The importance of Federal Information Processing Standards (FIPS) in physical security


There are many standards and regulations that govern the world of information security. However, few carry as much weight and importance as the Federal Information Processing Standards (FIPS).

These standards, developed by the United States Federal Government, provide guidance for the procurement and use of information processing systems and solutions.

In this blog post, we will explore FIPS compliance and its impact on physical security, as well as Gallagher's solutions for the Federal Government. We will also discuss why FIPS should matter to you.

What does FIPS mean?

FIPS stands for Federal Information Processing Standards.

The term refers to a series of computer, data, and cyber security standards developed by the National Institute of Standards and Technology (NIST) under the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce.

These standards are typically used within non-military federal agencies and by government contractors and vendors who work with those agencies.

What is FIPS Compliance?

FIPS came into existence as part of the Federal Information Security Management Act (FISMA), which was signed into law in 2002 to strengthen information security throughout the federal government.

FIPS standards dictate certain requirements for a range of technology matters, including computer encryption schemes, key generation methods, computer security, and interoperability.

These standards and guidelines are developed for use when there are no acceptable industry standards or solutions for a particular government requirement.

While developed for use by the federal government, many private-sector organizations voluntarily use FIPS as a guideline for their physical security solutions.

What are the types of FIPS compliances?

There are several types of FIPS, covering a wide range of topics, from data encryption to secure network protocols.

| Number | Title | Published |
|---|---|---|
| 140-3 | Security Requirements for Cryptographic Modules (supersedes FIPS 140-2) | March 2019 |
| 180-4 | Secure Hash Standard (SHS) | August 2015 |
| 186-5 | Digital Signature Standard (DSS) | February 2023 |
| 197 | Advanced Encryption Standard (AES) | November 2001 |
| 198-1 | The Keyed-Hash Message Authentication Code (HMAC) | July 2008 |
| 199 | Standards for Security Categorization of Federal Information and Information Systems | February 2004 |
| 200 | Minimum Security Requirements for Federal Information and Information Systems | March 2006 |
| 201-3 | Personal Identity Verification (PIV) of Federal Employees and Contractors (supersedes FIPS 201-2) | January 2022 |
| 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | August 2015 |

The most up-to-date list of FIPS publications can be found on NIST's Current FIPS webpage.

While there is a range of standards, the FIPS publications most relevant to physical security products are FIPS 140-3, FIPS 199, and FIPS 201-3.

One of the most notable is FIPS 140-3, Security Requirements for Cryptographic Modules. This standard specifies the security requirements for cryptographic modules used within a security system that protects sensitive information in computer and telecommunication systems.

FIPS 199 is a crucial standard for information security. The purpose of FIPS 199 is to help federal agencies and associated contractors determine the proper level of security controls for their information systems.

Another relevant standard is FIPS 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors, which provides guidelines for the issuance and use of identity credentials.

The Benefits of Adherence to FIPS

Complying with FIPS standards ensures a baseline level of security that can protect sensitive information from unauthorized access and data breaches. This is especially crucial in the physical security domain, where the risks are significant, and data breaches can have far-reaching consequences, potentially impacting millions of individuals. Compliance with FIPS can also open opportunities to work with federal agencies or companies that require FIPS-compliant products and services.

Gallagher’s architecture conforms to this model and uses PACS hardware and software designed, developed, built, and supported by Gallagher to natively manage, process, and audit the traditional PACS functions together with the mandated FIPS 201 PKI requirements.

FIPS 201 PACS System Considerations

The technical requirements, along with the economics of implementing a FIPS 201-3 compliant Physical Access Control Solution (PACS), involve a combination of considerations, including credential registration and verification software, PKI enabled hardware, structured cabling plants, installation, and configuration labor.

When planning a FIPS 201 PACS implementation, the following areas should be considered:

  • System architecture and design
  • Re-use of existing cabling plant
  • Implementation of new cabling plant
  • Reader capabilities – ability to support the various assurance levels and use cases
  • PKI enabled eco-system
  • End-to-end encryption – including data at rest and data in transit
  • Disaster recovery and high availability options
  • Network and PKI interfaces
  • Associated installation and integration labor
  • Operation and maintenance requirements
  • Sustainment costs

Bolt-on model versus intrinsically compliant model: 13.01 topology versus 13.02 topology

There are two main models utilized by manufacturers to deliver FIPS 201-3 compliant PACS solutions.

  1. Third party bolt-on model - 13.01 topology
  2. Intrinsically compliant model - 13.02 topology

Third party bolt-on model – 13.01 topology

In this model, manufacturers rely on a third-party bolt-on PIV authentication methodology: third-party products are inserted into the architecture to meet current government requirements.

Many systems listed on the General Services Administration’s Approved Products List (GSA APL) leverage third party FIPS 201-3 authentication processing hardware and software modules to conform to the mandated authentication requirements. It is common for manufacturers to use third party modules if they are unable or unwilling to invest in their own 13.01 topology with innate registration and certificate management.

Third party bolt-on models can add cost, complexity, additional IT infrastructure, and unnecessary points of failure, and often result in sub-optimal speed, read range, and reliability at the door.

Concerns about this approach include:

  • Introduction of a duplicate layer of FIPS 201 specific PACS hardware and software, resulting in additional points of failure, increased installation and configuration labor, and increased sustainment costs.
  • Complicated interfaces between the duplicate hardware and software elements to provide necessary interoperability, coordinate actions, and exchange information between disparate systems.
  • Complication of Information Assurance activities, including system hardening, application of relevant security controls, and impact to time and cost associated with obtaining an Authority to Operate, Certificate of Networthiness (CON), or Certification & Accreditation (C&A).
  • Limited ability to implement future technologies and technology lifecycle cost increases.
  • Increased number of required Ethernet drops, necessary network switches and switch ports, energy consumption, network traffic, IP address reservations, and bandwidth consumption.

Intrinsically compliant model – 13.02 topology

In this model, manufacturers utilize an intrinsic PIV authentication methodology, in which required authentication and validation functions are woven into the security fabric of their products to provide a compliant end state.

Benefits of this approach include:

  • Ability to leverage existing PACS cabling infrastructure and network connections.
  • Reduced infrastructure requirements, structured cabling, and associated product and labor costs.
  • Simplified installation and reduced number of potential points of failure.
  • Reduced likelihood of improper installation by maintaining standard device configurations and connections familiar to system integrators and technicians.
  • Reduced software licensing, IT maintenance, and sustainment costs by minimizing the number of end points and software licenses required.
  • Simplified Information Assurance activities, including system hardening and application of relevant security controls, and reduced time and costs associated with Certification & Accreditation (C&A).
  • Obsolescence resistance and technology future-proofing provided by incorporating native interoperability and PKI functions.
  • Reduced energy costs.

Gallagher's simplified FICAM architecture for FIPS 201-3 environments includes an intrinsically secure ecosystem with native device PKI and credential authentication mechanisms. It utilizes native end-to-end FIPS 140-2 Level 3 encryption, without the need for expensive third-party authentication or cryptographic modules.

Gallagher’s Competitive FIPS 201 Differentiation

The Gallagher PIV solution offers a simplified architecture and is the most efficient, cost-effective PIV solution for physical access control on the GSA APL today. Gallagher provides natively designed and developed hardware, firmware, and software platforms that are easy to implement, configure, upgrade, and maintain.

Secure authentication and FIPS 140-2 Level 3 encryption between all system components are standard in the Gallagher PIV hardware and software platform. Our system includes central device management services, providing the capability to easily implement firmware changes and upgrades to controllers and readers without the need to individually visit each controller or reader. Upgrading components is as simple as broadcasting firmware updates to readers and controllers from the software at the heart of the Gallagher solution, Command Centre, eliminating the need to physically touch each controller and/or reader. Our upgradable field hardware ensures that FIPS 201 standards-based changes are easily implemented without the need for expensive hardware retrofits or costly labor, while protecting your investment.

Providing real time, secure certificate-based authentication of PIV, PIV-I, CAC, and CIV credentials, Gallagher offers a single platform for the management of access control, alarms, and perimeter security with administrator configurable, periodic certificate validation. With fewer components required for the Gallagher PIV solution, points of failure are minimized, and the system is easy to install, configure, and maintain. This architectural efficiency provides a cost-effective solution for both new and retrofit sites.

The Gallagher PIV solution consists of a Registration Engine, 6000HS PIV controllers, Command Centre Software, and T-Series readers to meet the various use cases required in validating PIV certificates at the door.

Credential holders are registered and enrolled in Command Centre using a native registration and validation engine, allowing PIV certificates to be validated at the point of registration and automatically on-boarded along with the cardholder’s identity attributes, image, and other data for ongoing validation status checks through Gallagher’s native OCSP/CRL.

Gallagher Command Centre software then provides ongoing OCSP or CRL validation of each user’s certificate status. Command Centre periodically checks the revocation status and trust path of each card’s PIV Authentication Key, Card Issuer Signature, and Card Authentication Key. The period between validation checks is user configurable in increments ranging from every hour up to every 24 hours.

The 6000 High Spec PIV Controller is securely and periodically updated by the Gallagher Command Centre OCSP server with full credential details, including the status of each PIV cardholder’s certificates. This data is used to facilitate the required certificate validation checks at time of access.

In conjunction with Gallagher T-series readers, the Controller 6000 is responsible for performing all contactless PIV smart card authentication checks, enforcing the revocation status of PIV smart card certificates and access control decisions at time of access without the need for constant server connectivity.
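The validation cycle described in the preceding paragraphs (certificates checked for trust path and revocation on the server, results pushed to the controller, the door decision then made locally without a live server link) is reduced below to a runnable model. This is an added example, not Gallagher's code and not how Command Centre, the Registration Engine or the 6000HS are implemented: it uses CRL checking in place of OCSP, a constructed in-memory CA in place of an agency PKI, and the names DemoPKI, ValidateCredential, Controller, Sync and AuthorizeAtDoor are assumptions. It is written against Go's standard crypto/x509 package. The security point it demonstrates is that a missing, stale or foreign CRL yields "unknown", which the controller treats the same as "revoked": the door fails closed rather than defaulting to "not revoked".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Status int // what the server pushes down to a controller after each validation cycle

const (
	StatusUnknown   Status = iota // no fresh, trustworthy answer: the door fails closed
	StatusValid                   // trust path intact and serial absent from a current CRL
	StatusRevoked                 // serial listed on a current CRL signed by the issuer
	StatusUntrusted               // no trust path to the configured agency root
)

// ValidateCredential is the server-side check for one PIV certificate: trust path to the configured
// roots first, then revocation status from a CRL that must come from the same issuer, verify under
// the issuer's key and still be inside its validity window.
func ValidateCredential(cert, issuer *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) Status {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return StatusUntrusted
	}
	// A missing, foreign, badly signed or expired CRL gives no answer; never read that as "not revoked".
	if crl == nil || !bytes.Equal(crl.RawIssuer, cert.RawIssuer) ||
		crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
		return StatusUnknown
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusValid
}

// credentialKey names a certificate the way a CRL does: by issuer and serial number.
func credentialKey(c *x509.Certificate) string { return fmt.Sprintf("%x/%s", c.RawIssuer, c.SerialNumber) }

// Controller is the status table a door controller enforces locally, so the decision at the
// reader never waits on a live server connection.
type Controller map[string]Status

// Sync is one periodic server-side validation cycle pushed down to the controller.
func (c Controller) Sync(pki *DemoPKI, now time.Time, cards ...*x509.Certificate) {
	for _, cert := range cards {
		c[credentialKey(cert)] = ValidateCredential(cert, pki.Issuer, pki.Roots, pki.CRL, now)
	}
}

// AuthorizeAtDoor opens only on a cached Valid status; revoked, untrusted and never-synced credentials fail closed.
func (c Controller) AuthorizeAtDoor(cert *x509.Certificate) bool { return c[credentialKey(cert)] == StatusValid }

// DemoPKI is a constructed in-memory stand-in for an agency PKI: one root CA, two PIV
// Authentication certificates, and a CRL that revokes the second of them.
type DemoPKI struct {
	Roots                  *x509.CertPool
	Issuer, Valid, Revoked *x509.Certificate
	CRL                    *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func BuildDemoPKI(now time.Time) *DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Agency PIV CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string) *x509.Certificate { // one PIV Authentication certificate
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	valid, revoked := issue(1001, "cardholder A"), issue(1002, "cardholder B")
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &DemoPKI{Roots: roots, Issuer: ca, Valid: valid, Revoked: revoked, CRL: crl}
}

func main() {
	now := time.Now()
	pki, ctrl := BuildDemoPKI(now), Controller{}
	ctrl.Sync(pki, now, pki.Valid, pki.Revoked)
	fmt.Println("A opens:", ctrl.AuthorizeAtDoor(pki.Valid), "B opens:", ctrl.AuthorizeAtDoor(pki.Revoked))
}
```

The validation period the text describes (every hour up to every 24 hours) would drive how often Sync runs; the model keeps that scheduling out of scope and shows only what one cycle computes and what the controller does with it between cycles. Note that Go's Verify builds the trust path but does not consult CRLs, so the revocation check is done explicitly after it, and both the CRL's issuer and its signature are checked before its contents are believed.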

The Controller 6000HS PIV comes equipped with dual 1 GB Ethernet ports, allowing for failover and redundancy configuration. The 6000 controller uses a fully distributed processing architecture where all decisions are made locally at the controller and are never host dependent. There is no degraded mode of operation and each controller supports 150,000 cardholder records while buffering 80,000 alarms/events. All Gallagher high-security devices, including the 6000HS PIV series controllers, are equipped with FIPS 140-2 Level 3 certified encryption modules and support secure cryptographic key storage. Each Gallagher device is issued a certificate and is digitally signed at the point of manufacture.

The Gallagher T-Series PIV reader multi-tech variant reads PIV/PIV-I/CAC/TWIC, Mifare Classic, DESFire EV1, DESFire EV2, and Plus credentials, as well as 125 kHz credentials. An optional Bluetooth LE module is available. All readers offer configurable illumination and audio to accommodate ADA requirements and user preferences. T-Series readers surpass the mandated read range requirement (3.5 cm) without the need for additional power, reducing the human error associated with contactless reads while improving performance and the end-user experience at the door.

Gallagher T-Series card readers utilize industry standard encryption for all communications via the Gallagher HBUS protocol. All PIV T-series readers are equipped with FIPS 140-2 Level 3 encryption modules and support secure cryptographic key storage.

With Gallagher’s intrinsically secure end-to-end PKI bus-based ecosystem, even third-party systems and sensors can be enabled with PKI-based FIPS 140-2 Level 3 cryptographic protection.

Wrapping Up: Why FIPS Matter in Physical Security

FIPS standards play a critical role in ensuring the integrity and security of information systems, including those used in physical security. By setting a clear standard for security practices, FIPS helps organizations protect their most sensitive data while also enabling them to work effectively with government agencies.

In the rapidly evolving landscape of information and physical security, adherence to standards like FIPS is not just a compliance issue, it's a necessary part of doing business.

Contact our team today to learn how we can help you easily meet the FIPS 201-3 requirements with one smart central management platform.
