Risk
8/13/2012
03:58 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Security Industry Association Submits Comments On FIPS 201-2

SIA’s PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications

SILVER SPRING, MD -- Today, the Security Industry Association (SIA) submitted important new comments to NIST regarding the revised draft of FIPS 201-2, the standard for Personal Identity Verification (PIV). SIA’s PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications, especially those that address the high security objectives of HSPD-12.

NIST released the first draft of the update to the 2005 FIPS 201 over a year ago and has again sought industry input on their latest work product. Though NIST has extensively addressed the comments received on the first draft, they have also introduced a number of new concepts, which have drawn strong reaction from industry. One of the main issues is the need to get the specification fully effective near term, since it will not be changed for at least five years after its anticipated release in early 2013.

There are several issues that are important to SIA and the security industry, including: the ability to achieve technical interoperability in Physical Access Control Systems (PACS); recognition of 3-factor authentication (card, PIN, biometrics), a long time industry practice; and outdoor environmental challenges which necessitate the use of contactless readers. Per the current draft standard, contactless readers cannot be used for “High” or “Very High” confidence assurance levels.

“NIST has come a long way since 2004 when Homeland Security Presidential Directive-12 dictated the first versions of PIV be brought to market. However, the initial implementations often used the basic CHUID reader technology, which is now being deprecated and demoted to low assurance levels, which is appropriate,” according to Rob Zivney, chair of SIA’s PIV Working Group. “Now we need to more fully embrace the cryptographic and biometric capabilities of the card so we can use them securely over the contactless interface for the highest 3-factor authentication -- even when embedded in a mobile phone. We offered suggestions that would bring the new technology to the PIV card much sooner than waiting out current lifecycles of both the Standard and the PIV Card,” Zivney added.

PIV card technology use has begun to spread beyond federal employees and contractors. A range of companies and entities that do business with the federal government -- aerospace and defense contractors, international banks and state governments – use PIV-I (PIV-Interoperable). Seaports and truckers use the TWIC (Transportation Worker Identification Credential) in the private sector and first responders are using the FRAC (First Responder Authentication Credential). All of these and more are based on PIV. As a result, SIA’s comments are as critical to the private sector as they are for the federal sector for which PIV was originally chartered.

The comments can be found on SIA's website at http://www.siaonline.org/government under "Headlines."

The Security Industry Association (www.siaonline.org) is the leading trade group for businesses in the electronic and physical security industry. SIA protects and ­­advances its members' interests by advocating pro-industry policies and legislation on Capitol Hill and throughout the 50 states; producing cutting-edge global market research; creating open industry standards that enable integration; advancing industry professionalism through education and training; opening global market opportunities. As sole sponsor of the ISC Expos, the world’s largest security trade shows and conferences, SIA ensures its members have access to top-level buyers and influencers as well as unparalleled learning and network opportunities.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.