pa-c-fips201-a4

18

Upload: rodolfo-rodriguez

Post on 18-Dec-2015


DESCRIPTION

PA-C-FIPS201-A4

TRANSCRIPT

Federal Information Processing Standard (FIPS) 201 Solution

TAC is proud to announce its solution for the U.S. Government Federal Information Processing Standard: FIPS 201. The Andover Continuum system from TAC has been enhanced in version 1.9 to include optional support for FIPS 201. This solution includes new controller firmware and options for the FIPS 201 ready NetController II, AC-1 modules and the ACX Series.

This Product Announcement provides background information on FIPS 201 and an overview of the Card Management and Issuance System. It also describes the features implemented within Andover Continuum's hardware and software products to support the standard and complement the solution. To best help with the structure of this announcement, here is a summary of the sections included:

• About HSPD-12 and FIPS 201
  o What is HSPD-12 and FIPS 201?
• Card Management & Issuance System Overview
  o Diagram of a general system as defined by the standard
  o TAC's solution satisfies the Physical Access Control component only
• Access Control and FIPS 201
  o Access Control requirements for a FIPS 201 system
• Andover Continuum and FIPS 201
  o TAC's FIPS 201 feature implementation in Andover Continuum
• Features and Benefits
• Business Opportunity
• Technical and Market Opportunities
• Andover Continuum Security Architecture
• Andover Continuum FIPS 201 Solution Products and Requirements
  o Products that Support the FIPS features
  o Required Add-On options
• Ordering
  o Ordering Instructions
  o Software and Firmware Compatibility
• How to Approach a FIPS 201 Project
• FIPS 201 Solution FAQs

Literature
• CyberStation Installation Guide, P/N: 30-3001-720
• CyberStation Access Control Essentials Guide, P/N: 30-3001-405
• web.Client Planning & Installation Guide, P/N: 30-3001-835
• Plain English Language Reference Guide, P/N: 30-3001-872
• NetController II Operation & Technical Reference Guide, P/N: 30-3001-995
• ACX 57xx Series Controller Operation & Technical Reference Guide, P/N: 30-3001-999
• Release Notes 1.9
• NetController II Sales Datasheet, P/N: SDS-C-NETCONTROLLER-II-A4
• ACX Series Access Controller for Ethernet Sales Datasheet, P/N: SDS-C-ACX-A4

Resource List
• White Paper: US Security Directive FIPS 201 Compliance Strategies, P/N: WP-C-SEC-FIPS201-A4
• Feature Blast: Federal Information Processing Standard (FIPS) Solution, P/N: FB-C-FIPS201-A4
• Feature Blast: NetController II, P/N: FB-C-NETCONTROLLER-II-A4
• Feature Blast: NetController II v2.1, P/N: FB-C-NETC-II-v2_1-A4
• Feature Blast: ACX Series Access Controller for Ethernet, P/N: FB-C-ACX-A4
• Feature Blast: ACX Series v1.1, P/N: FB-C-ACX-v1_1-A4

PRODUCT ANNOUNCEMENT

About HSPD-12 and FIPS 201

In August 2004, the Homeland Security Presidential Directive (HSPD-12) was issued. It mandates the use of one federal standard means of identification for all federal employees and contractors.

This is partially driven by the fact that there are over 100 major government agencies, each with its own unique system for performing background checks and criteria for issuing credentials (e.g. access cards). Furthermore, there was no defined way to authenticate persons between agencies.

The key requirements for HSPD-12 are for secure and reliable identification that:

• Is issued based on sound criteria for verifying an individual employee's identity
• Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
• Can be rapidly authenticated electronically
• Is issued only by providers whose reliability has been established by an official accreditation process

The Secretary of Commerce directed the National Institute of Standards and Technology (NIST) to develop a new standard. NIST released FIPS 201 on February 25th, 2005, and has released 12 supporting standards to date. FIPS 201 was created to answer the Homeland Security Presidential Directive HSPD-12, which charged all federal agencies to utilize a secure, standardized, single-credential Personal Identity Verification (PIV) system for both logical (PC log on) and physical security (Access Control). FIPS 201 addresses PIV systems at the issuance and reader level.

Card Management and Issuance System Overview and Major Components

As a result of HSPD-12, every federal employee and contractor will require a new unique identification (i.e. access card). Below are the major components of the general Card Management and Issuance System with a summary of each step. TAC's solution addresses the Physical Access Control System (PACS) component.

The Andover Continuum components only address the Physical Access Control System (PACS) component of the overall system (shown in the upper right section of the diagram).

Access Control and FIPS 201

Although the current FIPS 201 standard does not specifically define the details for the Physical Access Control System (PACS), the access control system needs to be able to synchronize data with the PIV issuance system, the Identity Management System (IDMS), commonly referred to as PIV middleware. The information received from the PIV middleware is then stored in the access control system.

From an access control perspective, the following needs to be implemented at a site to transition it to FIPS 201 compliance:

1. A new PIV Card Issuance system needs to be selected and added to the site, which would interact with the PACS.
2. The site needs to change its cards and card readers to accept the new card format.
3. The controllers connected to these card readers need to be upgraded (or changed) for compatibility with the new card readers.
4. The access control system (including database) implementation needs to change to include the new additional data required by FIPS PIV cards.

Physical access requests made by PIV card credentials are read by readers designed to handle the FIPS PIV cards and are passed to the access control system. The access control system must be able to make access control decisions using the FIPS data passed to it by the PIV reader.

Andover Continuum and FIPS 201

TAC set out to implement its FIPS 201 solution by expanding on the Andover Continuum access control system using the following goals:

• Preserve the existing customer's investment in Andover Continuum by re-using existing hardware and wiring whenever possible
• Partner with a FIPS PIV Card Issuance System
  o TAC has selected ImageWare PIV Middleware
• Utilize the newest/most capable hardware products to support FIPS:
  o Use the NetController II and the ACX Series
  o Replace readers with FIPS transitional readers
• Upgrade software components to support FIPS:
  o CyberStation workstation FIPS software revisions
  o AC-1 FIPS firmware (Remove Degrade Mode functionality)

The Andover Continuum FIPS 201 solution can handle all of the necessary PACS data synchronization and access control decision making. With the release of CyberStation v1.9 and the latest controller software versions, the solution is complete to fully implement as the PACS component of a FIPS 201 site.

Note: Compatible FIPS 201 compliant card readers are required to read the PIV cards.

Features and Benefits

The FIPS support in Continuum v1.9 permits data to be synchronized between CyberStation and the IDMS/PIV systems and also distributes FIPS compliant data to controllers for access control decisions. FIPS compliant access control requires all NetController II, AC-1 and ACX Series controllers to be upgraded to the latest FIPS compatible firmware.

Second/Transitional FIPS Card Support

Until CyberStation 1.81, only one credential could be assigned to a single personnel record. Since the release of v1.81, a second credential (e.g. Prox or FIPS PIV card) could be assigned to each personnel object, but only the first credential's data could be sent down and supported at the controller level. Now, with v1.9, data for both credentials can be downloaded to a controller that supports dual credentials. This feature is useful for sites transitioning from one card access system to a FIPS-compliant system. Use of dual credentials may be temporary or indefinite. Once a site is ready to solely use the second credential (e.g. FIPS PIV card), a simple change can enforce that only the second credential is used to determine personnel access.

Note: This feature may also be used at non-FIPS sites and does not require the FIPS option when used solely with non-FIPS credentials.

Personnel Import Utility (PIU) to PIV Middleware Data Synchronization

Import data from a FIPS approved Identity Management System (IDMS) / Personal Identity Verification (PIV) middleware system. The FIPS support in CyberStation v1.9 permits data to be synchronized between Continuum and the IDMS/PIV systems.

Personnel Import Utility (PIU) Enhancements

The Personnel Import Utility launched in version 1.8 (which supported data import using LDAP) is enhanced to allow XML as a data source. TAC has included a standard XSLT transformation script that integrates with the PIV middleware from ImageWare Systems, TAC's preferred and tested PIV system for FIPS installations. The PIU synchronizes import and export of personnel data using XML. The PIU may exchange data with other systems that utilize XML by editing the XSLT transforms.

Additional Features included with the Andover Continuum Solution

The following features are not specified as required in FIPS 201 but are included in the Andover Continuum solution and will complement your FIPS 201 configuration for a more comprehensive system.

10/100 Base-T Ethernet with IPsec/IKE Encryption

Communication with the NetController II and ACX Series controllers is not only fast (supporting data transfer rates up to 100 Mbps) but secure, with IPsec/IKE protocols for network security. Encryption (up to 168-bit using Triple DES) and authentication may be enabled for communications to and from Andover Continuum workstations and controllers. Andover Continuum utilizes Internet Protocol Security (IPsec) and Internet Key Exchange Protocol (IKE) to assure tamper-proof communications over the Ethernet between IP controllers and workstations.

FIPS 140-2 Compliance

Although it is possible to have a site that is FIPS 201 compliant without FIPS 140-2 compliant access controllers, many specifications also require FIPS 140-2 compliant access controllers. To address this additional requirement, TAC is in the process of listing the Continuum Network Security Module that is in the NetController II and ACX Series controllers. These will be certified as Level 2 FIPS 140-2.

Support for Area Lockdown

It is important to be able to contain potential threats when they are detected. The NetController II and ACX Series controllers can respond to Area Lockdown commands sent from Andover Continuum software, providing a quick method for sealing off areas. A simple click of a graphic or an automatic program response is all that is needed to disable card readers and exit requests in any given area. First responder personnel can still gain access to the area if their record is marked with executive privilege.

Condition Threat Level-based Access Rights

The NetController II and ACX Series controllers can adapt access rights to a change in condition or threat levels, as the U.S. Department of Homeland Security refers to them. Each personnel record can be assigned a clearance level for each area to which a person has access. When the condition is more severe than the person's clearance level, access is automatically denied. The condition level may be set manually through Continuum software or automatically through a program. A program can even be written to monitor national threat levels and adjust Andover Continuum Condition Levels accordingly. Although the U.S. government only calls for five condition levels of threat, Andover Continuum is capable of assigning up to 255 custom condition levels for local security needs.
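The lockdown, executive-privilege and condition-level rules described in the sections above, together with the dual-credential enforcement from Second/Transitional FIPS Card Support, as an added Python model of the controller's decision (not Continuum firmware or Plain English code; every class, field and credential value below is an assumption constructed for the illustration):

```python
# Added illustration of the access-decision rules this announcement describes.
# Not Continuum firmware or Plain English code; all names and values are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_CONDITION_LEVEL = 255  # the page: up to 255 custom condition levels


@dataclass
class Personnel:
    name: str
    primary_credential: str                   # e.g. legacy Prox card number
    second_credential: Optional[str] = None   # e.g. FIPS PIV card identifier
    executive_privilege: bool = False         # first-responder flag on the record
    clearance: Dict[str, int] = field(default_factory=dict)  # area -> clearance level


@dataclass
class Area:
    name: str
    condition_level: int = 1    # current condition/threat level for this area
    locked_down: bool = False   # Area Lockdown: readers and exit requests disabled


@dataclass
class Controller:
    """Personnel records and areas downloaded to one controller."""
    by_credential: Dict[str, Personnel]   # both credentials of a record are indexed
    areas: Dict[str, Area]
    second_credential_only: bool = False  # the post-transition "simple change"

    @classmethod
    def build(cls, people: List[Personnel], areas: List[Area],
              second_credential_only: bool = False) -> "Controller":
        index: Dict[str, Personnel] = {}
        for p in people:
            index[p.primary_credential] = p
            if p.second_credential:
                index[p.second_credential] = p
        return cls(index, {a.name: a for a in areas}, second_credential_only)

    def set_condition_level(self, area_name: str, level: int) -> None:
        """Manual (operator) or program-driven change of an area's condition level."""
        if not 1 <= level <= MAX_CONDITION_LEVEL:
            raise ValueError("condition level must be 1..%d" % MAX_CONDITION_LEVEL)
        self.areas[area_name].condition_level = level

    def decide(self, credential: str, area_name: str) -> Tuple[bool, str]:
        """Return (granted, reason) for a card presented at a reader of an area."""
        area = self.areas.get(area_name)
        if area is None:
            return False, "unknown area"
        person = self.by_credential.get(credential)
        if person is None:
            return False, "unknown credential"
        # Dual-credential enforcement: once the site has switched over, only the
        # second (FIPS PIV) credential decides access.
        if self.second_credential_only and credential != person.second_credential:
            return False, "primary credential no longer accepted"
        if area_name not in person.clearance:
            return False, "no access rights for area"
        # Area Lockdown seals the area; only executive-privilege records get in.
        if area.locked_down and not person.executive_privilege:
            return False, "area locked down"
        # Condition level more severe than the person's clearance: deny.
        if area.condition_level > person.clearance[area_name]:
            return False, "condition level exceeds clearance"
        return True, "granted"


def demo() -> Dict[str, bool]:
    """Constructed site (two people, two areas); returns the decision per scenario."""
    alice = Personnel("alice", "PROX-1001", "PIV-7001", clearance={"lobby": 3, "lab": 2})
    bob = Personnel("bob", "PROX-1002", "PIV-7002", executive_privilege=True,
                    clearance={"lobby": 5, "lab": 5})
    ctl = Controller.build([alice, bob], [Area("lobby"), Area("lab")])
    out = {}
    out["prox_during_transition"] = ctl.decide("PROX-1001", "lab")[0]
    ctl.set_condition_level("lab", 3)    # e.g. a program tracking a raised threat level
    out["alice_lab_elevated"] = ctl.decide("PIV-7001", "lab")[0]
    out["bob_lab_elevated"] = ctl.decide("PIV-7002", "lab")[0]
    ctl.areas["lab"].locked_down = True  # operator clicks the lockdown graphic
    out["alice_lab_lockdown"] = ctl.decide("PIV-7001", "lab")[0]
    out["bob_lab_lockdown"] = ctl.decide("PIV-7002", "lab")[0]
    out["alice_lobby_during_lab_lockdown"] = ctl.decide("PIV-7001", "lobby")[0]
    ctl.second_credential_only = True    # site now uses FIPS PIV cards only
    out["prox_after_transition"] = ctl.decide("PROX-1002", "lobby")[0]
    out["piv_after_transition"] = ctl.decide("PIV-7002", "lobby")[0]
    return out


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print("%-34s %s" % (scenario, "granted" if granted else "denied"))
```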


Business Opportunity

U.S. Government agencies are required to comply with HSPD-12 by installing physical and logical security solutions throughout their sites that meet the FIPS 201 standard. Failure to comply with these mandates could result in a drop of federal funding to that agency. Therefore, existing and prospective TAC government customers should be approached during this deployment period. The Andover Continuum system has a clear path for customers to get their site compliant with the new regulations.

At TAC, we believe that many of the v1.9 features can also be applied to less critical applications. So take the opportunity to leverage these enhancements to a wide range of installations.

Technical & Market Opportunities

TAC is among the first companies to offer an HSPD-12/FIPS 201 solution. We believe that the Andover Continuum solution, which includes a partnership with ImageWare Systems for PIV middleware, is one of the best. The ImageWare product gives government agencies the flexibility to integrate with enterprise level Identity Management Systems (IDMS) including IBM Tivoli, customize the data entry workflow and business logic, and seamlessly exchange this data in a synchronized fashion with Continuum. Furthermore, ImageWare's Biometric Engine provides the most compatibility with biometric devices (e.g. fingerprint, iris, hand geometry, facial), making it possible to deploy the Andover Continuum solution while supporting the customer's full range of field devices.

The FIPS feature set should really be thought of as an elevated security feature set. TAC is already in discussions with airports interested in the advantages of the new Andover Continuum offering. We believe that other segments will also be attracted to our new capabilities. Perhaps they won't utilize the entire FIPS compliant package, but they are likely to employ a subset of the FIPS solution in new ways.

Andover Continuum Security Architecture

The architecture below includes the products that make up the Andover Continuum security system, some of which are part of the TAC FIPS 201 solution. Whereas the Pelco Digital Video Management System (DVMS) is not part of the FIPS 201 solution, it does natively integrate with CyberStation and complements the overall system for added security value.

Andover Continuum FIPS 201 Solution Products and Requirements

This section includes a summary of the components required (including add-on options) for TAC's FIPS 201 PACS solution.

The following table details the specific products and minimum product software versions required for FIPS 201 support:

Product                              Minimum Software Version
                                     (Controllers should be upgraded to the latest revision)
CyberStation*                        v1.9
ACX Series (Models 5720 & 5740)*     v1.1
NetController II (Model 9680)*       v2.1
AC-1 Module                          v25
AC-1A Module                         v25
AC-1 Plus Module                     v29

* CyberStation, the ACX Series, and the NetController II require add-on options for FIPS 201 functionality.

The next page summarizes the add-on options required for FIPS 201 support.

Add-On Option Requirements per Product

CyberStation Software:

Required:
• FIPS option -F must be added to all CyberStation software keys/dongles. This option enables all fields and functionality required to support FIPS-PIV cards.
  o Enabling the -F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order -C separately.
• Data Exchange option -D must be added to at least one CyberStation software key/dongle for interoperability with the IDMS.

Not Valid:
• Once a site is fully converted to FIPS 201 operation, the Badging option -B can no longer be used. The FIPS 201 standard requires that all badging functionality is handled by the IDMS/PIV middleware.

ACX Series (Models 5720 & 5740) and NetController II (Model 9680):

Required:
• FIPS option -F must be added to all units. This option enables the controllers to support the personnel records' FIPS-PIV data required for access control validation.
  o Enabling the -F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order it separately.
  o Enabling the -F option also automatically enables the High Encryption option -H to assure tamper-proof communications over the Ethernet between IP controllers and workstations.

Complementary Third Party Components Required

IDMS/PIV middleware:

Highly Recommended:
• ImageWare Systems: TAC has partnered with ImageWare and has included CyberStation enhancements to the Personnel Import Utility (PIU) to include a standard XSLT transformation script that integrates with the PIV middleware from ImageWare.

Note: Other IDMS/PIV middleware applications (instead of the ImageWare IDMS) can be used with the Andover Continuum FIPS 201 solution.

Card/Credential Readers:

Required:
• FIPS 201 compliant readers compatible with Andover Continuum hardware products
  o Maximum bits supported:
    ACX Series Access Controllers for Ethernet: 260 bits
    NetController II (with AC-1, AC-1A, or AC-1 Plus): 240 bits

Note: Degrade mode (e.g. validation via site code only) does not work with FIPS-PIV cards.

Take the following into consideration when planning your compliant system:
  o Order only FIPS approved devices. Consult the NIST web site for the current list: http://www.fips201.com/
  o Readers that offer transitional support may be the best choice.
  o There is currently no test for access controllers and software.
  o There are different levels of assurance. Andover Continuum can be used to provide a solution for low and medium assurance applications.

Built-in Low-Assurance Formats:
• Wiegand 75-bit
  o Agency + System + Credential + Expiration Date
• Wiegand 200-bit
  o 200-bit FASC-N (No Expiration Date)

All other formats are considered a FIPS-PIV Custom Card format and must be specified by the user via the FIPS-PIV Custom Format System variable.

Custom Low-Assurance Format Examples:
• 200-bit FASC-N with embedded expiration date
• 245-bit FASC-N with appended expiration date

Custom Medium-Assurance Format Examples:
• 200-bit FASC-N with embedded HMAC
• 107-bit: 75-bit PIV + 32-bit HMAC
• 32-bit HMAC + 200-bit FASC-N

Recommended:
• HID Transitional Readers
  o HID transitional readers support both 125 kHz Proximity and 13.56 MHz FIPS 201 compliant Smart Cards
  o Each reader comes standard to simultaneously read all card technologies.
  o Readers may be switched after transition to read only FIPS cards.
  o Reader mode is changed by recycling power and presenting a programming card.
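The 200-bit FASC-N listed above as the built-in Wiegand 200-bit format, and the "32-bit HMAC + 200-bit FASC-N" medium-assurance custom layout, as an added Python example (not Continuum, reader or ImageWare code): it encodes and decodes the FASC-N character stream (start sentinel, five-bit BCD characters with odd parity, field separators, end sentinel and LRC) and verifies an appended 32-bit tag. The sample digits, the key and the tag derivation (HMAC-SHA256 truncated to 32 bits) are assumptions; a real site's tag scheme is whatever its issuer and PACS agree on.

```python
# Added example: 200-bit FASC-N encode/decode plus an assumed 32-bit HMAC tag
# for the "32-bit HMAC + 200-bit FASC-N" custom layout. Not Continuum or reader code.
import hashlib
import hmac

# Field order and BCD digit count of the 200-bit FASC-N (40 characters x 5 bits).
FIELDS = [("agency_code", 4), ("system_code", 4), ("credential_number", 6),
          ("credential_series", 1), ("individual_credential_issue", 1),
          ("person_identifier", 10), ("organizational_category", 1),
          ("organizational_identifier", 4), ("person_association", 1)]
# A field separator (FS) character follows each of these fields.
FS_AFTER = {"agency_code", "system_code", "credential_number",
            "credential_series", "individual_credential_issue"}
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel

def _char_bits(value: int) -> str:
    """5-bit BCD character: the 4 data bits LSB first, then an odd-parity bit."""
    data = "".join(str((value >> i) & 1) for i in range(4))
    return data + ("0" if data.count("1") % 2 else "1")

def _char_value(bits: str) -> int:
    """Inverse of _char_bits; raises on a parity failure."""
    if bits.count("1") % 2 != 1:
        raise ValueError("odd-parity error in character " + bits)
    return sum(int(b) << i for i, b in enumerate(bits[:4]))

def encode_fascn(fields: dict) -> str:
    """Return the 200-bit FASC-N as a '0'/'1' string."""
    chars = [SS]
    for name, width in FIELDS:
        digits = str(fields[name]).zfill(width)
        if len(digits) != width or not digits.isdigit():
            raise ValueError("%s must be %d decimal digits" % (name, width))
        chars.extend(int(d) for d in digits)
        if name in FS_AFTER:
            chars.append(FS)
    chars.append(ES)
    lrc = 0
    for c in chars:          # LRC: XOR of every preceding character's data nibble
        lrc ^= c
    chars.append(lrc)
    return "".join(_char_bits(c) for c in chars)

def decode_fascn(bits: str) -> dict:
    """Parse and validate a 200-bit FASC-N; raises ValueError on any defect."""
    if len(bits) != 200:
        raise ValueError("FASC-N must be 200 bits, got %d" % len(bits))
    chars = [_char_value(bits[i:i + 5]) for i in range(0, 200, 5)]
    if chars[0] != SS or chars[-2] != ES:
        raise ValueError("bad start or end sentinel")
    lrc = 0
    for c in chars[:-1]:
        lrc ^= c
    if lrc != chars[-1]:
        raise ValueError("LRC mismatch")
    pos, out = 1, {}
    for name, width in FIELDS:
        digits = chars[pos:pos + width]
        if any(d > 9 for d in digits):
            raise ValueError("non-digit in " + name)
        out[name] = "".join(str(d) for d in digits)
        pos += width
        if name in FS_AFTER:
            if chars[pos] != FS:
                raise ValueError("missing field separator after " + name)
            pos += 1
    return out

def is_valid_fascn(bits: str) -> bool:
    """True when the bit string decodes cleanly (parity, sentinels, LRC, digits)."""
    try:
        decode_fascn(bits)
        return True
    except ValueError:
        return False

def hmac_tag(fascn_bits: str, key: bytes) -> str:
    """Assumed tag derivation: HMAC-SHA256 over the FASC-N bits, truncated to 32 bits."""
    mac = hmac.new(key, fascn_bits.encode("ascii"), hashlib.sha256).digest()
    return format(int.from_bytes(mac[:4], "big"), "032b")

def verify_232bit(frame: str, key: bytes) -> dict:
    """Check a '32-bit HMAC + 200-bit FASC-N' frame and return the decoded fields."""
    if len(frame) != 232:
        raise ValueError("expected 232 bits, got %d" % len(frame))
    tag, fascn_bits = frame[:32], frame[32:]
    if not hmac.compare_digest(tag, hmac_tag(fascn_bits, key)):
        raise ValueError("HMAC mismatch: tag was not produced under this key")
    return decode_fascn(fascn_bits)

# Constructed sample card: the digits are made up for the demonstration.
SAMPLE = {"agency_code": "3201", "system_code": "0042", "credential_number": "000123",
          "credential_series": "0", "individual_credential_issue": "1",
          "person_identifier": "1234567890", "organizational_category": "1",
          "organizational_identifier": "0001", "person_association": "2"}
SAMPLE_KEY = b"constructed-demo-key"  # placeholder, not a real site key
```

A single flipped bit in the stream is caught by the character parity or the LRC, and a tag computed under a different key is rejected before the FASC-N is even parsed.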


Ordering

In order to enable a site for FIPS 201 compatibility, TAC requires that certain procedures are followed and the specified options are purchased. FIPS enabled products cannot be purchased through regular new product ordering procedures. FIPS functionality is only available as separate add-on options and must be ordered through the standard feature upgrade process.

FIPS add-on options are closely managed and require TAC management approval before ordering. Please be sure to work with your local TAC sales representative for support through the sales process and to facilitate approval before ordering.

For New Product Orders:

Follow the standard Andover Continuum ordering process for every option except the FIPS -F options. Specifically, exclude the FIPS -F, Critical Security -C (i.e. Condition Level), and High Encryption -H options. After product receipt, contact the Repair Department to order controller flash files and software dongle/key cookies to enable the FIPS options. The Repair Department representative will confirm TAC approval before processing the FIPS option(s) upgrade request.

Refer to the Ordering and FAQ sections of the TAC Product Announcements specified below for information on how to order the following products. All of these documents are available in the Andover Continuum Product section of TAC ExchangeOnline. From the ExchangeOnline Global website, navigate to: Product Zone -> Andover Continuum -> Sales and select the desired document type from the menu on the left.

• CyberStation software
  o CyberStation and web.Client v1.9 Product Announcement: PA-C-CYBER-WEBC-V1_90-A4
  o CyberStation and web.Client v1.81 Product Announcement
  o CyberStation and web.Client v1.8 Product Announcement
  Note: web.Client is not part of the Andover Continuum FIPS 201 solution; it does not support FIPS features/functionality.
• NetController II
  o NetController II Product Announcement: PA-C-NETCONTROLLER-II-A4
  o NetController II Part Numbering Scheme Reference Sheet
  o Countries Approved for Product Release of the NetController II and ACX Series Reference: PA-NETC-II-ACX-EXPORT-COUNTRIES-A4
• ACX Series
  o ACX Series Access Controller for Ethernet Product Announcement: PA-C-ACX-A4
  o ACX Series Part Numbering Scheme Reference Sheet
  o Countries Approved for Product Release of the NetController II and ACX Series Reference: PA-NETC-II-ACX-EXPORT-COUNTRIES-A4

For Product Upgrades:

Existing sites and products can be upgraded for FIPS 201 compliance; however, note that only CyberStation software, the NetController II, the ACX Series (Models 5720 and 5740), and the AC-1 family of modules can be upgraded for FIPS 201 compliance. These are the only products in which the FIPS features have been implemented. All other Andover Continuum access control products are compatible in the security/BMS system, but do not adhere to the standard and may need to be replaced or removed in zones that need to be FIPS 201 compliant.

Existing access control products will need to be upgraded to enable the FIPS add-on options and to meet the minimum software versions specified in the table in the compatibility section below. Add-on options may be ordered through the standard feature upgrade process. Contact the Repair Department to order controller flash files and software dongle/key cookies for upgrades to enable the FIPS options. The Repair Department representative will confirm approval before processing the FIPS option(s) upgrade request.

Controller flash files for version upgrade are available free of charge from the ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum -> Software -> Continuum and select the desired product and version from the menu on the left. Note: This only includes new firmware versions and does not enable options required for FIPS support.

Compatibility

The following table summarizes the software and controller software versions required to support the FIPS 201 solution add-on functionality. All CyberStation workstations must be upgraded to the same version. Please make sure the site's operating systems, firmware and SQL servers are all compliant with the matrix below.

Andover Continuum Software and Firmware Compatibility Matrix for v1.9 (Last Updated: October 8th, 2008)

CyberStation/web.Client Software Version: 1.9

LAN Configuration
  DB Server OS:         Win Svr 2003 (SP1), Win Svr 2003 R2, MS Vista Business, MS Vista Ultimate
  SQL Version:          MS SQL 2000 (up to SP4), MS SQL 2005 (1); Standard & Enterprise Editions
  CyberStation PC OS:   Win XP Pro (SP3), MS Vista Business, MS Vista Ultimate, Win Svr 2003 (SP1), Win Svr 2003 R2; .NET v2.0 & .NET v3.0 (Video Only)

Single User Configuration
  CyberStation SU (Cyber / DB Server OS):   Win XP Pro (SP3), MS Vista Business, MS Vista Ultimate, Win Svr 2003 (SP1), Win Svr 2003 R2; .NET v2.0 & .NET v3.0 (Video Only)
  SQL Version:                              MS SQL Express (SP4)

Compatible Firmware Versions
  ACX Series (5720/5740):   1.1
  NetController II:         2.1
  AC-1:                     25
  AC-1A:                    25
  AC-1 Plus:                29

(1) Only the Standard Edition of MS SQL 2005 is supported on MS Vista machines.

The complete Andover Continuum Software and Firmware Compatibility Matrix is posted on the TAC ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum -> Software -> Continuum Compatibility Matrix and download the PDF file.

How to Approach a FIPS 201 Project

The Andover Continuum FIPS 201 solution presents a great opportunity for new business as government agencies are mandated to adhere to the standard. However, as with any new standard (or protocol), it will require researching and learning the details to comply and meet customers' needs. FIPS 201 will not make customer sites more efficient or productive; it is costly and the defined procedures will slow them down. It will, however, make them more secure. Furthermore, not implementing a FIPS 201 compliant system could result in budget cuts for your customers.

Now, with the release of v1.9, the Andover Continuum FIPS 201 solution is complete and fully available. However, projects must be approved to enable FIPS add-on options (required for compliance) on Continuum products. Ordering FIPS features is restricted and will only be possible with TAC approval. Work in conjunction with your local sales management to discuss and plan your approach for government customers.

TAC recommends the following steps and discussion points in your FIPS 201 sales process:

• Work with your TAC sales representative.
• Ask if there is a central office of the agency that is creating the specification and if you can meet with that group.
• Ask which areas need FIPS and at what level of assurance.
• Ask who will provide the PIV middleware software.
  o ImageWare is the preferred and TAC tested compatible solution; others could also work.
• Ask what their timeline is.
• Ask what their transition plan is.
• Ask who will purchase and print the badges.
• Use only FIPS approved devices.
  o Consult the NIST web site for the current list: http://www.fips201.com/

Federal Information Processing Standard (FIPS) 201 Solution FAQs

1. How do I find out more about FIPS 201?

The website http://www.fips201.com contains more information. You can specifically browse through the Resources section on the right.

Note: The products included on this site (e.g. cards, card readers) can be used to complement the Andover Continuum FIPS 201 solution. The Andover Continuum solution (e.g. controllers, software) only applies to the Physical Access Control System (PACS) portion of the overall FIPS defined process.

2. Is there any TAC material that can help me learn more about the TAC FIPS 201 Solution?

TAC created the U.S. Security Directive FIPS 201 - Compliance Strategies white paper to better help you understand the standard. It is available on the TAC website http://www.tac.com and can be found by clicking on the White Papers link and navigating down to the US Security Directive FIPS 201 link. Or, browse directly to this white paper by typing in the following direct link: http://www.tac.com/Content?contentId=document/24244&node=11105.

3. Is the Andover Continuum FIPS 201 solution certified?

Although the National Institute of Standards and Technology (NIST) certifies certain FIPS 201 components, there is no FIPS 201 test or certification for a PACS system.

4. What is FIPS 140 (or FIPS 140-2)?

The Federal Information Processing Standard 140 (FIPS 140) is the U.S. government computer security standard that specifies requirements for cryptographic modules. It specifies the security requirements that need to be satisfied by a cryptographic module that is utilized within a security system protecting sensitive but unclassified information. FIPS 140-2 is for encryption only. In order to cover the full range of potential applications and environments in which cryptographic modules may be employed, four levels of security are defined: Levels 1 to 4.

5. Does FIPS 140-2 have a certification process?

Yes, FIPS 140-2 does have a certification. It is certified by NIST. There are different levels of 140-2 certification; our products are being tested for certification as a level 2 cryptographic module.

• Level 1 only tests encryption from a software point of view.
• Level 2 requires a level of physical protection. The encryption module should not be accessible, and any physical tamper should be obvious.

6. Are the Andover Continuum products FIPS 140-2 certified?

TAC is in the process of listing the cryptographic module that is in the NetController II and ACX Series controllers. These will be certified as Level 2 FIPS 140-2.


The FIPS 140-2 certification process status can be found on the National Institute of Standards and Technology (NIST) website, Modules in Process, at: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html.

• Click on the FIPS 140-1 and FIPS 140-2 Modules In Process List PDF link to see the table of products currently in process.

o The status of the TAC submittal is listed under Module Name: Continuum Network Security Module, Vendor Name: TAC, LLC.

• The PDF itself can be found directly at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

7. Which software version of CyberStation supports the FIPS 201 solution?

CyberStation v1.9 (or greater) supports the full Andover Continuum FIPS 201 solution feature set implementation.

8. Is web.Client included as part of the FIPS 201 solution?

No, web.Client is not included as part of the FIPS 201 solution.

9. Which hardware products support the FIPS 201 solution?

The FIPS features are only supported by the following hardware products:

• ACX Series Access Controllers for Ethernet

• NetController II

• AC-1

• AC-1A

• AC-1 Plus

10. Are any special options required for FIPS-related functionality?

Yes, the FIPS features are paid add-on options on the CyberStation workstations and the controllers. The following summarizes the required and recommended add-on options.

CyberStation Software

Required:

• FIPS option -F must be added to all CyberStation software keys/dongles.

o Enabling the F option automatically enables the Critical Security option -C (i.e. Condition Level); there is no need to order it separately.

• Data Exchange option -D must be added to at least one CyberStation software key/dongle for interoperability with the IDMS.

Not Valid:

• Once a site is fully converted to FIPS 201 operation, the Badging option -B can no longer be used. The FIPS 201 standard requires that all badging functionality is handled by the IDMS/PIV middleware.


ACX Series (Models 5720 and 5740) and NetController II (Model 9680)

Required:

• FIPS option F must be added to all units.

o Enabling the F option automatically enables the Critical Security option C (i.e. Condition Level); there is no need to order it separately.

o Enabling the F option also automatically enables the High Encryption option H to assure tamper-proof communications over the Ethernet between IP controllers and workstations.

11. Are there any specific controller firmware versions required for FIPS 201 support?

Yes, new firmware versions are required to support features introduced over the last few revisions. In general, it is good practice to upgrade to the latest firmware versions for the best functionality.

Product                              v1.9 Compatible Firmware Version
NetController II (Model 9680)        v2.1
ACX Series (Models 5720 and 5740)    v1.1
AC-1 IOU Modules                     v25
AC-1A IOU Modules                    v25
AC-1 Plus IOU Module                 v29

Product version compatibility per CyberStation revision can be checked with the Compatibility Matrix on the TAC ExchangeOnline Global website. Navigate to: Product Zone -> Andover Continuum -> Software -> Continuum Compatibility Matrix and download the PDF file.

12. Can I purchase a NetController II or ACX Series controller with FIPS support?

FIPS enabled products cannot be purchased through regular new product ordering procedures. FIPS functionality is only available as separate add-on options and must be ordered through the standard feature upgrade process. Please refer to the Ordering section on pages 10-11 for ordering instructions.

FIPS add-on options are closely managed and require TAC management approval before ordering. Please be sure to work with your local TAC sales representative for support through the sales process and to facilitate approval before ordering.

13. Can an existing (non-FIPS 201) site be upgraded to be FIPS 201 compliant?

Yes. Existing Andover Continuum systems can be upgraded to support FIPS 201. The following are some of the steps that are required:

• CyberStation software will need to be upgraded to v1.9 (or greater).


• ACX Series, NetController II, AC-1, AC-1A, and AC-1 Plus units will need to be upgraded to the FIPS specific firmware files (see Question 11). The FIPS required options will need to be added as well (see Question 10).

o If the existing hardware products are not the NetController II or the ACX Series, they will need to be replaced. Only the NetController II (with the family of AC-1 modules) and the ACX Series support the FIPS specific features.

• The existing cards and card readers will need to be replaced to support the FIPS-PIV format.

o CyberStation v1.9's Second/Transitional Dual Card support feature will help during the transition period from one card format to the FIPS-PIV card.

14. What if the workstations (or controllers) at my site already have the -C Critical Security and/or H High Encryption options enabled? Do I need to pay for the full -F FIPS option?

The upgrade process for FIPS options is like any other upgrade. The upgrade price is determined as the difference between the current price of the newly desired configuration and that of the existing configuration, per controller (or workstation). For example, if a NetController II already has the H High Encryption option enabled, the F FIPS option upgrade price is the current F option price minus the current H price for that controller.

15. Can the original NetController be upgraded to support FIPS 201 functionality?

No, the original NetController (i.e. CX9900, CX9940) cannot be upgraded to support the FIPS functionality. These units will have to be replaced with NetController IIs. To ease the transition, CyberStation does support upgrading the NetController up to a NetController II. From a Continuum database perspective, you will be allowed a one-time model number change from your current NetController up to the NetController II model number 9680. Note that this process cannot be reversed.

16. Can the ACX 78x or the CX9702 be upgraded to support FIPS 201 functionality?

No, only the ACX Series, NetController II, and AC-1 family of modules support the FIPS functionality.

17. What happens if my workstations are FIPS (F) option enabled but not my controllers?

While the CyberStation software and Continuum database will support the FIPS specific data per personnel record, this information will not be downloaded to the controller level. This means your access controllers will not have the necessary credential data per personnel object and thus will not support FIPS-PIV cards.

18. What happens if my controllers are FIPS (F) option enabled but not my workstations?

If the workstations are not FIPS (F) option enabled, the CyberStation personnel dialogs will not support FIPS specific fields, nor will the Continuum database support FIPS-PIV data.

www.tac.com

Copyright 2008, TAC. All brand names, trademarks and registered trademarks are the property of their respective owners. Information contained within this document is subject to change without notice. All rights reserved. PA-C-FIPS201-A4 2009 May 15

19. Does the FIPS (F) option need to be enabled on all workstations and controllers?

FIPS compliance is system-wide; the FIPS (F) option must be added to all CyberStation workstations, NetController IIs, and ACX Series controllers. As described in the previous two FAQs, failure to do so results in a lack of functionality and compliance.

20. What does it mean that degrade mode is not supported?

Degrade mode in the AC-1, AC-1A, and AC-1 Plus modules is access validation based on less information than the full credential record, depending on how the system is configured (e.g. site code only), when communication to the NetController has been lost. This violates the FIPS 201 standard. Therefore, this functionality has been changed: degrade mode does not work with FIPS-PIV cards. The degrade mode feature is still supported when using non-FIPS-PIV cards.
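To make the security point concrete, here is an added, constructed simulation of the decision logic described above; it is example code, not the firmware of the AC-1 modules or any TAC product, and the card types, site code, card numbers and authorization table are all placeholders invented for the illustration. It shows why a site-code-only fallback weakens validation (an unknown legacy card with the right site code is admitted while offline) and why the only FIPS-compatible behaviour for a PIV card is to fail closed.

```python
"""Constructed model of an access module's "degrade mode" decision.

Assumptions (not from the original document): a card is either a legacy
site-code card or a PIV card; the module holds a full authorization table
while it can reach the NetController, and only the site code when it cannot.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder values for the illustration.
LEGACY_SITE_CODE = 123


@dataclass(frozen=True)
class Card:
    card_type: str               # "legacy" or "piv" (constructed labels)
    site_code: Optional[int]     # legacy cards carry a site code; PIV cards do not here
    card_number: int


# Constructed authorization table: the "full" credential data the module has
# while communication to the NetController is up.
AUTHORIZED = {
    ("legacy", 123, 1001),
    ("piv", None, 500001),
}


def validate_online(card: Card) -> bool:
    """Full validation: the whole credential must match a downloaded record."""
    return (card.card_type, card.site_code, card.card_number) in AUTHORIZED


def validate_offline(card: Card, degrade_mode_enabled: bool = True) -> bool:
    """Validation with communication lost.

    Legacy cards may fall back to the weaker site-code-only check (degrade
    mode) if it is configured.  PIV cards are never admitted on reduced
    information: the FIPS 201 requirement is to fail closed.
    """
    if card.card_type == "piv":
        return False
    if not degrade_mode_enabled:
        return False
    # Degrade mode: only the site code is checked; the card number is ignored.
    return card.site_code == LEGACY_SITE_CODE


def decide(card: Card, comm_to_netcontroller_up: bool,
           degrade_mode_enabled: bool = True) -> bool:
    """Return True to unlock, False to deny, for the given link state."""
    if comm_to_netcontroller_up:
        return validate_online(card)
    return validate_offline(card, degrade_mode_enabled)


def weakened_by_degrade_mode(card: Card) -> bool:
    """True when a card denied online would be admitted offline, i.e. the
    reduced-information check admits something the full check rejects."""
    return (not decide(card, True)) and decide(card, False)


if __name__ == "__main__":
    unknown_legacy = Card("legacy", LEGACY_SITE_CODE, 9999)   # not in the table
    piv = Card("piv", None, 500001)                           # in the table
    print("unknown legacy card admitted offline:", weakened_by_degrade_mode(unknown_legacy))
    print("authorized PIV card admitted offline:", decide(piv, False))
```

Running the block prints that the unknown legacy card is admitted offline (the weakening the answer refers to) and that the authorized PIV card is denied offline, which is the fail-closed behaviour required for FIPS-PIV cards.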

21. Is the High Encryption (H) option required to be FIPS 201 compliant?

Encryption is not specified by the FIPS 201 standard; however, it may be requested by a particular customer site. FIPS 140 (which is a common requirement at FIPS sites) does require the High Encryption (H) option for compliance.

Note: The High Encryption (H) option is automatically included when the FIPS option is enabled.

22. Do I have to use the ImageWare Systems IDMS/PIV middleware with the Andover Continuum FIPS 201 solution?

TAC has selected ImageWare Systems IDMS as its preferred PIV middleware solution; however, it is not required for use with the Andover Continuum FIPS 201 solution. CyberStation's Personnel Import Utility (PIU) can import data using XML or LDAP from other systems that support these formats.

To ease integration with ImageWare Systems, TAC has tested and included a standard XSLT transformation script that integrates with the PIV middleware from ImageWare Systems.

23. Do I have to add the Data Exchange (-D) option to my workstation if I am not using the ImageWare Systems IDMS/PIV middleware?

Yes, the Data Exchange (-D) option is required to enable the Personnel Import Utility application to import personnel information from any IDMS system. It is the only way to ensure tamper-proof import of personnel data from an IDMS as required by FIPS 201. However, the Data Exchange (-D) option is not required on all workstations; it is only required on the workstation(s) that import personnel data into Continuum from the IDMS.

24. Does TAC offer Andover Continuum compatible, FIPS 201 compliant Card/Credential Readers?

Yes, the TAC Field Devices Division offers a range of FIPS 201 compliant products, including readers from HID and Bioscrypt.