FICAM Ready vs. FICAM Compliant (S1:E30)
August 25, 2022
As managing identities continues to become more and more a part of our daily life, the verification of identity and access is mission-critical to U.S. federal government agencies. David Helbock, Director of Product Management at Identiv, joins us to shed some light on the distinction between what it means for these agencies to be FICAM-ready vs. FICAM-compliant.
Automated Voice (00:01):
You're listening to Humans In Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity, verification, cybersecurity, and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging digital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Your host is Leigh Dow, VP of Global Marketing at Identiv.
Leigh Dow (00:43):
Thanks for joining us. Today we're talking with the uber talented David Helbock. Dave is the Director of Product Management at Identiv, and he's here to shed some light on the distinction between FICAM-ready versus FICAM-compliant. Hi Dave, it's great to have you with us today.
David Helbock (00:58):
Hey, Leigh, how's it going? Thanks for having me and inviting me to this session.
Leigh Dow (01:02):
For sure. So conceptually, maybe we start with you breaking down for everyone what FICAM is.
David Helbock (01:08):
Yeah. Okay. So the reason FICAM was developed was the government and the identity credential and access management space needed a federal version of how they wanted FICAM to operate between governance, the policies, the tools, and the actual Federation environments between how logical access systems were accessed, how the individuals were authorized to access those systems, and then creating tokens for authentication mechanisms to get into those systems. And what we have been seeing in the market on the FICAM side for the physical access control, or PACS, is a distinction between FICAM-ready PACS and FICAM-enabled PACS. A lot of different agencies have different interpretations of how the systems rely on FICAM requirements.
Leigh Dow (02:06):
So what does it mean to be FICAM-ready?
David Helbock (02:09):
So to be FICAM-ready, typically, you would need to go through the IDManagement.gov site. You would pick out your system. We actually offer two different topologies in our system, a 13.01 topology, a 13.02 topology for the physical access controls, where you're using wired communications. There's also a wireless version of the topology called a 20.01. All three of those systems can make you FICAM-ready. What some systems, depending on how heavy you want the architecture involved or not involved, and that's where each of those different topologies are actually laid out inside of that IDManagement.gov site, where various PACS are approved by the GSA APL administration team.
Leigh Dow (03:07):
How does that differ then from being FICAM-compliant?
David Helbock (03:11):
So once you actually have your FICAM-ready system installed, and you are then harvesting token data out of PIV cards or CAC cards or PIV-I cards those applications then start transitioning from being FICAM-ready to FICAM-compliant. You have your validation paths working in your systems. You're actually revoking different, or monitoring the revocation status of various PKI tokens for systems that can use the authentication methods from the smart cards.
So when you have a system that you purchase, and you install that system, you have it FICAM-ready, but until you actually turn on all the authentication techniques between the PIV cards, in this instance, and actually monitoring the status of those cards and doing authentication at the door, not just authorization, that's where you start becoming FICAM-compliant. And a lot of people think that just the authorization piece, hey, does this card have access to the store, is compliance, but that's more on the FICAM-ready state. So typically when you're in a compliance system, you're actually authenticating the card and then authorizing the card for access.
Leigh Dow (04:33):
How would someone decide, or is it a decision that's made for them, that they need to be FICAM-ready versus FICAM-compliant?
David Helbock (04:43):
It's generally agency specific criteria. It's based on their security and threat levels and controls and operational methods that drive those decisions. My personal belief would be every door should have some sort of authentication mechanism prior to the authorization. That's how I read FICAM and interpret those installations. And there are various agencies that don't see the need to have that level of complexity at every single door, but the credentials that each of the federal agencies have can support the authentication mechanisms at doors, as long as they have their FICAM compliance systems operational.
Leigh Dow (05:29):
Is FICAM a mandate, or is it a mandate depending on the agency that you are in?
David Helbock (05:35):
FICAM is technically a mandate. That is a requirement for logical systems, physical access control systems. There's OMB documents and guidance around FICAM. That's definitely a mandate.
Leigh Dow (05:51):
Got it. In talking about cards, can you tell us the different types of PIV-based cards?
David Helbock (05:58):
There are quite a few different types of cards that are out there that are PIV-based that are technically PIV-based. A lot of times you'll hear about a PIV card that would follow SP 800-73 technology. And then there's also the CAC card. There's also a PIV-I card. There's a TWIC card. Now there's a CIV card. There's some other cards that can follow the PIV-based technical specifications. And that's what NIST houses and writes to those requirements. And NIST has special publications. And the 800-73 series explains how PIV-based cards function. What it comes down to, the government, is the PIV and the CAC cards have very strict vetting requirements, where say a PIV-I card may not have the same strict personnel vetting requirements to receive the same as you would receive your PIV card. So there's actually administration differences between the cards too, not just the technology differences.
Leigh Dow (07:08):
Do agencies tend to have one type of card or do they tend to have different types of cards depending on what your role is in the agency?
David Helbock (07:17):
That's what it seems when we're doing some of the specifications and guidance, or criteria, reviews with some of the agencies. There are a mix of cards that they're using. Some agencies trust only PIV cards. Some agencies trust only PIV cards from their own agency, and they don't trust PIV cards from other agencies. Some agencies trust PIV cards and PIV-I cards and CAC cards. So it really depends on the agency mission and how their validation systems are structured to operate in between each of the different types of cards that are available.
Leigh Dow (07:57):
So what's your favorite card, Dave Helbock?
David Helbock (08:03):
I don't have a favorite card. I love all PIV-based cards.
