XceedID FIPS 201 PIV II GSA Smart Card Readers
XceedID FIPS 201 Readers Overview
XceedID’s industry-leading line of Multi-Technology card readers has been approved by the U.S. Government under HSPD-12 for FIPS 201 compliance as PIV Transparent Readers. PIV compliance is now available in six reader models including mullion-mount (XF1100), wall mount (XF1500), midrange (XF2100 & XF2200), and midrange with keypad (XF2110 & XF2210).
XceedID Multi-Technology readers are a unique and critical component of successful security upgrades in all sectors of the government. FIPS 201 is a Federal Information Processing Standard ("FIPS") developed by the National Institute of Standards and Technology ("NIST") to satisfy the requirements of HSPD-12, a Homeland Security Presidential Directive. One of the main objectives of HSPD-12 is to ensure government-wide interoperability for information technology and security through the implementation of a range of federal standards and product requirements. FIPS 201 seeks to improve identification and authentication of Federal employees and contractors for access to Federal facilities and information systems.
XceedID FIPS 201 PIV compliant readers are available in more PIV formats than just the 75-bit and 200-bit formats. XceedID offers 14 PIV formats. Please contact XceedID for more information.
In addition to reading approved FIPS 201 PIV II credentials, XceedID Multi-Technology readers are also compatible with many standard proximity and leading smart card technologies (see specifications). The ability to read multiple existing card types and PIV II cards simultaneously is a tremendous benefit to those agencies looking to transition seamlessly from older proximity technologies to new, mandated PIV II credentials. A mixed population of old prox credentials and new PIV II credentials is unavoidable during the government's multi-year upgrade path to FIPS 201 compliance.
Download the XceedID FIPS 201/PIV II readers product data sheet (PDF).
Recommended FIPS 201 Readers
Because of the limited RF performance of PIV cards, XceedID recommends using the XF2100-PIV Mid-range or XF2110-PIV keypad readers.
The approval of XceedID FIPS 201 readers under the FIPS 201 federal specification indicates that XceedID readers have passed compliance testing for compatibility with the new Personal Identity Verification (“PIV II”) credentials mandated for issuance to all federal employees by 2008. Several card manufacturers have been approved as suppliers of FIPS201 compliant PIV credentials; the physical access control function of these approved cards has been verified with XceedID readers.
However, it is the responsibility of each end customer or agency to validate and verify actual performance of the specific credentials on XceedID readers.
XceedID FIPS 201 Reader GSA Listing
The official GSA listing for the XceedID PIV Multi-Technology readers can be found on the GSA Approved Products List (“GSA APL”). The readers are listed as items 88, 89, 90, 469, 471 and 472. Additionally, XceedID PIV technology products will be listed separately for various OEM private label agreements. Make sure that any product purchased is on the official GSA Approved Products List.
What is FIPS 201 PIV II?
FIPS 201 is a Federal Information Processing Standard (“FIPS”) developed by the National Institute of Standards and Technology (“NIST”) to satisfy the requirements of HSPD-12, a Homeland Security Presidential Directive. One of the main objectives of HSPD-12 is to ensure government-wide interoperability for information technology and security through the implementation of a range of federal standards and product requirements. FIPS 201 seeks to improve identification and authentication of Federal employees and contractors for access to Federal facilities and information systems.
Personal security has become a serious issue for our nation and its people, particularly for the individuals and agencies that support our federal government. On August 27, 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12) to address numerous security gaps and inefficiencies that exist throughout the federal government. HSPD-12 mandates that federal employees, contractors and affiliates must undergo a standard identity verification process and hold a specific personal identification card.
The specific personal identification card is known as a FIPS 201 compliant “PIV card”. These PIV cards must be used on access control readers capable of reading the PIV application data. XceedID and its OEM partners offer these FIPS 201 compliant PIV readers. Essentially, all government agencies must upgrade existing infrastructure to include all access control card readers, and eventually entire access control systems, to be FIPS 201 PIV compliant.
PIV-I vs. PIV-II
FIPS 201 encompasses two sections: PIV-I (Personal Identity Verification), which took effect October 27, 2005, and PIV-II, which took effect on October 27, 2006.
PIV-I deals specifically with personal ID authentication and establishes the PIV card as the card that carries access privileges for government facilities. However, PIV-I does not mandate any specific PIV card technology. It does specify the items individuals must submit, and the processes that must be adhered to, before they are issued a PIV card, in order to prove that they are who they claim to be.
PIV-II outlines the technical requirements for the PIV cards that are issued once the PIV-I requirements have been met. The PIV card is, essentially, a dual interface smart card that contains both a contact chip and a contactless chip for storing data such as a biometric template, a PIN (personal identification number), a CHUID (Card Holder Unique Identification), an expiration date, and encrypted keys for computer access.
The essential requirement introduced by PIV-II is interoperability that allows any PIV card used at one agency to be used with the same level of efficiency at any other U.S. federal agency anywhere in the world.
