Product Announcement: Federal Information Processing Standard (FIPS) 201 Solution


PRODUCT ANNOUNCEMENT

Federal Information Processing Standard (FIPS) 201 Solution

TAC is proud to announce its solution for the U.S. Government Federal Information Processing Standard: FIPS 201. The Andover Continuum system from TAC has been enhanced in version 1.9 to include optional support for FIPS 201. This solution includes new controller firmware and options for the FIPS 201 ready NetController II, AC-1 modules and the ACX Series.

This Product Announcement provides background information on FIPS 201 and an overview of the Card Management and Issuance System. It also describes the features implemented within Andover Continuum's hardware and software products to support the standard and complement the solution. To best help with the structure of this announcement, here is a summary of the sections included:

- About HSPD-12 and FIPS 201
  o What is HSPD-12 and FIPS 201?
- Card Management & Issuance System Overview
  o Diagram of a general system as defined by the standard
  o TAC's solution satisfies the Physical Access Control component only
- Access Control and FIPS 201
  o Access Control requirements for a FIPS 201 system
- Andover Continuum and FIPS 201
  o TAC's FIPS 201 feature implementation in Andover Continuum
- Features and Benefits
- Business Opportunity
- Technical and Market Opportunities
- Andover Continuum Security Architecture
- Andover Continuum FIPS 201 Solution Products and Requirements
  o Products that Support the FIPS features
  o Required Add-On options
- Ordering
  o Ordering Instructions
  o Software and Firmware Compatibility
- How to Approach a FIPS 201 Project
- FIPS 201 Solution FAQs

Literature
- CyberStation Installation Guide, P/N: 30-3001-720
- CyberStation Access Control Essentials Guide, P/N: 30-3001-405
- web.Client Planning & Installation Guide, P/N: 30-3001-835
- Plain English Language Reference Guide, P/N: 30-3001-872
- NetController II Operation & Technical Reference Guide, P/N: 30-3001-995
- ACX 57xx Series Controller Operation & Technical Reference Guide, P/N: 30-3001-999
- Release Notes 1.9
- NetController II Sales Datasheet, P/N: SDS-C-NETCONTROLLER-II-A4
- ACX Series Access Controller for Ethernet Sales Datasheet, P/N: SDS-C-ACX-A4

Resource List
- White Paper: US Security Directive FIPS 201 Compliance Strategies, P/N: WP-C-SEC-FIPS201-A4
- Feature Blast: Federal Information Processing Standard (FIPS) Solution, P/N: FB-C-FIPS201-A4
- Feature Blast: NetController II, P/N: FB-C-NETCONTROLLER-II-A4
- Feature Blast: NetController II v2.1, P/N: FB-C-NETC-II-v2_1-A4
- Feature Blast: ACX Series Access Controller for Ethernet, P/N: FB-C-ACX-A4
- Feature Blast: ACX Series v1.1, P/N: FB-C-ACX-v1_1-A4

About HSPD-12 and FIPS 201


In August 2004, the Homeland Security Presidential Directive (HSPD-12) was issued. It mandates the use of one federal standard means of identification for all federal employees and contractors. This is partially driven by the fact that there are over 100 major government agencies, each with its own unique system for performing background checks and criteria for issuing credentials (e.g. access cards). Furthermore, there was no defined way to authenticate persons between agencies.

The key requirements for HSPD-12 are for secure and reliable identification that:
- Is issued based on sound criteria for verifying an individual employee's identity
- Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
- Can be rapidly authenticated electronically
- Is issued only by providers whose reliability has been established by an official accreditation process

The Secretary of Commerce directed the National Institute of Standards and Technology (NIST) to develop a new standard. NIST released FIPS 201 on February 25th, 2005, and has released 12 supporting standards to date. FIPS 201 was created to answer the Homeland Security Presidential Directive HSPD-12, which charged all federal agencies to utilize a secure, standardized single credential Personal Identity Verification (PIV) system for both logical (PC log on) and physical security (Access Control). FIPS 201 addresses PIV systems at the issuance and reader level.

PA-C-FIPS201-A4

Card Management and Issuance System Overview and Major Components


As a result of HSPD-12, every federal employee and contractor will require a new unique identification (i.e. access card). Below are the major components of the general Card Management and Issuance System with a summary of each step. TAC's solution addresses the Physical Access Control System (PACS) component.

The Andover Continuum components only address the Physical Access Control System (PACS) component of the overall system (shown in the upper right section of the diagram).


Access Control and FIPS 201


Although the current FIPS 201 standard does not specifically define the details for the Physical Access Control System (PACS), the access control system needs to be able to synchronize data with the PIV issuance system, the Identity Management System (IDMS), commonly referred to as PIV middleware. The information received from the PIV middleware is then stored in the access control system.

From an access control specific perspective, the following needs to be implemented at a site to transition it for FIPS 201 compliance:
1. A new PIV Card Issuance system needs to be selected and added to the site which would interact with the PACS.
2. The site needs to change its cards and card readers to accept the new card format.
3. The controllers connected to these card readers need to be upgraded (or changed) for compatibility with the new card readers.
4. The access control system (including database) implementation needs to change to include the new additional data required by FIPS PIV cards.

Physical access requests made by PIV card credentials are read by readers designed to handle the FIPS PIV cards and are passed to the access control system. The access control system must be able to make access control decisions using the FIPS data passed to it by the PIV reader.

Andover Continuum and FIPS 201


TAC set out to implement its FIPS 201 solution by expanding on the Andover Continuum access control system using the following goals:
- Preserve the existing customer's investment in Andover Continuum by re-using existing hardware and wiring whenever possible
- Partner with a FIPS PIV Card Issuance System
  o TAC has selected ImageWare PIV Middleware
- Utilize the newest/most capable hardware products to support FIPS:
  o Use the NetController II and the ACX Series
  o Replace readers with FIPS transitional readers
- Upgrade software components to support FIPS:
  o CyberStation workstation FIPS software revisions
  o AC-1 FIPS firmware (removes Degrade Mode functionality)

The Andover Continuum FIPS 201 solution can handle all of the necessary PACS data synchronization and access control decision making. With the release of CyberStation v1.9 and the latest controller software versions, the solution is complete to fully implement as the PACS component of a FIPS 201 site.

Note: Compatible FIPS 201 compliant card readers are required to read the PIV cards.


Features and Benefits


The FIPS support in Continuum v1.9 permits data to be synchronized between CyberStation and the
IDMS/PIV systems and also distributes FIPS compliant data to controllers for access control decisions. FIPS
compliant access control requires all NetController II, AC-1 and ACX Series controllers to be upgraded to
the latest FIPS compatible firmware.

Second/Transitional FIPS Card Support


Until CyberStation 1.81, only one credential could be assigned to a single personnel record. Since the
release of v1.81, a second credential (e.g. Prox or FIPS PIV card) could be assigned to each personnel
object but only the first credential data could be sent down and supported at the controller level. Now
with v1.9, data for both credentials can be downloaded to a controller that supports dual credentials. This
feature is useful for sites transitioning from one card access system to a FIPS-compliant system. Use of
dual credentials may be temporary or indefinite. Once a site is ready to solely use the second credential
(e.g. FIPS PIV card), a simple change can enforce that only the second credential is used to determine
personnel access.
Note: This feature may also be used at non-FIPS sites and does not require the FIPS option when used solely with non-FIPS credentials.

Personnel Import Utility (PIU) to PIV Middleware Data Synchronization


Import data from a FIPS approved Identity Management System (IDMS) / Personnel Identity Verification
(PIV) middleware system. The FIPS support in CyberStation v1.9 permits data to be synchronized between
Continuum and the IDMS/PIV systems.

Personnel Import Utility (PIU) Enhancements


The Personnel Import Utility launched in version 1.8 (which supported data import using LDAP) is enhanced to allow XML as a data source. TAC has included a standard XSLT transformation script that integrates with the PIV middleware from ImageWare Systems, TAC's preferred and tested PIV system for FIPS installations. The PIU synchronizes import and export of personnel data using XML. The PIU may exchange data with other systems that utilize XML by editing the XSLT transforms.
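The announcement describes the PIU as an XML import/export step driven by an XSLT transform but does not show the transform or the data it carries. The following is an added example, not TAC's code and not the PIU's actual XSLT: it parses a constructed PIV middleware export with Python's standard library (standing in for the XSLT mapping), rejects records that lack complete PIV data instead of importing them with blank fields, and works out which PACS personnel records must be added, updated or disabled. The element and attribute names, the identifiers, the dates and the FASC-N placeholders are all assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample of a PIV middleware (IDMS) export. The element and attribute
# names are assumptions for this example; the real ImageWare schema is not shown
# in the announcement, and the FASC-N values are placeholders, not real credentials.
IDMS_EXPORT = """<?xml version="1.0"?>
<personnel>
  <person id="1001" status="active">
    <firstName>Alice</firstName><lastName>Nguyen</lastName>
    <piv fascn="FASCN-PLACEHOLDER-0001" expires="2011-03-31"/>
  </person>
  <person id="1002" status="active">
    <firstName>Bob</firstName><lastName>Ortiz</lastName>
    <piv fascn="FASCN-PLACEHOLDER-0002" expires="2008-01-15"/>
  </person>
  <person id="1003" status="revoked">
    <firstName>Carol</firstName><lastName>Diaz</lastName>
    <piv fascn="FASCN-PLACEHOLDER-0003" expires="2012-06-30"/>
  </person>
  <person id="1004" status="active">
    <firstName>Dan</firstName><lastName>Lee</lastName>
  </person>
</personnel>
"""


def parse_idms_export(xml_text):
    """Map the export to PACS-ready records. Records without complete PIV data
    are returned separately as rejected rather than imported with blanks."""
    records, rejected = {}, {}
    for person in ET.fromstring(xml_text).findall("person"):
        pid = person.get("id")
        piv = person.find("piv")
        if piv is None or not piv.get("fascn") or not piv.get("expires"):
            rejected[pid] = "missing PIV data"
            continue
        records[pid] = {
            "name": f"{person.findtext('firstName')} {person.findtext('lastName')}",
            "fascn": piv.get("fascn"),
            "expires": date.fromisoformat(piv.get("expires")),
            "status": person.get("status"),
        }
    return records, rejected


def plan_sync(idms_records, rejected, pacs_records, today):
    """Decide per person what the PACS must do.

    pacs_records maps id -> (fascn, expires) for personnel objects already in the
    PACS. The IDMS is treated as the authoritative source: anyone it no longer
    lists is disabled, while anyone whose IDMS record was rejected is held for
    review rather than silently disabled or silently kept."""
    actions = {}
    for pid, rec in idms_records.items():
        if rec["status"] != "active" or rec["expires"] < today:
            actions[pid] = "disable" if pid in pacs_records else "skip"
        elif pid not in pacs_records:
            actions[pid] = "add"
        elif pacs_records[pid] != (rec["fascn"], rec["expires"]):
            actions[pid] = "update"
        else:
            actions[pid] = "unchanged"
    for pid in pacs_records:
        if pid in rejected:
            actions[pid] = "review"
        elif pid not in idms_records:
            actions[pid] = "disable"
    return actions


def demo():
    """Run the sync against a constructed snapshot of the PACS database."""
    records, rejected = parse_idms_export(IDMS_EXPORT)
    pacs = {
        "1001": ("FASCN-PLACEHOLDER-0001", date(2011, 3, 31)),
        "1003": ("FASCN-PLACEHOLDER-0003", date(2012, 6, 30)),
        "1005": ("FASCN-PLACEHOLDER-0005", date(2010, 1, 1)),
    }
    return plan_sync(records, rejected, pacs, today=date(2008, 10, 8)), rejected


if __name__ == "__main__":
    actions, rejected = demo()
    for pid, action in sorted(actions.items()):
        print(pid, action)
    print("rejected:", rejected)
```

The expiry check happens on the import side as well as at the controller: a card past its expiration date is never pushed to a controller, so the PACS does not depend on every reader firmware handling the expiration field.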

Additional Features included with the Andover Continuum Solution


The following features are not specified as required in FIPS 201 but are included in the Andover Continuum
solution and will complement your FIPS 201 configuration for a more comprehensive system.

10/100 Base-T Ethernet with IPsec/IKE Encryption


Communication with the NetController II and ACX Series controllers is not only fast (supporting data transfer rates up to 100 Mbps) but secure with IPsec/IKE protocols for Network Security. Encryption (up to 168-bit using Triple DES) and authentication may be enabled for communications to and from Andover Continuum workstations and controllers. Andover Continuum utilizes Internet Protocol Security (IPsec) and Internet Key Exchange Protocol (IKE) to assure tamper-proof communications over the Ethernet between IP controllers and workstations.

FIPS 140-2 Compliance


Although it is possible to have a site that is FIPS 201 compliant without FIPS 140-2 compliant access
controllers, many specifications also require FIPS 140-2 compliant access controllers. To address this
additional requirement, TAC is in the process of listing the Continuum Network Security Module that is in
the NetController II and ACX Series controllers. These will be certified as Level 2 FIPS 140-2.

Support for Area Lockdown


It is important to be able to contain potential threats when they are detected. The NetController II and
ACX Series controllers can respond to Area Lockdown commands set from Andover Continuum software
providing a quick method for sealing off areas. A simple click of a graphic or an automatic program
response is all that is needed to disable card readers and exit requests in any given area. First responder
personnel can still gain access to the area if their record is marked with executive privilege.

Condition Threat Level-based Access Rights


The NetController II and ACX Series controllers can adapt access rights to a change in condition or threat levels, as the U.S. Department of Homeland Security refers to them. Each personnel record can be assigned a clearance level for each area to which a person has access. When the condition is more severe than the person's clearance level, access is automatically denied. The condition level may be set manually through Continuum software or automatically through a program. A program can even be written to monitor national threat levels and adjust Andover Continuum Condition Levels accordingly. Although the U.S. government only calls for five condition levels of threat, Andover Continuum is capable of assigning up to 255 custom condition levels for local security needs.
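The three controller-side rules described in this section and the two before it (Second/Transitional dual credentials, Area Lockdown with executive privilege, and Condition Level versus per-area clearance) combine into one access decision. The block below is an added illustration of that decision logic, not TAC's firmware or any Continuum code: the record layout, the sample people, areas and card numbers are constructed, and the order of the checks (credential first, then lockdown, then condition level, with executive privilege bypassing only the lockdown) is an assumption, since the announcement does not state how the checks interact.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The announcement says Continuum supports up to 255 custom condition levels;
# that is the ceiling used here. A higher number means a more severe condition.
MAX_CONDITION_LEVEL = 255


@dataclass
class Person:
    name: str
    primary_credential: str                 # e.g. the existing Prox card
    second_credential: Optional[str]        # e.g. the FIPS PIV card, once issued
    clearance: Dict[str, int]               # area name -> clearance level
    executive_privilege: bool = False       # first-responder marker


@dataclass
class SiteState:
    condition_level: int = 1
    second_credential_only: bool = False    # set once the site cuts over to PIV only
    locked_down: Set[str] = field(default_factory=set)


def credential_accepted(person: Person, presented: str, state: SiteState) -> bool:
    """Dual-credential rule: either card identifies the person during the
    transition; after the cut-over only the second credential does."""
    if state.second_credential_only:
        return person.second_credential is not None and presented == person.second_credential
    return presented == person.primary_credential or presented == person.second_credential


def evaluate_access(person: Person, area: str, presented: str, state: SiteState) -> Tuple[bool, str]:
    """Return (granted, reason) for one card presentation at a reader in `area`."""
    if not 1 <= state.condition_level <= MAX_CONDITION_LEVEL:
        raise ValueError("condition level outside 1..255")
    if not credential_accepted(person, presented, state):
        return False, "credential not accepted"
    # Lockdown disables the area's readers except for executive-privilege holders.
    if area in state.locked_down and not person.executive_privilege:
        return False, "area locked down"
    # Condition level is compared against the per-area clearance. Assumption:
    # executive privilege does not bypass this check.
    clearance = person.clearance.get(area)
    if clearance is None:
        return False, "no clearance for area"
    if state.condition_level > clearance:
        return False, f"condition level {state.condition_level} exceeds clearance {clearance}"
    return True, "granted"


# Constructed sample records, not from the announcement.
ALICE = Person("Alice", "PROX-1001", "PIV-7001", {"Lobby": 5, "Server Room": 2})
BOB = Person("Bob", "PROX-1002", None, {"Lobby": 3}, executive_privilege=True)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk the site through a raised condition level, a lockdown and the PIV cut-over."""
    state = SiteState(condition_level=3)
    results = {
        "alice_lobby_prox": evaluate_access(ALICE, "Lobby", "PROX-1001", state),
        "alice_server_cond": evaluate_access(ALICE, "Server Room", "PIV-7001", state),
    }
    state.locked_down.add("Lobby")
    results["alice_lockdown"] = evaluate_access(ALICE, "Lobby", "PIV-7001", state)
    results["bob_lockdown_exec"] = evaluate_access(BOB, "Lobby", "PROX-1002", state)
    state.second_credential_only = True
    results["alice_prox_after_cutover"] = evaluate_access(ALICE, "Server Room", "PROX-1001", state)
    results["alice_piv_after_cutover"] = evaluate_access(ALICE, "Server Room", "PIV-7001", state)
    return results


if __name__ == "__main__":
    for case, (granted, reason) in demo().items():
        print(f"{case:28} {'GRANT' if granted else 'DENY '} {reason}")
```

Every denial carries a reason string so that the decision can be logged and audited; a controller that only reports "denied" makes it hard to tell a lockdown from a condition-level denial during an incident review.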


Business Opportunity
U.S. Government agencies are required to comply with HSPD-12 by installing physical and logical security
solutions throughout their sites that meet the FIPS 201 standard. Failure to comply with these mandates
could result in a drop of federal funding to that agency. Therefore, existing and prospective TAC
government customers should be approached during this deployment period. The Andover Continuum
system has a clear path for customers to get their site compliant with the new regulations.
At TAC, we believe that many of the v1.9 features can also be applied to less critical applications. So take
the opportunity to leverage these enhancements to a wide range of installations.

Technical & Market Opportunities


TAC is among the first companies to offer an HSPD-12/FIPS 201 solution. We believe that the Andover Continuum solution, which includes a partnership with ImageWare Systems for PIV middleware, is one of the best. The ImageWare product gives government agencies the flexibility to integrate with enterprise level Identity Management Systems (IDMS) including IBM Tivoli, customize the data entry workflow and business logic, and seamlessly exchange this data in a synchronized fashion with Continuum. Furthermore, ImageWare's Biometric Engine provides the most compatibility with biometric devices (e.g. fingerprint, iris, hand geometry, facial), making it possible to deploy the Andover Continuum solution while supporting the customer's full range of field devices.

The FIPS feature set should really be thought of as an elevated security feature set. TAC is already in discussions with airports interested in the advantages of the new Andover Continuum offering. We believe that other segments will also be attracted to our new capabilities. Perhaps they won't utilize the entire FIPS compliant package, but they are likely to employ a subset of the FIPS solution in new ways.


Andover Continuum Security Architecture


The architecture below includes the products that make up the Andover Continuum security system, some of which are part of the TAC FIPS 201 solution. Whereas the Pelco Digital Video Management System (DVMS) is not part of the FIPS 201 solution, it does natively integrate with CyberStation and complements the overall system for added security value.

Andover Continuum FIPS 201 Solution Products and Requirements


This section includes a summary of the components required (including add-on options) for TAC's FIPS 201 PACS solution.

The following table details the specific products and minimum product software versions required for FIPS 201 support (controllers should be upgraded to the latest revision):

Product                              Minimum Software Version
CyberStation*                        v1.9
ACX Series (Models 5720 & 5740)*     v1.1
NetController II (Model 9680)*       v2.1
AC-1 Module                          v25
AC-1A Module                         v25
AC-1 Plus Module                     v29

* CyberStation, the ACX Series, and the NetController II require add-on options for FIPS 201 functionality.

The next page summarizes the add-on options required for FIPS 201 support.


Add-On Option Requirements per Product:

CyberStation Software:
Required:
- FIPS option -F must be added to all CyberStation software keys/dongles. This option enables all fields and functionality required to support FIPS-PIV cards.
  o Enabling the -F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order -C separately.
- Data Exchange option -D must be added to at least one CyberStation software key/dongle for interoperability with the IDMS.
Not Valid:
- Once a site is fully converted to FIPS 201 operation, the Badging option -B can no longer be used. The FIPS 201 standard requires that all badging functionality is handled by the IDMS/PIV middleware.

ACX Series (Models 5720 & 5740) and NetController II (Model 9680):
Required:
- FIPS option -F must be added to all units. This option enables the controllers to support the personnel record's FIPS-PIV data required for access control validation.
  o Enabling the -F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order it separately.
  o Enabling the -F option also automatically enables the High Encryption option -H to assure tamper-proof communications over the Ethernet between IP controllers and workstations.

Complementary Third Party Components Required


IDMS/PIV middleware:
Highly Recommended:
- ImageWare Systems: TAC has partnered with ImageWare and has included CyberStation enhancements to the Personnel Import Utility (PIU) to include a standard XSLT transformation script that integrates with the PIV middleware from ImageWare.

Note: Other IDMS/PIV middleware applications (instead of the ImageWare IDMS) can be used with the Andover Continuum FIPS 201 solution.


Card/Credential Readers:
Required:
- FIPS 201 compliant readers compatible with Andover Continuum hardware products
  o Maximum bits supported:
    - ACX Series Access Controllers for Ethernet: 260 bits
    - NetController II (with AC-1, AC-1A, or AC-1 Plus): 240 bits
    - Note: Degrade mode (e.g. validation via site code only) does not work with FIPS-PIV cards.
- Take the following into consideration when planning your compliant system:
  o Order only FIPS approved devices.
    - Consult NIST web site for current list: http://www.fips201.com/
  o Readers that offer transitional support may be the best choice.
  o There is currently no test for access controllers and software.
  o There are different levels of assurance. Andover Continuum can be used to provide a solution for low and medium assurance applications.
    - Built-in Low-Assurance Formats:
      - Wiegand 75-bit
        o Agency + System + Credential + Expiration Date
      - Wiegand 200-bit
        o 200-bit FASC-N (No Expiration Date)
      - All other formats are considered a FIPS-PIV Custom Card format and must be specified by the user via the FIPS-PIV Custom Format System variable.
    - Custom Low-Assurance Format Examples:
      - 200-bit FASC-N with embedded expiration date
      - 245-bit FASC-N with appended expiration date
    - Custom Medium-Assurance Format Examples:
      - 200-bit FASC-N with embedded HMAC
      - 107-bit: 75-bit PIV + 32-bit HMAC
      - 32-bit HMAC + 200-bit FASC-N
Recommended:
- HID Transitional Readers
  o HID transitional readers support both 125 kHz Proximity and 13.56 MHz FIPS 201 compliant Smart Cards
  o Each reader comes standard to simultaneously read all card technologies.
  o Readers may be switched after transition to read only FIPS cards.
  o Reader mode is changed by recycling power and presenting a programming card.
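The format list above names the medium-assurance credential layouts and the per-controller bit limits but not how a controller would check a presented credential. The following is an added example, not TAC's firmware or any Continuum code: it verifies a credential in either of the two "HMAC beside payload" shapes listed (75-bit PIV + 32-bit HMAC, and 32-bit HMAC + 200-bit FASC-N), first checking the bit count against the controller maximums stated above (260 bits for the ACX Series, 240 for the NetController II). The MAC construction (HMAC-SHA256 truncated to the leading 32 bits, with the payload length bound into the message), the site key and the sample bit patterns are assumptions; the announcement does not say how the HMAC is computed, and the "embedded HMAC" variant is left out because the page does not give its layout.

```python
import hashlib
import hmac

# Maximum credential length each controller family accepts (from the announcement).
MAX_BITS = {"ACX Series": 260, "NetController II": 240}

# Medium-assurance layouts named in the announcement:
# layout name -> (payload bits, HMAC bits, where the HMAC sits).
LAYOUTS = {
    "75-bit PIV + 32-bit HMAC": (75, 32, "suffix"),
    "32-bit HMAC + 200-bit FASC-N": (200, 32, "prefix"),
}


def _bits_to_bytes(bits: str) -> bytes:
    """Pack a '0'/'1' string into bytes, left-padding to a byte boundary."""
    padded = bits.zfill((len(bits) + 7) // 8 * 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))


def site_mac(payload_bits: str, site_key: bytes, n_bits: int = 32) -> str:
    """Truncated HMAC over the payload, returned as a bit string.

    Assumed construction: HMAC-SHA256 keyed with the site key over the payload
    length (2 bytes) followed by the packed payload, keeping the leading n_bits.
    The announcement only says '32-bit HMAC'; the hash and framing are not given."""
    message = len(payload_bits).to_bytes(2, "big") + _bits_to_bytes(payload_bits)
    digest = hmac.new(site_key, message, hashlib.sha256).digest()
    return "".join(f"{byte:08b}" for byte in digest)[:n_bits]


def mint_credential(payload_bits: str, site_key: bytes, layout: str) -> str:
    """Build the bit stream a card in `layout` would present (issuer side;
    used here to construct test inputs)."""
    payload_len, mac_len, position = LAYOUTS[layout]
    if len(payload_bits) != payload_len or set(payload_bits) - {"0", "1"}:
        raise ValueError("payload does not fit layout")
    mac = site_mac(payload_bits, site_key, mac_len)
    return mac + payload_bits if position == "prefix" else payload_bits + mac


def verify_credential(bits: str, site_key: bytes, layout: str, controller: str):
    """Controller side. Returns (accepted, detail): the payload bits on success,
    otherwise the reason the read was rejected."""
    payload_len, mac_len, position = LAYOUTS[layout]
    limit = MAX_BITS[controller]
    if len(bits) > limit:
        return False, f"{len(bits)} bits exceeds {controller} maximum of {limit}"
    if len(bits) != payload_len + mac_len:
        return False, "length does not match layout"
    if position == "prefix":
        mac, payload = bits[:mac_len], bits[mac_len:]
    else:
        payload, mac = bits[:payload_len], bits[payload_len:]
    expected = site_mac(payload, site_key, mac_len)
    # Constant-time comparison so a wrong MAC takes the same time as a right one.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "HMAC mismatch (credential not issued under this site key)"
    return True, payload


if __name__ == "__main__":
    key = b"constructed-site-key"           # placeholder, not a real key
    card = mint_credential("10110" * 15, key, "75-bit PIV + 32-bit HMAC")
    print(len(card), verify_credential(card, key, "75-bit PIV + 32-bit HMAC", "NetController II"))
```

A 32-bit tag is what the announcement's formats carry, and it is what makes these "medium" rather than high assurance: it binds the card to the issuing site's key and stops a cloned or forged payload with no valid tag, but the controller still cannot check the card's certificate, which is why the page reserves Continuum for low and medium assurance areas.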


Ordering
In order to enable a site for FIPS 201 compatibility, TAC requires that certain procedures are followed and
the specified options are purchased. FIPS enabled products cannot be purchased through regular new
product ordering procedures. FIPS functionality is only available as separate add-on options and must be
ordered through the standard feature upgrade process.
FIPS add-on options are closely managed and require TAC management approval before
ordering. Please be sure to work with your local TAC sales representative for support through the sales
process and to facilitate approval before ordering.
For New Product Orders:
Follow the standard Andover Continuum ordering process for every option except the FIPS -F options. Specifically, exclude the FIPS -F, Critical Security -C (i.e. Condition Level), and High Encryption -H options. After product receipt, contact the Repair Department to order controller flash files and software dongle/key cookies to enable the FIPS options. The Repair Department representative will confirm TAC approval before processing the FIPS option(s) upgrade request.
Refer to the Ordering and FAQ sections of the TAC Product Announcements specified below for information
on how to order the following products. All of these documents are available in the Andover Continuum
Product section of TAC ExchangeOnline. From the ExchangeOnline Global website, navigate to: Product
Zone -> Andover Continuum -> Sales and select the desired document type from the menu on the left.

- CyberStation software
  o CyberStation and web.Client v1.9 Product Announcement: PA-C-CYBER-WEBC-V1_90-A4
  o CyberStation and web.Client v1.81 Product Announcement
  o CyberStation and web.Client v1.8 Product Announcement
  Note: web.Client is not part of the Andover Continuum FIPS 201 solution; it does not support FIPS features/functionality.
- NetController II
  o NetController II Product Announcement: PA-C-NETCONTROLLER-II-A4
  o NetController II Part Numbering Scheme Reference Sheet
  o Countries Approved for Product Release of the NetController II and ACX Series Reference: PA-NETC-II-ACX-EXPORT-COUNTRIES-A4
- ACX Series
  o ACX Series Access Controller for Ethernet Product Announcement: PA-C-ACX-A4
  o ACX Series Part Numbering Scheme Reference Sheet
  o Countries Approved for Product Release of the NetController II and ACX Series Reference: PA-NETC-II-ACX-EXPORT-COUNTRIES-A4

For Product Upgrades:


Existing sites and products can be upgraded for FIPS 201 compliance; however, note that only CyberStation software, the NetController II, the ACX Series (Models 5720 and 5740), and the AC-1 family of modules can be upgraded for FIPS 201 compliance. These are the only products in which the FIPS features have been implemented. All other Andover Continuum access control products are compatible in the security/BMS system, but do not adhere to the standard and may need to be replaced or removed in zones that need to be FIPS 201 compliant.

Existing access control products will need to be upgraded to enable the FIPS add-on options and to meet the minimum software versions specified in the table in the compatibility section below. Add-on options may be ordered through the standard feature upgrade process. Contact the Repair Department to order controller flash files and software dongle/key cookies for upgrades to enable the FIPS options. The Repair Department representative will confirm approval before processing the FIPS option(s) upgrade request.

Controller flash files for version upgrade are available free of charge from the ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum -> Software -> Continuum and select the desired product and version from the menu on the left. Note: This only includes new firmware versions and does not enable options required for FIPS support.

Compatibility
The following table summarizes the software and controller software versions required to support the FIPS 201 solution add-on functionality. All CyberStation workstations must be upgraded to the same version. Please make sure the site's operating systems, firmware and SQL servers are all compliant with the matrix below.

Andover Continuum Software and Firmware Compatibility Matrix for v1.9 (Last Updated: October 8th, 2008)

LAN Configuration
  CyberStation/web.Client Software Version: 1.9
  DB Server OS: Win Svr 2003 (SP1), Win Svr 2003 R2, MS Vista Business, MS Vista Ultimate
  SQL Version: MS SQL 2000 (up to SP4), MS SQL 2005 (1), Standard & Enterprise Editions
  CyberStation PC OS: Win XP Pro (SP3), MS Vista Business, MS Vista Ultimate, Win Svr 2003 (SP1), Win Svr 2003 R2; .NET v2.0 & .NET v3.0 (Video Only)

Single User Configuration
  SQL Version: MS SQL Express (SP4)
  CyberStation SU (Cyber / DB Server OS): Win XP Pro (SP3), MS Vista Business, MS Vista Ultimate, Win Svr 2003 (SP1), Win Svr 2003 R2; .NET v2.0 & .NET v3.0 (Video Only)

Compatible Firmware Versions
  ACX Series (5720/5740): 1.1
  NetController II: 2.1
  AC-1: 25
  AC-1A: 25
  AC-1 Plus: 29

(1) Only the Standard Edition of MS SQL 2005 is supported on MS Vista machines.

The complete Andover Continuum Software and Firmware Compatibility Matrix is posted on the TAC ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum -> Software -> Continuum Compatibility Matrix and download the PDF file.


How to Approach a FIPS 201 Project


The Andover Continuum FIPS 201 solution presents a great opportunity for new business as government agencies are mandated to adhere to the standard. However, as with any new standard (or protocol), it will require researching and learning the details to comply and meet customers' needs. FIPS 201 will not make customer sites more efficient or productive; it is costly and the defined procedures will slow them down. It will, however, make them more secure. Furthermore, not implementing a FIPS 201 compliant system could result in budget cuts for your customers.

Now with the release of v1.9, the Andover Continuum FIPS 201 solution is complete and fully available. However, projects must be approved to enable FIPS add-on options (required for compliance) on Continuum products. Ordering FIPS features is restricted and will only be possible with TAC approval. Work in conjunction with your local sales management to discuss and plan your approach for government customers.

TAC recommends the following steps and discussion points in your FIPS 201 sales process:
- Work with your TAC sales representative.
- Ask if there is a central office of the agency that is creating the specification and if you can meet with that group.
- Ask which areas need FIPS and at what level of assurance.
- Ask who will provide the PIV middleware software.
  o ImageWare is the preferred and TAC tested compatible solution; others could also work.
- Ask what their timeline is.
- Ask what their transition plan is.
- Ask who will purchase and print the badges.
- Use only FIPS approved devices.
  o Consult NIST web site for current list: http://www.fips201.com/


Federal Information Processing Standard (FIPS) 201 Solution FAQs


1. How do I find out more about FIPS 201?
The website http://www.fips201.com contains more information. You can specifically browse through the Resources section on the right.
Note: The products included on this site (e.g. cards, card readers) can be used to complement the Andover Continuum FIPS 201 solution. The Andover Continuum solution (e.g. controllers, software) only applies to the Physical Access Control System (PACS) portion of the overall FIPS defined process.

2. Is there any TAC material that can help me learn more about the TAC FIPS 201 Solution?
TAC created the U.S. Security Directive FIPS 201 - Compliance Strategies white paper to better help you understand the standard. It is available on the TAC website http://www.tac.com and can be found by clicking on the White Papers link and navigating down to the US Security Directive FIPS 201 link. Or, browse directly to this white paper by typing in the following direct link: http://www.tac.com/Content?contentId=document/24244&node=11105.

3. Is the Andover Continuum FIPS 201 solution certified?
Although the National Institute of Standards and Technology (NIST) certified certain FIPS 201 components, there is no FIPS 201 test or certification for a PACS system.

4. What is FIPS 140 (or FIPS 140-2)?
The Federal Information Processing Standard 140 (FIPS 140) is the U.S. government computer security standard that specifies requirements for cryptographic modules. It specifies the security requirements that need to be satisfied by a cryptographic module that is utilized within a security system protecting sensitive but unclassified information. FIPS 140-2 is for encryption only. In order to cover the full range of potential applications and environments in which cryptographic modules may be employed, four levels of security are defined: Levels 1-4.

5. Does FIPS 140-2 have a certification process?
Yes, FIPS 140-2 does have a certification. It is certified by NIST. There are different levels of 140-2 certification; our products are being tested for certification as a level 2 cryptographic module.
- Level 1 only tests encryption from a software point of view.
- Level 2 requires a level of physical protection. The encryption module should not be accessible and any physical tamper should be obvious.

6. Are the Andover Continuum products FIPS 140-2 certified?
TAC is in the process of listing the cryptographic module that is in the NetController II and ACX Series controllers. These will be certified as Level 2 FIPS 140-2.
The FIPS 140-2 certification process status can be found on the National Institute of Standards and Technology (NIST) website - Modules in Process at: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html.
- Click on the FIPS 140-1 and FIPS 140-2 Modules In Process List PDF link to see the table of products currently in process.
  o The status of the TAC submittal is under Module Name: Continuum Network Security Module, Vendor Name: TAC, LLC.
- The PDF itself can be found directly at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

7. Which software version of CyberStation supports the FIPS 201 solution?
CyberStation v1.9 (or greater) supports the full Andover Continuum FIPS 201 solution feature set implementation.

8. Is web.Client included as part of the FIPS 201 solution?
No, web.Client is not included as part of the FIPS 201 solution.

9. Which hardware products support the FIPS 201 solution?
The FIPS features are only supported by the following hardware products:
- ACX Series Access Controllers for Ethernet
- NetController II
- AC-1
- AC-1A
- AC-1 Plus

10. Are any special options required for FIPS-related functionality?
Yes, the FIPS features are paid add-on options on the CyberStation workstations and the controllers. The following summarizes the required and recommended add-on options.

CyberStation Software
Required:
- FIPS option -F must be added to all CyberStation software keys/dongles.
  o Enabling the -F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order it separately.
- Data Exchange option -D must be added to at least one CyberStation software key/dongle for interoperability with the IDMS.
Not Valid:
- Once a site is fully converted to FIPS 201 operation, the Badging option -B can no longer be used. The FIPS 201 standard requires that all badging functionality is handled by the IDMS/PIV middleware.

ACX Series (Models 5720 and 5740) and NetController II (Model 9680)
Required:
- FIPS option -F must be added to all units.
  o Enabling the -F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order it separately.
  o Enabling the -F option also automatically enables the High Encryption option -H to assure tamper-proof communications over the Ethernet between IP controllers and workstations.

11. Are there any specific controller firmware versions required for FIPS 201 support?
Yes, there are new firmware versions required to support features introduced over the last few revs.
In general, it is good practice to upgrade to the latest firmware versions for the best functionality.
Product                              v1.9 Compatible Firmware Version
NetController II (Model 9680)        v2.1
ACX Series (Models 5720 and 5740)    v1.1
AC-1 IOU Modules                     v25
AC-1A IOU Modules                    v25
AC-1 Plus IOU Module                 v29

Product version compatibility per CyberStation revision can be checked with the Compatibility Matrix
on the TAC ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum ->
Software -> Continuum Compatibility Matrix and download the PDF file.

12. Can I purchase a NetController II or ACX Series controller with FIPS support?
FIPS enabled products cannot be purchased through regular new product ordering procedures. FIPS functionality is only available as separate add-on options and must be ordered through the standard feature upgrade process. Please refer to the Ordering section on pages 10-11 for ordering instructions.
FIPS add-on options are closely managed and require TAC management approval before ordering. Please be sure to work with your local TAC sales representative for support through the sales process and to facilitate approval before ordering.

13. Can an existing (non-FIPS 201) site be upgraded to be FIPS 201 compliant?
Yes. Existing Andover Continuum systems can be upgraded to support FIPS 201. The following are
some of the steps that are required:
• CyberStation software will need to be upgraded to v1.9 (or greater).


• ACX Series, NetController II, AC-1, AC-1A, and AC-1 Plus units will need to be upgraded to the FIPS specific firmware files (see Question 10). The FIPS required options will need to be added as well (see Question 9).
  o If the existing hardware products are not the NetController II or the ACX Series, they will need to be replaced. Only the NetController II (with the family of AC-1 modules) and the ACX Series support the FIPS specific features.
• The existing cards and card readers will need to be replaced to support the FIPS-PIV format.
  o CyberStation v1.9's Second/Transitional Dual Card support feature will help during the transition period from one card format to the FIPS-PIV card.

14. What if the workstations (or controllers) at my site already have the -C Critical Security
and/or -H High Encryption options enabled? Do I need to pay for the full -F FIPS
option?
The upgrade process for FIPS options is like any other upgrade. The upgrade price is
determined as the difference between the current prices of the newly desired configuration and the
existing configuration per controller (or workstation). For example, if a NetController II already has the
-H High Encryption option enabled, the -F FIPS option upgrade price is the current -F option
price minus the current -H price for that controller.

15. Can the original NetController be upgraded to support FIPS 201 functionality?
No, the original NetController (i.e. CX9900, CX9940) cannot be upgraded to support the FIPS
functionality. These units will have to be replaced with NetController IIs. To ease the transition,
CyberStation does support upgrading the NetController up to a NetController II. From a Continuum
database perspective, you will be allowed a one-time model number change from your current
NetController up to the NetController II model number 9680. Note that this process cannot be
reversed.

16. Can the ACX 78x or the CX9702 be upgraded to support FIPS 201 functionality?
No, only the ACX Series, NetController II, and AC-1 family of modules support the FIPS functionality.

17. What happens if my workstations are FIPS (F) option enabled but not my controllers?
While the CyberStation software and Continuum database will support the FIPS specific data per
personnel record, this information will not be downloaded to the controller level. This means
your access controllers will not have the necessary credential data per personnel object and thus will
not support FIPS-PIV cards.

18. What happens if my controllers are FIPS (F) option enabled but not my workstations?
If the workstations are not FIPS (F) option enabled, the CyberStation personnel dialogs will not
support FIPS specific fields nor will the Continuum database support FIPS-PIV data.


19. Does the FIPS (F) option need to be enabled on all workstations and controllers?
FIPS compliance is system-wide; the FIPS (F) option must be added to all CyberStation workstations,
NetController IIs, and ACX Series controllers. As described in the previous two FAQs, failure to do so
results in lack of functionality and compliance.

20. What does it mean that degrade mode is not supported?
Degrade mode in the AC-1, AC-1A, and AC-1 Plus modules is access validation based on lesser
information, depending on how the system is configured (e.g. site code only), when communication to
the NetController has been lost. This violates the FIPS 201 standard. Therefore, this functionality
has been changed and degrade mode does not work with FIPS-PIV cards. The degrade
mode feature is still supported when using non-FIPS-PIV cards.

21. Is the High Encryption (H) option required to be FIPS 201 compliant?
Encryption is not specified by the FIPS 201 standard; however, it may be requested by a particular
customer site. FIPS 140 (which is a common requirement at FIPS sites) does require the High
Encryption (H) option for compliance.
Note: The High Encryption (H) option is automatically included when the FIPS option is enabled.

22. Do I have to use the ImageWare Systems IDMS/PIV middleware with the Andover
Continuum FIPS 201 solution?
TAC has selected ImageWare Systems' IDMS as its preferred PIV middleware solution; however, it
is not required for use with the Andover Continuum FIPS 201 solution. CyberStation's Personnel
Import Utility (PIU) can import data using XML or LDAP from other systems that support these
formats.
To ease integration with ImageWare Systems, TAC has tested and included a standard XSLT
transformation script that integrates with the PIV middleware from ImageWare Systems.

23. Do I have to add the Data Exchange (-D) option to my workstation if I am not using the
ImageWare Systems IDMS/PIV middleware?
Yes, the Data Exchange (-D) option is required to enable the Personnel Import Utility application to
import personnel information from any IDMS system. It is the only way to ensure tamper-proof
import of personnel data from an IDMS as required by FIPS 201. However, the Data Exchange (-D)
option is not required on all workstations; it is only required on the workstation(s) that
import personnel data into Continuum from the IDMS.
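As an added example (not TAC's code) that pulls together the rules from the ordering section and Questions 11, 13, 19 and 23, the following Python script audits a constructed site inventory for the required options, supported models and minimum firmware; the inventory field names, host names and sample values are assumptions.

```python
# Added example, not TAC's code: audit a constructed Andover Continuum inventory against
# the FIPS 201 option/firmware rules in this announcement; fields and data are assumptions.
FIPS_CONTROLLERS = {"9680": "2.1", "5720": "1.1", "5740": "1.1"}  # model -> min firmware
FIPS_IOU_MODULES = {"AC-1": 25, "AC-1A": 25, "AC-1 Plus": 29}     # module -> min firmware

def effective_options(options):
    """-F automatically brings -C (Critical Security) and -H (High Encryption)."""
    return set(options) | ({"C", "H"} if "F" in options else set())

def version_ok(have, need):
    """Numeric comparison of dotted version strings, so '2.10' is not below '2.1'."""
    return tuple(int(p) for p in have.split(".")) >= tuple(int(p) for p in need.split("."))

def audit_fips_site(workstations, controllers):
    """Return a list of findings; an empty list means the inventory meets the rules."""
    findings = []
    if not any("D" in w["options"] for w in workstations):
        findings.append("no workstation has -D (Data Exchange): personnel import from the IDMS is impossible")
    for w in workstations:
        if "F" not in w["options"]:
            findings.append(f"workstation {w['name']}: missing -F (FIPS option)")
        if "B" in w["options"]:
            findings.append(f"workstation {w['name']}: -B (Badging) is not valid on a FIPS 201 site")
    for c in controllers:
        need = FIPS_CONTROLLERS.get(c["model"])
        if need is None:  # e.g. CX9900/CX9940, ACX 78x, CX9702: no upgrade path, replace
            findings.append(f"controller {c['name']}: model {c['model']} cannot support FIPS, replace it")
            continue
        if "F" not in c["options"]:
            findings.append(f"controller {c['name']}: missing -F (FIPS option)")
        if not version_ok(c["firmware"], need):
            findings.append(f"controller {c['name']}: firmware v{c['firmware']} below required v{need}")
        for m in c.get("modules", []):
            need_m = FIPS_IOU_MODULES.get(m["type"])
            if need_m is None or m["firmware"] < need_m:
                findings.append(f"controller {c['name']}: module {m['type']} v{m['firmware']} not FIPS ready")
    return findings

# Constructed sample: a badging workstation, a lagging AC-1 module and a legacy controller.
SAMPLE_WORKSTATIONS = [{"name": "ws-ops", "options": {"F", "D"}},
                       {"name": "ws-lobby", "options": {"F", "B"}}]
SAMPLE_CONTROLLERS = [
    {"name": "nc2-east", "model": "9680", "options": {"F"}, "firmware": "2.1",
     "modules": [{"type": "AC-1 Plus", "firmware": 29}, {"type": "AC-1", "firmware": 24}]},
    {"name": "cx-old", "model": "CX9900", "options": set(), "firmware": "1.0", "modules": []},
]
if __name__ == "__main__":
    for finding in audit_fips_site(SAMPLE_WORKSTATIONS, SAMPLE_CONTROLLERS):
        print("FINDING:", finding)
```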

24. Does TAC offer Andover Continuum compatible, FIPS 201 compliant Card/Credential
Readers?
Yes, TAC Field Devices Division offers a range of FIPS 201 compliant products, including readers from
HID and Bioscrypt.

Copyright 2008, TAC


All brand names, trademarks and registered trademarks
are the property of their respective owners. Information
contained within this document is subject to change
without notice. All rights reserved.
PA-C-FIPS201-A4
2009 May 15

www.tac.com
