.

There are several issues that are important to SIA and the security industry, including: the ability to achieve technical interoperability in Physical Access Control Systems (PACS); recognition of 3-factor authentication (card, PIN, biometrics), a long time industry practice; and outdoor environmental challenges which necessitate the use of contactless readers. Per the current draft standard, contactless readers cannot be used for “High” or “Very High” confidence assurance levels.

“NIST has come a long way since 2004 when Homeland Security Presidential Directive-12 dictated the first versions of PIV be brought to market. However, the initial implementations often used the basic CHUID reader technology, which is now being deprecated and demoted to low assurance levels, which is appropriate,” according to Rob Zivney, chair of SIA’s PIV Working Group. “Now we need to more fully embrace the cryptographic and biometric capabilities of the card so we can use them securely over the contactless interface for the highest 3-factor authentication -- even when embedded in a mobile phone. We offered suggestions that would bring the new technology to the PIV card much sooner than waiting out current lifecycles of both the Standard and the PIV Card,” Zivney added.

PIV card technology use has begun to spread beyond federal employees and contractors. A range of companies and entities that do business with the federal government -- aerospace and defense contractors, international banks and state governments – use PIV-I (PIV-Interoperable). Seaports and truckers use the TWIC (Transportation Worker Identification Credential) in the private sector and first responders are using the FRAC (First Responder Authentication Credential). All of these and more are based on PIV. As a result, SIA’s comments are as critical to the private sector as they are for the federal sector for which PIV was originally chartered.

The comments can be found on SIA's website at http://www.siaonline.org/government under "Headlines."

The Security Industry Association (www.siaonline.org) is the leading trade group for businesses in the electronic and physical security industry. SIA protects and ­­advances its members' interests by advocating pro-industry policies and legislation on Capitol Hill and throughout the 50 states; producing cutting-edge global market research; creating open industry standards that enable integration; advancing industry professionalism through education and training; opening global market opportunities. As sole sponsor of the ISC Expos, the world’s largest security trade shows and conferences, SIA ensures its members have access to top-level buyers and influencers as well as unparalleled learning and network opportunities.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web