FIPS 201 Evaluation Program Industry Session Followup

The industry feedback day was very well attended, and we thank everyone for the constructive feedback you provided. Below is a recap of the main points that were touched upon during the session:

  • Interoperability: GSA will be re-orienting the program to focus on the intent of HSPD-12, which includes both security and interoperability considerations for federal agency identity management implementations. This may require that existing categories be refined or deleted and new categories created to make them more understandable and relevant. New system/subsystem categorizations may also be required in order to form the basis for interoperability testing requirements.

  • Standards & Specifications: With concurrence from both NIST and OMB, a Requirements Traceability Matrix that includes interoperability will use FIPS 201 as a starting point for conformance, but will also leverage the FICAM Roadmap and Implementation Guidance as well as additional relevant material to develop the interoperability requirements.

    While it will take some time to fully implement, we’re going to start identifying the minimum appropriate infrastructure subsystems and boundaries to support both PACS and LACS implementations, since a single PIV Card must work across both environments. The identification of subsystem-to-subsystem interfaces going forward can form the basis for developing the specification for each interface, which in turn should drive standardization and interoperability.

  • Industry/Lab(s) Interaction Process: Industry would like more visibility into the evaluation process, and to speed the certification process wherever possible. Vendors would like better definition of when product re-testing is required, especially when new standards are introduced (e.g., upcoming FIPS 201-2). The industry seemed to be open to new Lab involvement and even a mix (LACS, PACS, and Interoperability) going forward if it will speed up the process and reduce contracting complexity.

    GSA will also consider if and where vendor self-attestation might fit within the program evaluation process.

While we address the above in the medium to long term, there was concurrence that, although the GSA APL continues to be a great starting point, improved categorization and additional information about product compatibility would enhance its utility for our Agency Customers in the near term. We will be looking to see how to make this possible.

Our next step is to hold an Agency Session on Tuesday, June 19 (9 a.m. - 12 p.m. EST) at GSA OCS, 1275 First Street NE, DC (NY Ave Exit - DC Metro Red Line) to gather feedback from our Agency Customers. An invitation has already been extended to Agencies through their representatives to the ICAMSC and FPKI Working Groups. If you are an Agency representative interested in attending this session, please contact me [chi.hickey (at) gsa (dot) gov] for details.

:- by Chi Hickey