Product Announcement: Federal Information Processing Standard (FIPS) 201 Solution
TAC is proud to announce its solution for the U.S. Government Federal Information Processing Standard:
and options for the FIPS 201 ready NetController II, AC-1

Literature
- CyberStation Installation Guide, P/N: 30-3001-720

Resource List
- White Paper: US Security Directive FIPS 201 Compliance Strategies, P/N: WP-C-SEC-FIPS201-A4
- Feature Blast: Federal Information Processing Standard (FIPS) Solution, P/N: FB-C-FIPS201-A4
- Feature Blast: NetController II, P/N: FB-C-NETCONTROLLER-II-A4
- Feature Blast: NetController II v2.1, P/N: FB-C-NETC-II-v2_1-A4
- Feature Blast: ACX Series Access Controller for Ethernet, P/N: FB-C-ACX-A4
- Feature Blast: ACX Series v1.1, P/N: FB-C-ACX-v1_1-A4
- Is issued only by providers whose reliability has been established by an official accreditation process
The Secretary of Commerce directed the National Institute of Standards and Technology (NIST) to develop a new standard. NIST released FIPS 201 on February 25th, 2005, and has released 12 supporting standards to date. FIPS 201 was created to answer Homeland Security Presidential Directive HSPD-12, which charged all federal agencies to utilize a secure, standardized single-credential Personal Identity Verification (PIV) system for both logical security (PC log on) and physical security (access control). FIPS 201 addresses PIV systems at the issuance and reader level.
PA-C-FIPS201-A4
1. A new PIV Card Issuance system needs to be selected and added to the site which would interact with the PACS.
2. The site needs to change its cards and card readers to accept the new card format.
3. The controllers connected to these card readers need to be upgraded (or changed) for compatibility with the new card readers.
4. The access control system (including database) implementation needs to change to include the new additional data required by FIPS PIV cards.
Physical access requests made by PIV card credentials are read by readers designed to handle the FIPS
PIV cards and are passed to the access control system. The access control system must be able to make
access control decisions using the FIPS data passed to it by the PIV reader.
- Preserve the existing customer's investment in Andover Continuum by re-using existing hardware and wiring whenever possible
The Andover Continuum FIPS 201 solution can handle all of the necessary PACS data synchronization and access control decision making. With the release of CyberStation v1.9 and the latest controller software versions, the solution is complete enough to be fully implemented as the PACS component of a FIPS 201 site.
Note: Compatible FIPS 201 compliant card readers are required to read the PIV cards.
This feature may also be used at non-FIPS sites and does not require the FIPS option when used
solely with non-FIPS credentials.
Internet Key Exchange Protocol (IKE) to assure tamper-proof communications over the Ethernet between
IP controllers and workstations.
Business Opportunity
U.S. Government agencies are required to comply with HSPD-12 by installing physical and logical security
solutions throughout their sites that meet the FIPS 201 standard. Failure to comply with these mandates
could result in a drop of federal funding to that agency. Therefore, existing and prospective TAC
government customers should be approached during this deployment period. The Andover Continuum
system has a clear path for customers to get their site compliant with the new regulations.
At TAC, we believe that many of the v1.9 features can also be applied to less critical applications. So take
the opportunity to leverage these enhancements to a wide range of installations.
Minimum version table (product column lost in extraction); versions listed: v1.9, v1.1, v2.1, v25, v25, v29.
* CyberStation, the ACX Series, and the NetController II require add-on options for FIPS 201 functionality.
The next page summarizes the add-on options required for FIPS 201 support.
Not Valid:
Once a site is fully converted to FIPS 201 operation, the Badging option -B can no longer be used. The FIPS 201 standard requires that all badging functionality is handled by the IDMS/PIV middleware.
ACX Series (Models 5720 & 5740) and NetController II (Model 9680):
Required:
ImageWare Systems: TAC has partnered with ImageWare and has included CyberStation
enhancements to the Personnel Import Utility (PIU) to include a standard XSLT
transformation script that integrates with the PIV middleware from ImageWare.
Note:
Other IDMS/PIV middleware applications (instead of the ImageWare IDMS) can be used
with the Andover Continuum FIPS 201 solution.
Card/Credential Readers:
Required:
- FIPS 201 compliant readers compatible with Andover Continuum hardware products
  - Note: Degrade mode (e.g. validation via site code only) does not work with FIPS-PIV cards.
Take the following into consideration when planning your compliant system:
- There are different levels of assurance. Andover Continuum can be used to provide a solution for low and medium assurance applications.
- Wiegand 75-bit
- Wiegand 200-bit
Recommended:
- HID transitional readers support both 125 kHz Proximity and 13.56 MHz FIPS 201 compliant Smart Cards
Ordering
In order to enable a site for FIPS 201 compatibility, TAC requires that certain procedures are followed and
the specified options are purchased. FIPS enabled products cannot be purchased through regular new
product ordering procedures. FIPS functionality is only available as separate add-on options and must be
ordered through the standard feature upgrade process.
FIPS add-on options are closely managed and require TAC management approval before
ordering. Please be sure to work with your local TAC sales representative for support through the sales
process and to facilitate approval before ordering.
For New Product Orders:
Follow the standard Andover Continuum ordering process for every option except the FIPS -F options. Specifically, exclude the FIPS -F, Critical Security -C (i.e. Condition Level), and High Encryption -H options. After product receipt, contact the Repair Department to order controller flash files and software dongle/key cookies to enable the FIPS options. The Repair Department representative will confirm TAC approval before processing the FIPS option(s) upgrade request.
Refer to the Ordering and FAQ sections of the TAC Product Announcements specified below for information
on how to order the following products. All of these documents are available in the Andover Continuum
Product section of TAC ExchangeOnline. From the ExchangeOnline Global website, navigate to: Product
Zone -> Andover Continuum -> Sales and select the desired document type from the menu on the left.
- CyberStation software
  - Note: web.Client is not part of the Andover Continuum FIPS 201 solution; it does not support FIPS features/functionality.
- NetController II
  - Countries Approved for Product Release of the NetController II and ACX Series Reference: PA-NETC-II-ACX-EXPORT-COUNTRIES-A4
- ACX Series
  - Countries Approved for Product Release of the NetController II and ACX Series Reference: PA-NETC-II-ACX-EXPORT-COUNTRIES-A4
features have been implemented. All other Andover Continuum access control products are compatible in
the security/BMS system, but do not adhere to the standard and may need to be replaced or removed in
zones that need to be FIPS 201 compliant.
Existing access control products will need to be upgraded to enable the FIPS add-on options and to meet
the minimum software versions specified in the table in the compatibility section below. Add-on options
may be ordered through the standard feature upgrade process. Contact the Repair Department to order
controller flash files and software dongle/key cookies for upgrades to enable the FIPS options. The Repair
Department representative will confirm approval before processing the FIPS option(s) upgrade request.
Controller flash files for version upgrade are available free of charge from the ExchangeOnline Global
website. Navigate to: Product Zone -> Andover Continuum -> Software -> Continuum and select
the desired product and version from the menu on the left. Note: This only includes new firmware
versions and does not enable options required for FIPS support.
Compatibility
The following table summarizes the workstation software and controller software versions required to support the FIPS 201 solution add-on functionality. All CyberStation workstations must be upgraded to the same version. Please make sure the site's operating systems, firmware and SQL servers are all compliant with the matrix below.
Compatibility table (product rows lost in extraction). Columns: LAN Configuration (DB Server OS, SQL Version, CyberStation PC OS); Single User Configuration (SQL Version, CyberStation SU (Cyber / DB Server OS)). Version values listed: 1.1, 2.1, 25, 25, 29.
The complete Andover Continuum Software and Firmware Compatibility Matrix is posted on the TAC
ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum -> Software ->
Continuum Compatibility Matrix and download the PDF file.
Ask if there is a central office of the agency that is creating the specification and if you can meet
with that group.
ImageWare is the preferred and TAC tested compatible solution; others could also work.
Level 2 requires a level of protection physically. The encryption module should not be
accessible and any physical tamper should be obvious.
The FIPS 140-2 certification process status can be found on the National Institute of Standards and Technology (NIST) website, Modules in Process, at: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html.
- Click on the FIPS 140-1 and FIPS 140-2 Modules In Process List PDF link to see the table of products currently in process.
  - The status of the TAC submittal is under Module Name: Continuum Network Security Module, Vendor Name: TAC, LLC.
AC-1 Plus
Not Valid:
Once a site is fully converted to FIPS 201 operation, the Badging option -B can no
longer be used. The FIPS 201 standard requires that all badging functionality is handled
by the IDMS/PIV middleware.
ACX Series (Models 5720 and 5740) and NetController II (Model 9680)
Required:
FIPS option F must be added to all units.
11. Are there any specific controller firmware versions required for FIPS 201 support?
Yes, there are new firmware versions required to support features introduced over the last few revs.
In general, it is good practice to upgrade to the latest firmware versions for the best functionality.
Product version table (product column lost in extraction); versions listed: v2.1, v1.1, v25, v25, v29.
Product version compatibility per CyberStation revision can be checked with the Compatibility Matrix
on the TAC ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum ->
Software -> Continuum Compatibility Matrix and download the PDF file.
12. Can I purchase a NetController II or ACX Series controller with FIPS support?
FIPS enabled products cannot be purchased through regular new product ordering procedures. FIPS functionality is only available as separate add-on options and must be ordered through the standard feature upgrade process. Please refer to the Ordering section on pages 10-11 for ordering instructions.
FIPS add-on options are closely managed and require TAC management approval before ordering.
Please be sure to work with your local TAC sales representative for support through the sales process
and to facilitate approval before ordering.
13. Can an existing (non-FIPS 201) site be upgraded to be FIPS 201 compliant?
Yes. Existing Andover Continuum systems can be upgraded to support FIPS 201. The following are
some of the steps that are required:
- ACX Series, NetController II, AC-1, AC-1A, and AC-1 Plus units will need to be upgraded to the FIPS specific firmware files (see Question 10). The FIPS required options will need to be added as well (see Question 9).
  - If the existing hardware products are not the NetController II or the ACX Series, they will need to be replaced. Only the NetController II (with the family of AC-1 modules) and the ACX Series support the FIPS specific features.
- The existing cards and card readers will need to be replaced to support the FIPS-PIV format.
  - CyberStation v1.9's Second/Transitional Dual Card support feature will help during the transition period from one card format to the FIPS-PIV card.
14. What if the workstations (or controllers) at my site already have the -C Critical Security and/or -H High Encryption options enabled? Do I need to pay for the full -F FIPS option?
The upgrade process for FIPS options is like any other upgrade. The upgrade price is determined as the difference between the current price of the newly desired configuration and the current price of the existing configuration, per controller (or workstation). For example, if a NetController II already has the -H High Encryption option enabled, the -F FIPS option upgrade price is the current -F option price minus the current -H price for that controller.
15. Can the original NetController be upgraded to support FIPS 201 functionality?
No, the original NetController (i.e. CX9900, CX9940) cannot be upgraded to support the FIPS
functionality. These units will have to be replaced with NetController IIs. To ease the transition,
CyberStation does support upgrading the NetController up to a NetController II. From a Continuum
database perspective, you will be allowed a one-time model number change from your current
NetController up to the NetController II model number 9680. Note that this process cannot be
reversed.
16. Can the ACX 78x or the CX9702 be upgraded to support FIPS 201 functionality?
No, only the ACX Series, NetController II, and AC-1 family of modules support the FIPS functionality.
17. What happens if my workstations are FIPS (F) option enabled but not my controllers?
Although the CyberStation software and Continuum database will support the FIPS specific data per personnel record, this information will not be downloaded to the controller level. This means your access controllers will not have the necessary credential data per personnel object and thus will not support FIPS-PIV cards.
18. What happens if my controllers are FIPS (F) option enabled but not my workstations?
If the workstations are not FIPS (F) option enabled, the CyberStation personnel dialogs will not
support FIPS specific fields nor will the Continuum database support FIPS-PIV data.
19. Does the FIPS (F) option need to be enabled on all workstations and controllers?
FIPS compliance is system-wide; the FIPS (F) option must be added to all CyberStation workstations,
NetController IIs, and ACX Series controllers. As described in the previous two FAQs, failure to do so
results in lack of functionality and compliance.
20. What does it mean that degrade mode is not supported?
Degrade mode in the AC-1, AC-1A, and AC-1 Plus modules is access validation based on lesser information, depending on how the system is configured (e.g. site code only), when communication to the NetController has been lost. This violates the FIPS 201 standard. Therefore, this functionality has been changed, and degrade mode does not work with FIPS-PIV cards. The degrade mode feature is still supported when using non-FIPS-PIV cards.
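The decision split described in this answer (full validation while the controller link is up; site-code-only degrade permitted for legacy cards but refused for FIPS-PIV cards once the link is lost) is easier to reason about as a small model. The following is an added example written for this page and is not Continuum firmware or TAC code; the DoorModule, Credential and CardFormat names, the personnel list and the card numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class CardFormat(Enum):
    """Credential formats seen at a door module (constructed for this example)."""
    LEGACY_PROX = "legacy-prox"   # e.g. 125 kHz proximity card carrying a site code
    FIPS_PIV = "fips-piv"         # FIPS 201 PIV card


@dataclass(frozen=True)
class Credential:
    fmt: CardFormat
    site_code: int
    card_number: int


@dataclass
class DoorModule:
    """Hypothetical model of a door module hanging off a controller.

    While the controller link is up, every read is validated against the
    controller's personnel list. When the link is down the module may fall
    into degrade mode; this policy permits that only for non-PIV cards.
    """
    site_code: int                      # site code the module is configured for
    degrade_enabled: bool               # site chose to allow site-code-only validation
    controller_online: bool = True
    # constructed personnel list held by the controller: (site_code, card_number)
    controller_personnel: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # every decision, for later review

    def _log(self, cred: Credential, granted: bool, reason: str) -> tuple:
        self.audit.append((cred.fmt.value, cred.card_number, granted, reason))
        return granted, reason

    def decide(self, cred: Credential) -> tuple:
        if self.controller_online:
            # Normal path: full credential lookup at the controller.
            if (cred.site_code, cred.card_number) in self.controller_personnel:
                return self._log(cred, True, "granted: controller validated credential")
            return self._log(cred, False, "denied: credential not in controller personnel")

        # Controller link is down: this is where degrade mode would apply.
        if cred.fmt is CardFormat.FIPS_PIV:
            # Site-code-only validation is not an acceptable check for a PIV
            # credential, so the read is refused rather than degraded.
            return self._log(cred, False, "denied: degrade mode not applied to FIPS-PIV cards")
        if self.degrade_enabled and cred.site_code == self.site_code:
            return self._log(cred, True, "granted: degrade mode (site code only)")
        return self._log(cred, False, "denied: controller offline, degrade not applicable")


def demo() -> list:
    """Run the cases a planner cares about and return the decisions in order."""
    personnel = {(1001, 42), (1001, 7)}       # constructed sample data
    module = DoorModule(site_code=1001, degrade_enabled=True,
                        controller_personnel=personnel)
    piv = Credential(CardFormat.FIPS_PIV, 1001, 42)
    prox = Credential(CardFormat.LEGACY_PROX, 1001, 7)
    foreign = Credential(CardFormat.LEGACY_PROX, 2002, 7)

    results = [module.decide(piv), module.decide(prox)]       # link up
    module.controller_online = False                           # link lost
    results += [module.decide(piv), module.decide(prox), module.decide(foreign)]
    return results


if __name__ == "__main__":
    for granted, reason in demo():
        print("GRANT" if granted else "DENY ", reason)
```

Running the script shows both cards granted while the link is up, then only the legacy proximity card with a matching site code granted after the link drops; the PIV card is refused outright rather than silently downgraded, and the refusal reason is recorded in the module's audit list so the loss of full validation is visible during review.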
21. Is the High Encryption (H) option required to be FIPS 201 compliant?
Encryption is not specified for the FIPS 201 standard, however, it may be requested by a particular
customer site. FIPS 140 (which is a common requirement at FIPS sites) does require the High
Encryption (H) option for compliance.
Note: The High Encryption (H) option is automatically included when the FIPS option is enabled.
22. Do I have to use the ImageWare Systems IDMS/PIV middleware with the Andover Continuum FIPS 201 solution?
TAC has selected ImageWare Systems IDMS as its preferred PIV middleware solution; however, it is not required for use with the Andover Continuum FIPS 201 solution. CyberStation's Personnel Import Utility (PIU) can import data using XML or LDAP from other systems that support these formats.
To ease integration with ImageWare Systems, TAC has tested and included a standard XSLT
transformation script that integrates with the PIV middleware from ImageWare Systems.
23. Do I have to add-on the Data Exchange (-D) option to my workstation if I am not using the
ImageWare Systems IDMS/PIV middleware?
Yes, the Data Exchange (-D) option is required to enable the Personnel Import Utility application to
import personnel information from any IDMS system. It is the only way to ensure tamper-proof
import of personnel data from an IDMS as required by FIPS 201. However, the Data Exchange (-D)
option is not required on all workstations; it is only required on the workstation(s) which are
importing personnel data into Continuum from the IDMS.
24. Does TAC offer Andover Continuum compatible, FIPS 201 compliant Card/Credential Readers?
Yes, the TAC Field Devices Division offers a range of FIPS 201 compliant products, including readers from HID and Bioscript.
www.tac.com