The GSA lab tests card readers and other FIPS201 products against a set of criteria established by various government agencies including NIST (National Institute of Standards and Technology) and the GSA’s own Card/Reader Interoperability Requirement Guidelines. For detailed information, consult the GSA’s Card/Reader Interoperability document.
XceedID FIPS201 PIV compliant readers are available in two formats (75 bit and 200 bit) providing unprecedented versatility within the PIV II specification.
XceedID FIPS 201 PIV II Smart Card Reader Applications
In addition to reading approved FIPS 201 PIV II credentials, XceedID Multi-Technology readers are also compatible with many standard proximity and leading smart card technologies. Two of the most commonly deployed PIV II credentials are cards made by Oberthur and Gemalto.
The ability to read multiple existing card types and PIV II cards simultaneously is a tremendous benefit to those agencies looking to painlessly transition from older proximity technologies to new, mandated PIV II credentials. A mixed population of old prox credentials and new PIV II credentials is unavoidable during the government’s multi-year upgrade path to FIPS 201 compliance. XceedID Multi-Technology readers are a unique and critical component of successful security upgrades in all sectors of the government.
FIPS 201 PIV II Reader Availability
XceedID PIV Multi-Technology readers are available from XceedID OEM resellers. Please view the XceedID reseller page or contact XceedID directly for specific details. Download the XceedID FIPS 201/PIV II readers product data sheet (PDF).
What kind of read range performance should be expected for PIV II credentials on physical access readers?
Most PIV readers will read a PIV credential at a range of 0” to about 1.5”. The read range and read time will be noticeably worse than read ranges typically found on existing proximity cards and readers. One of the reasons for this is the type of technology in the PIV cards. The dual interface chip and technology on the PIV credential is not well suited for read range. There is also more data being exchanged with PIV credentials than with traditional prox. This will be an education problem for all agencies that roll out PIV credentials. Some users will believe that readers are “not working” because their cards no longer work at 3” or 4”. Users may now actually have to touch their card to the reader surface, perhaps in a particular area or fashion, in order for the card to work. In some cases, because the cards are complex and more fragile than traditional proximity cards, the cards may not even work.
Why is it so important to validate specific PIV II credentials with physical access readers?
The short answer is that the PIV cards and PIV readers do not come from the same manufacturing source. While interoperability has been the goal of the government in the PIV rollout, if operation is not validated between the specific cards and specific readers there is the potential for cards and readers to be “inoperable”.
It was my understanding that interoperability meant that any PIV II credential could be enrolled on any access system and used with any PIV compliant readers?
The government has changed the specifications for access cards and readers on multiple occasions over the past 6 or more years. There have been renditions of GSC DESFire specs, PIV specs, TWIC specs, FRAC specs and now PIV II specs. The card chips have changed from contact only to contactless (DESFire) and most recently to dual interface (SmartMX) technology. Many of these changes involve modifications to reader and card hardware, firmware and software. The changes also affect data structure and required outputs from the devices. These changes and their potential effects are compounded when you multiply them across numerous card manufacturers and numerous reader manufacturers. They are compounded again when you realize that the companies manufacturing the cards are not the same companies that manufacture the readers. While the GSA APL lab is doing its best to approve products meeting the stated requirements, this does not truly guarantee interoperability and performance in the real world. Since there are very few “experts” on these technologies and there have been required hardware and firmware changes, it is imperative that any purchase of PIV credentials and PIV readers be validated prior to any rollout or purchases. It is inevitable that many agencies (end customers) will find themselves with inoperable cards and/or readers due to these continual changes. Each end customer is responsible for the functionality of their system and MUST validate their intended PIV credentials with the intended PIV readers.
Does XceedID guarantee interoperability of its GSA APL listed readers with all APL listed credentials?
NO. XceedID does guarantee that its readers have passed all of GSA’s compliance testing and are listed on GSA’s Approved Products List. However, it is not possible to guarantee operation of all APL credentials because of the vast differences in performance by the different manufacturers of cards. This is why XceedID requires all end customers to VALIDATE and VERIFY actual operation of intended credentials and readers.
FIPS 201 Reader Disclaimer
The U.S. Government PIV credentials are complex dual interface credentials involving contact and contactless smart card components, and in some cases a proximity component (antenna coil) or other technologies such as bar code or mag stripe. XceedID PIV readers have been approved by the GSA lab as compliant with FIPS 201 and the appropriate PIV credentials. However, XceedID does not control the quality, tuning or RF performance of the PIV cards and therefore cannot guarantee that every card will read on our readers. The transaction time and the RF performance vary widely from one card type and manufacturer to another and are solely dependent on the card quality and not the reader. Any PIV reader installations intended to be mounted on or near metal surfaces should be tested in the actual install environment to verify operation. XceedID cannot guarantee performance of PIV credentials, especially on readers mounted on or near metal. Every PIV reader is tested at the factory prior to shipping.
It is the sole responsibility of the end customer (Agency or Company) to validate and verify that the specific credentials intended to be used on XceedID readers are operable prior to any rollout or mass purchase.