Information on new biometric augmented CAC requested from industry by DOD
A Request for Information for an effective and reliable biometric enterprise “to expand [The Pentagon Force Protection Agency’s (PFPA)] access control capabilities to include biometric authentication of tenants” using augmented existing common access cards (CAC) has been issued by PFPA’s Acquisition Directorate.
PFPA’s “mission is to provide force protection, security, and law enforcement operations as required for the people, facilities, infrastructure, and other resources at the Pentagon Reservation, and for Department of Defense [DOD] activities and DOD-occupied facilities not under the jurisdiction of a military department within the National Capital Region (NCR).”
The RFI explained that “PFPA is exploring capabilities to better manage and share incident and event information with DOD, federal, state, and local mission partner organizations within the NCR.” It describes PFPA’s existing Physical Access Control System (PACS) as “a heterogeneous mix” of AMAG Technology’s Symmetry (a unified security platform that encompasses intrusion management, access control, video management, identity management, visitor management, and incident and case management), Tyco Security Products’ Software House C-CURE ID badging solution, and IntelliSoft’s ICEWare (a commercial-off-the-shelf (COTS) credentialing management system) “as the unifying solution for managing tenant enrollment and privileging. Over 100,000 individuals are currently enrolled in PFPA’s identity management system, with fingerprint and iris biometrics captured as part of tenant enrollment in PFPA’s identity management system.”
According to the RFI, PFPA’s intent is to be “able to augment” existing CAC-only or CAC+PIN based access control authentication with CAC+Biometric or CAC+PIN+Biometric.
But PFPA’s “broader goal for biometric authentication is to largely deprecate the need for visual identification and matching of credential and cardholder by local guard forces, add higher surety for entry to select locations, and to enable future changes in guard force staffing depending on the threat environment,” the RFI explained, adding, “Among the principal PFPA requirements in a biometrics solution is multi-modal ‘your choice’ biometric authentication of both fingerprint and iris.”
The RFI tends to discount recent widespread speculation that the Pentagon is planning to ditch the CAC. As Biometric Update previously reported, DOD Chief Information Officer Dana Deasy denied that the CAC is going away anytime soon.
“From my standpoint, the CAC will remain the department’s principal authenticator for the foreseeable future,” especially since they’ve become a central element of DOD security, Deasy said in his opening keynote address at the 2018 Billington CyberSecurity Summit on the priorities of the CIO at DOD. “Most of you hear about identity and credential management at DOD, and what you think about is the common access card, CACs …”
Earlier this year, Army Col. Tom Clancy, the Identity Management and Public Key Infrastructure lead for the DOD’s CIO, also stated during a panel on the future of government identity that reports DOD will no longer use the common access card just weren’t true.
“Two years ago, the CIO kicked off an examination into the future of CAC,” Clancy said. “After that, we are actually planning on making the CAC better, and issuing additional authenticators to meet mission needs, but we are not getting rid of the CAC. There is no plan for that,” noting, “identity management has a role in all three of Secretary James Mattis’ priorities.”
On August 27, 2004, President George W. Bush issued Homeland Security Presidential Directive 12 (HSPD-12), which mandated new requirements for a common interoperable government credential that can be used for logical and physical access control.
In response to an industry source’s question as to whether PFPA would be “interested in a biometric only solution with no CAC/PIV contactless reader?” PFPA made clear that, “HSPD-12 makes the PIV the authoritative credential for physical access to federal facilities. However, the government may be interested in multi-modal biometric only in the future.”
“The government is open to other combinations of biometrics in support of the multi-modal requirement, such as fingerprint/facial, iris/facial, or finger/facial/iris,” the RFI said. However, “A consideration in the government’s future path is the maximum re-use of existing tenant photo and biometric captures as it would be a significant burden to re-capture a brand new biometric (e.g., hand vein) from the entire tenant population.”
According to Tyco, “This requirement also influenced similar smart card credentials for DOD and Airports, and Ports, to replace its legacy credentials with the newer smart cards,” and that, “The process of issuing and enrollment of these smart cards has driven tighter integration of enrollment and smart card authentication requirements with the physical access control systems.”
Tyco said, “There is also a move towards modernization of older legacy systems to more robust computing platforms and open system architecture for integration and interoperability with other sub-systems such as visitor management, IDS, CCTV, and building systems.”
But the challenge, the company opined, is the “common issues associated with government facilities which are often multi-site [with] disparate legacy PACS, authentication of employees, contractors, visitors, managing access levels and system integration.”
The RFI states “the … current desired requirements and salient characteristics for the government’s enterprise biometrics solution at a high level [to] support an enrolled tenant population of over 100,000 individuals,” a “CAC/PIV card read must be through ‘contactless’ read in accordance with FIPS201-2 standard,” and, “Support the following authentication modalities:”
• CAC/PIV card only (free read of the Cardholder Unique Identifier (CHUID), a digitally signed Federal Agency Smart Card Number (FASC-N), or of the Card Authentication Key);
• CAC/PIV card + PACS PIN;
• CAC/PIV + “your choice” multi-modal biometric;
• CAC/PIV + PACS PIN + “your choice” multi-modal biometric;
• Render a biometric validation in less than 1 second, preferably less than 500 ms;
• Integrate with IntelliSoft ICEWARE for receiving tenant cardholder data and biometric images; and
• Generate templates using standards based template generator.
Enterprise device management must be able to:
• Support distribution of biometrics templates to edge devices;
• Retrieve biometrics matching scores and system events and alerts from devices;
• Push authentication modality changes to a single device and/or group of devices; and
• Synchronize 100k cardholders to an edge device in less than 20 minutes.
Integrate with local PACS by:
• Integrating with both AMAG Symmetry (58-bit) and Software House C-CURE (200-bit) as PACS over Wiegand;
• Interpret and display feedback from the PACS panel, such as Access Granted or Access Denied;
• Theoretical extensibility to other PACS such as Lenel; and
• Support both indoor and outdoor (day and night) implementations. Outdoor systems should be ruggedized (rain, humidity, and temperature tolerant/resistant) for mid-Atlantic and Northeast seasonal extremes.
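The 200-bit Wiegand format named above for C-CURE is the full FASC-N carried on the CAC/PIV, and the FASC-N is also the key the article later says the edge device uses to link cached templates to a tenant. As an added example that is not code from the RFI or from any vendor named on the page, the following encoder/decoder assumes the FASC-N layout as published in the TIG SCEPACS guidance: 40 BCD characters of 4 data bits (LSB first) plus an odd-parity bit, start and end sentinels, field separators after the first five fields, and a trailing LRC. The 58-bit AMAG format is not modeled because the page gives no layout for it; the sample field values are constructed.

```python
"""FASC-N 200-bit encode/decode (added example; layout per TIG SCEPACS as assumed here).

A PACS panel or edge device that parses this stream should reject a frame on any
parity, LRC, sentinel or separator error rather than trust a partially decoded ID.
"""

# (field name, number of BCD digits), in transmission order
FIELDS = [
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1),
]
# A field separator follows each of the first five fields only.
SEPARATED = {"agency_code", "system_code", "credential_number",
             "credential_series", "individual_credential_issue"}
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel


def _char(nibble):
    """One 5-bit BCD character: 4 data bits LSB first, then an odd-parity bit."""
    bits = [(nibble >> i) & 1 for i in range(4)]
    bits.append(1 - (sum(bits) & 1))
    return "".join(str(b) for b in bits)


def encode_fascn(fields):
    """Return the 200-bit FASC-N bit string for a dict of decimal field strings."""
    nibbles = [SS]
    for name, width in FIELDS:
        value = str(fields[name]).zfill(width)
        if len(value) != width or not value.isdigit():
            raise ValueError(f"{name} must be {width} decimal digits")
        nibbles.extend(int(c) for c in value)
        if name in SEPARATED:
            nibbles.append(FS)
    nibbles.append(ES)
    lrc = 0
    for n in nibbles:  # LRC is the XOR of every preceding 4-bit value
        lrc ^= n
    nibbles.append(lrc)
    assert len(nibbles) == 40  # 40 characters x 5 bits = 200 bits
    return "".join(_char(n) for n in nibbles)


def decode_fascn(bits):
    """Parse a 200-bit string back into fields, rejecting any framing error."""
    if len(bits) != 200 or set(bits) - {"0", "1"}:
        raise ValueError("expected 200 bits")
    nibbles = []
    for i in range(0, 200, 5):
        ch = bits[i:i + 5]
        data = [int(c) for c in ch[:4]]
        if (sum(data) + int(ch[4])) % 2 == 0:
            raise ValueError(f"parity error at character {i // 5}")
        nibbles.append(sum(b << k for k, b in enumerate(data)))
    lrc = 0
    for n in nibbles[:-1]:
        lrc ^= n
    if lrc != nibbles[-1]:
        raise ValueError("LRC mismatch")
    if nibbles[0] != SS or nibbles[-2] != ES:
        raise ValueError("bad sentinel")
    body, pos, out = nibbles[1:-2], 0, {}
    for name, width in FIELDS:
        digits = body[pos:pos + width]
        if len(digits) != width or any(d > 9 for d in digits):
            raise ValueError(f"non-decimal digit in {name}")
        out[name] = "".join(str(d) for d in digits)
        pos += width
        if name in SEPARATED:
            if pos >= len(body) or body[pos] != FS:
                raise ValueError(f"missing separator after {name}")
            pos += 1
    if pos != len(body):
        raise ValueError("trailing data")
    return out


# Constructed sample values, not a real credential.
SAMPLE = {
    "agency_code": "0032", "system_code": "0001", "credential_number": "123456",
    "credential_series": "0", "individual_credential_issue": "1",
    "person_identifier": "1234567890", "organizational_category": "1",
    "organizational_identifier": "9700", "person_org_association": "1",
}

if __name__ == "__main__":
    stream = encode_fascn(SAMPLE)
    print(len(stream), "bits;", decode_fascn(stream) == SAMPLE)
```

A flipped bit anywhere in the stream fails either the character parity or the LRC, so the decoder raises instead of returning a mangled credential number to the panel.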
Meet applicable DOD IT/cybersecurity requirements:
• Achieve an Authority to Operate in accordance with the NIST 800-53 Risk Management Framework;
• Contain no “Category 1” software vulnerabilities;
• Achieve a Common Vulnerability Scoring System score of less than 2.5;
• Comply with relevant DISA Security Technology Implementation Guidelines and Security Requirements Guides;
• Encrypt Personally Identifiable Information (PII) data in-transit and at-rest; and
• On-premise deployment with no off-premise/cloud components.
PFPA said it currently uses an Innometriks-based ecosystem in support of this requirement, namely the Innometriks Rhino Reader and EdgeMatch device, along with Tascent Insight Duo or IrisID iCAM 7000 products. The concept of operations is that the IntelliSoft software captures and sends biometric reference images to an enterprise biometrics server, which then generates ANSI/NIST-ITL 1-2007 compliant templates and distributes the reference templates to the Innometriks EdgeMatch device. The EdgeMatch device, located locally on the secure side of the access control point or suite, locally caches the biometric fingerprint and iris templates for each tenant, with the templates linked to the tenant by their FASC-N/CHUID.
But, “No biometric data is stored on any device on the unsecured side of the access control point or suite.”
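The concept of operations above (templates pushed to an edge device on the secure side, keyed by FASC-N, with the reader switchable between CAC, CAC+PIN, CAC+biometric and CAC+PIN+biometric, and “your choice” meaning a tenant may present either enrolled biometric) can be written down as a small decision model. The following is an added example, not PFPA’s, Innometriks’ or any vendor’s code: the tenant records, PIN digests, reference templates and the toy similarity function are all constructed, the match thresholds are assumed rather than taken from the RFI, and CHUID signature verification is not modeled. It also covers the failure-to-enroll case the Acquisition Directorate describes, where a tenant who cannot use fingerprint is enrolled with iris only.

```python
"""Edge-device access decision model (added example; all data constructed)."""
import hashlib
import hmac
import time
from dataclasses import dataclass

MODALITIES = ("CAC", "CAC+PIN", "CAC+BIO", "CAC+PIN+BIO")
THRESHOLDS = {"fingerprint": 0.80, "iris": 0.90}  # assumed, not from the RFI
BUDGET_MS = 500  # the RFI's preferred validation time


def pin_digest(pin, salt):
    """PACS PIN is held as a salted PBKDF2 digest, never in the clear on the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000).hex()


@dataclass
class Tenant:
    fascn: str          # key the enterprise server uses to link templates to a tenant
    salt: bytes
    pin: str            # digest from pin_digest()
    templates: dict     # modality -> reference template (constructed: a 0/1 string)


def similarity(sample, template):
    """Toy matcher: fraction of agreeing positions. Real matching is a vendor SDK."""
    if len(sample) != len(template):
        return 0.0
    return sum(a == b for a, b in zip(sample, template)) / len(template)


class EdgeMatch:
    """Secure-side cache plus decision logic; the unsecured-side reader holds nothing."""

    def __init__(self, modality="CAC"):
        self.cache, self.events = {}, []
        self.set_modality(modality)

    def set_modality(self, modality):  # pushed from enterprise device management
        if modality not in MODALITIES:
            raise ValueError(modality)
        self.modality = modality
        self.events.append(("modality", modality))

    def sync(self, tenants):  # template distribution from the enterprise server
        self.cache = {t.fascn: t for t in tenants}
        self.events.append(("sync", len(self.cache)))

    def decide(self, fascn, pin=None, sample=None):
        start = time.perf_counter()
        verdict = self._evaluate(fascn, pin, sample)
        verdict["elapsed_ms"] = (time.perf_counter() - start) * 1000
        verdict["within_budget"] = verdict["elapsed_ms"] < BUDGET_MS
        self.events.append(("decision", fascn, verdict["granted"], verdict["reason"]))
        return verdict

    def _evaluate(self, fascn, pin, sample):
        deny = lambda why: {"granted": False, "reason": why, "modality": None, "score": None}
        tenant = self.cache.get(fascn)
        if tenant is None:
            return deny("unknown credential")
        if "PIN" in self.modality:
            if pin is None or not hmac.compare_digest(pin_digest(pin, tenant.salt), tenant.pin):
                return deny("pin mismatch")
        if "BIO" in self.modality:
            if sample is None:
                return deny("no biometric presented")
            kind, data = sample  # "your choice": tenant presents either enrolled modality
            if kind not in tenant.templates:
                return deny(f"{kind} not enrolled")
            score = similarity(data, tenant.templates[kind])
            if score < THRESHOLDS[kind]:
                return deny(f"{kind} score {score:.2f} below threshold")
            return {"granted": True, "reason": "ok", "modality": kind, "score": score}
        return {"granted": True, "reason": "ok", "modality": "CAC", "score": None}


def build_demo_device():
    """Constructed population: one tenant with both modalities, one iris-only."""
    fp, iris = "1100101011010011", "0011011100101101"
    both = Tenant("A-0001", b"salt-a", pin_digest("1234", b"salt-a"),
                  {"fingerprint": fp, "iris": iris})
    iris_only = Tenant("B-0002", b"salt-b", pin_digest("9876", b"salt-b"), {"iris": iris})
    device = EdgeMatch("CAC+PIN+BIO")
    device.sync([both, iris_only])
    return device, fp, iris


if __name__ == "__main__":
    dev, fp, iris = build_demo_device()
    print(dev.decide("A-0001", "1234", ("fingerprint", fp)))
    print(dev.decide("B-0002", "9876", ("fingerprint", fp)))
    print(dev.decide("B-0002", "9876", ("iris", iris)))
```

The events list is what enterprise device management would retrieve as scores and alerts; switching `set_modality` to `"CAC"` makes the same device a plain contactless reader without touching the cached templates.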
In response to another industry source’s question, “Why ‘your choice’ multi-modal biometrics? Why not use a single biometric factor?” PFPA’s Acquisition Directorate responded, saying the “government is not presently considering a single biometric factor solution as a viable approach to biometrics at our scale. Previous empirical testing has found that a non-trivial portion of the population, between 5 percent to 10 percent, is unable to reliably and consistently use a single mode of biometric authentication (i.e., fingerprint only). The ability to use more than one biometric (fingerprint or iris) significantly reduces the percent of tenants that could potentially be affected in these cases. Additionally, offering multi-modal biometric authentication affords tenants the ability to use the biometric they are most comfortable with, as well as better accommodate any individual’s specific disability that may impair use of a particular biometric.”
“While operational workarounds (such as a guard force member bringing over an iris reader if a tenant is unable to authenticate via fingerprint) are possible,” PFPA’s Acquisition Directorate noted, adding, “we don’t believe this to be viable for achieving biometric entry at scale (dozens of entry portals across three states and DC), particularly where hardened entrances without a guard force are a conceived use case/goal.”
The Acquisition Directorate did say, though, that “the government would be interested in knowing of large-scale use of single factor PACS.”
PFPA’s RFI was issued “solely for information and planning purposes – it does not constitute a Request for Proposal (RFP), or a promise to issue an RFP in the future … and will not accept unsolicited proposals.”
“Any solicitation resulting from the analysis of information obtained will be announced to the public in Federal Business Opportunities in accordance with the FAR Part 5,” the RFI stated, noting, “However, responses to this notice will not be considered adequate responses to a solicitation. It is the responsibility of the potential offerors to monitor these sites for additional information pertaining to this requirement.”