Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/13/2012
03:58 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Security Industry Association Submits Comments On FIPS 201-2

SIA’s PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications

SILVER SPRING, MD -- Today, the Security Industry Association (SIA) submitted important new comments to NIST regarding the revised draft of FIPS 201-2, the standard for Personal Identity Verification (PIV). SIA’s PIV Working Group contributed comments and proposed improvements to make the PIV card more usable in physical access control applications, especially those that address the high security objectives of HSPD-12.

NIST released the first draft of the update to the 2005 FIPS 201 over a year ago and has again sought industry input on their latest work product. Though NIST has extensively addressed the comments received on the first draft, they have also introduced a number of new concepts, which have drawn strong reaction from industry. One of the main issues is the need to get the specification fully effective near term, since it will not be changed for at least five years after its anticipated release in early 2013.

There are several issues that are important to SIA and the security industry, including: the ability to achieve technical interoperability in Physical Access Control Systems (PACS); recognition of 3-factor authentication (card, PIN, biometrics), a long time industry practice; and outdoor environmental challenges which necessitate the use of contactless readers. Per the current draft standard, contactless readers cannot be used for “High” or “Very High” confidence assurance levels.

“NIST has come a long way since 2004 when Homeland Security Presidential Directive-12 dictated the first versions of PIV be brought to market. However, the initial implementations often used the basic CHUID reader technology, which is now being deprecated and demoted to low assurance levels, which is appropriate,” according to Rob Zivney, chair of SIA’s PIV Working Group. “Now we need to more fully embrace the cryptographic and biometric capabilities of the card so we can use them securely over the contactless interface for the highest 3-factor authentication -- even when embedded in a mobile phone. We offered suggestions that would bring the new technology to the PIV card much sooner than waiting out current lifecycles of both the Standard and the PIV Card,” Zivney added.

PIV card technology use has begun to spread beyond federal employees and contractors. A range of companies and entities that do business with the federal government -- aerospace and defense contractors, international banks and state governments – use PIV-I (PIV-Interoperable). Seaports and truckers use the TWIC (Transportation Worker Identification Credential) in the private sector and first responders are using the FRAC (First Responder Authentication Credential). All of these and more are based on PIV. As a result, SIA’s comments are as critical to the private sector as they are for the federal sector for which PIV was originally chartered.

The comments can be found on SIA's website at http://www.siaonline.org/government under "Headlines."

The Security Industry Association (www.siaonline.org) is the leading trade group for businesses in the electronic and physical security industry. SIA protects and ­­advances its members' interests by advocating pro-industry policies and legislation on Capitol Hill and throughout the 50 states; producing cutting-edge global market research; creating open industry standards that enable integration; advancing industry professionalism through education and training; opening global market opportunities. As sole sponsor of the ISC Expos, the world’s largest security trade shows and conferences, SIA ensures its members have access to top-level buyers and influencers as well as unparalleled learning and network opportunities.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4682
PUBLISHED: 2021-01-28
IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVE-2020-4888
PUBLISHED: 2021-01-28
IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker co...
CVE-2020-13569
PUBLISHED: 2021-01-28
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can...
CVE-2021-20620
PUBLISHED: 2021-01-28
Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2021-20621
PUBLISHED: 2021-01-28
Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.