Leigh Dow (08:06):
Let's discuss and focus on Identiv's approach to FICAM. Maybe start with the software and then the hardware components.
David Helbock (08:13):
Okay. Yep. So at Identiv, we have, like I mentioned earlier, we offer all the 13.01, a 13.02, and the 20.01 solutions. The 13.02 solution is our most innovative solution where it's an all-in-one, end-to-end FICAM physical access control system. With the application itself, we have a, since Velocity, our flagship software, has different use cases, it's a COTS product, but we have a plugin that actually transforms Velocity into the FICAM-based PACS system. It's called Velocity Cert Check Services.
Once that plugin is applied to the application, you can then scan the PIV card. You can extract all the data that you need off the PIV card. You can extract the portrait, the certificates, and store all of that information inside of the database, and then set exactly how you want to monitor the information that you accepted from the card. So if you wanted to monitor the CAK, the card auth key, or the PIV auth key, or all of it, you would set that up in a schedule and you could say, hey, have this run every minute, have this run every six hours, as often as you want it to run. And then it'll constantly go back and check the certificate authority that monitors those tokens and the token status. And then you can use the software to automatically disable certain credentials depending on what you have that configured to do. So that's on the software side. It's a really neat application. I'm happy to walk anybody through that wants a demo.
On the hardware side, we have about six or seven different readers that are set up for actual OSDP applications to perform the card auth and PIV auth authentication and authorization requirements, so that the reader would connect via secure OSDP to one of our Mx-8 controllers that are listed on our FICAM approvals. And once that's connected with the controller, we have what's called a SNIB3 board. And that SNIB3 can actually store up to 500,000 PIV credentials inside of that board and perform those cryptographic transactions that need to be done in a FICAM PACS environment. So the software and the hardware are both complementary of each other and it works really well.
Leigh Dow (10:45):
It's a lot of complexity in that system, but managing identities is mission critical to all of these agencies.
David Helbock (10:53):
That's right, that's right. That, and that a lot of agencies have actually decided to start doing different integrations where they're not even plugging and playing on card readers and enrollment stations, but having automated systems feed that data to their physical access control systems on their enterprise. So that way you're not, you don't need to have the person in front of you to actually register their card. You can talk to other authoritative systems that can provide the information from the card before they even get to the site to use the card. So the infrastructure is definitely becoming a lot more intelligent and automated, which is helping these use cases to get systems converted to that FICAM-compliance status.
Leigh Dow (11:39):
You mentioned live step-by-step demos of our FICAM solution in action. About how long does that take?
David Helbock (11:45):
We can do it in about five to 10 minutes. Typically it's an introduction, and then we can go into the software. And once we're in the software, we can show a registration. We can show an access granted, show an access denied. The conversations, depending on how interested the stakeholders are on the call, can definitely take, after the first five to 10 minutes, a couple hours, two or three hours.
Leigh Dow (12:11):
Right. Depending on questions.
David Helbock (12:14):
But typically we'll schedule 30 minutes to an hour, just to make sure that we covered most of the ground.
Leigh Dow (12:21):
Okay. And so, like I said earlier, it seems like there's a lot of complexity in that system, but it's actually pretty easy to implement, right?
David Helbock (12:29):
Yes. Yeah. So with our system, we have, the applications are, as long as you're working with one of our channel partners, you can download the application. You can use it on a Windows 10 machine, a Windows 11 machine, Server 2019, Server 2016. So, as long as you have your machine set up and you load our application and you install the plugin, once the plugin's installed, and both of those systems are licensed, then you can start using the application.
Leigh Dow (13:01):
Got it. Anything we didn't cover today, any tech tips you want to offer to installers?
David Helbock (13:07):
Mostly for today, I think if, to look into more of the technical background, like my recommendation, as we mentioned earlier, was just to look through the SP 800-73 documents. I think it'll help people make a lot more sense of what the card's doing. Another really neat document is the SP 800-116 document, which is where they actually talked about the PIV credentials and different use cases in federal facilities. And that way people can say, oh, there's a neat use case, or that's how they do it there. Or, hey, maybe this door only needs one-factor. This door needs two-factor. This door needs three-factor. There's a lot of good documentation on the NIST.gov site and the IDManagement.gov site that can help people understand the PIV cards and the PIV ecosystem, along with all the different FICAM directives and policies.
Leigh Dow (14:01):
Excellent. As I said earlier, just managing identities is only going to become more and more a part of our world. And that verification of identity and access is mission critical to these agencies. Thank you so much for joining us today, Dave. It's always a pleasure and you always have such great information to share.
David Helbock (14:24):
Absolutely. No problem. Thanks again for having me. And hope you have a great day.
Automated Voice (14:28):
The problem isn't security, it's awareness. Velocity Vision is the future of visual surveillance, an intelligent video management solution that delivers real-time situational awareness in an open security platform. Integrate with your existing systems, verify your environment in one pane of glass and increase the efficiency of your security operation. Get full control of your environment when and where you need it. Learn more at identiv.com.
Control access anytime, anywhere, and on any device, 24/7. The Freedom Smart Bridge is a leading-edge door controller that integrates seamlessly with existing IT infrastructure and management tools. It stores information locally from any server and remains fully functional in the event of a network outage. The Freedom Smart Bridge eliminates complex control panel configurations with technology communicating over encrypted IP network protocols. It meets audit compliance requirements and easily supports on-premises, hybrid, and cloud deployments. Learn more at identiv.com.
Physical security, identity verification, the IoT, the hyper connectivity of our lives will only grow more pervasive. As technology becomes more automated, and experiences more augmented, it's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?