Incorporating stronger authentication technologies, such as PIV and PIV-I (PIV-Interoperable) cards, into an agency Physical Access Control System (PACS) is a critical part of mitigating the risk of physical security breaches. FICAM recently published the "Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS)" (PDF) document, which provides detailed technical and security guidance for using PIV and PIV-I authentication mechanisms in a federal agency PACS.
This is a comprehensive document that covers:
- The current PACS landscape
- The current standards and guidance that directly or indirectly affect PACS
- Enterprise PACS security functions, which describe specific, measurable security controls that determine whether the PACS actually works as a security countermeasure
- A comprehensive list of common authentication patterns that illustrate both proper and improper use of PIV and PIV-I authentication
The Enterprise PACS security functions are broken down into three control families, each with its own set of functions:
- Technical Controls
  - Identification and Authentication
  - Access Control
  - Audit and Accountability
  - System and Communications Protection
- Operational Controls
  - Configuration Management
  - Contingency Planning
  - Physical and Environmental Protection
  - System and Information Integrity
  - Awareness and Training
- Management Controls
  - Security Assessment and Authorization
  - Planning
  - Risk Assessment
The authentication patterns, which include both good and not-so-good patterns, are one of the more informative parts of this document. They align with the NIST SP 800-116 (PDF) authentication mechanisms and the security areas (Controlled, Limited and Exclusion) those mechanisms are meant to protect, so a reader can see which patterns are acceptable for which area and which ones leave threats unmitigated.
The patterns themselves are provided using a standard format:
- Use Case Diagram
- Description
- Unmitigated Threats
- Pros, Cons, Issues
- Considerations
This document, produced by the FICAM Architecture Working Group, was a significant undertaking and reflects the many perspectives that go into deploying an effective PACS. The newly established FICAM Modernized Physical Access Working Group (MPAWG) will manage updates and changes to it going forward.
- Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS) v2.0.2 DRAFT (PDF)
by Anil John