Why does GSA have the responsibility to perform FIPS201 evaluation?

This responsibility has been mandated by OMB in OMB Memorandum M-05-24.

Why isn’t there a category on the FIPS201 Product/Service category list for my product/service?

The list created represents the technical data that has been defined. If a product doesn’t have a category, GSA felt that there wasn’t enough information to support that category. However, this doesn’t mean that agencies cannot purchase that specific product. It means that the agency has to determine how to make that product meet the HSPD-12 goals.

There have been a lot of references to NIST. Can the relationship between GSA and NIST during this process be described? And what if anything from this is a prerequisite for entering the evaluation through GSA?

NIST can be defined as the source in which GSA works from. GSA has been mandated to verify that the laid out requirements have been included in products and services in which the requirements apply. GSA plays a role in ensuring that NIST accomplishes what is required. NIST certification is part of the evaluation process before a product is put on the approved products list. A vendor can start the approval process before the NIST evaluation process is complete. However, prior to final approval, the NIST evaluation must be complete. The categories that require NIST certification include the template matcher, template generator, biometric functionality, the card itself, PIV middleware, and the crypto module.

The download ZIP file from the GSA FIPS 201 Evaluation Product for these products includes a non-disclosure agreement (NDA) with Atlan Laboratories of McLean, VA. Is Atlan the “Lab” that is referenced in the approval procedure documents associated with these products?

Yes, Atlan Laboratories is currently GSA’s FIPS 201 Evaluation Laboratory.

This OMB memorandum includes an attachment with a table that lists products and services applying for approval. Under Item #4 it indicates that there have been no products for which application package has been completed. However, under item #5, it states that 9 products have been approved. Please clarify how a product can be approved without a completed application package.

The number of products for which an application package has been completed (as defined in the OMB Table) defines products/services that have had application packages evaluated by the lab, and have been determined to have submitted all documents (as required by the appropriate approval procedure), but have not yet completed the entire evaluation process .

A reference is made to application fees and non-compliance fees. Can you be more specific regarding the fee structure and remittance of fees?

Starting April 2, 2007, Labs will perform evaluation for Vendors on a cost reimbursable basis. Fees will be determined based on the category. The exact fee value will be negotiated by the Lab and the Vendor prior to commencing evaluation.

Vendors are only allowed one user per "logon" due to "sensitive" and "intellectual" property. Can GSA elaborate on what is meant by "sensitive" and "intellectual property"?

Vendors may have data in which they will not want others to have access to. Examples of this type of data could be a vendor’s evaluation criteria, or GSA’s evaluation of a vendor’s product. For this reason, GSA requires a single logon. Also, it is more convenient for GSA to go through one point of contact in order to streamline information flow.

Does one user "logon" mean on a "per line of business" basis? For example, certain companies have several lines of businesses.

There is flexibility for situations like this. GSA will review the circumstances of these types of situations and let the vendor know if that particular vendor can have more than one "logon".

If a product is certified in one brand of product, but not another (i.e. a finger print sensor algorithm) will it have to be reevaluated and recertified?

No.

Will the participants in the MINEX test receive some sort of letter in which they can pass onto GSA?

Currently the decision is to not issue certificates for the MINEX conformance. Only a test report with a list of algorithms will be given. GSA will require the test report and ask for a record as to what types of tests have been conducted. From the approval standpoint GSA will review the documents that came from NIST. The intent of the testing program is to provide a test report with quantitative estimates of the capabilities of the algorithms. The evaluation of the algorithms is based upon an accuracy threshold. Currently NIST has not established an accuracy threshold for acceptance or rejection of a product. NIST will produce numerical scores, and the test will document those scores.

GSA says they’re going to get a recommendation from NIST. The algorithms that have been submitted for the MINEX were submitted in 2004, obviously algorithms have evolved and upgraded. Will a recertification be required if an algorithm has been updated? It was also mentioned that other information could go into the template for use by the algorithm; this opens it up to the fact that the exact algorithm submitted to MINEX isn’t necessarily the algorithm that has to be implemented per FIPS 201.

NIST will see if the algorithms are consistent. As far as ongoing upgrades, a vendor is allotted one additional submission every 6 months. If a vendor takes advantage of putting additional information on a template and uses that information, it needs to go through recertification. Biometric enrollment devices will undergo a separate certification process conducted by the FBI.

If a supplier is listed by NIST as having a MINEX compliant template generator (feature extractor) or matcher, will GSA perform any further evaluation of the actual software product libraries/SDK or will GSA limit its evaluation to a review of the application package, attestation and non-disclosure agreement for completeness and accuracy?

GSA will evaluate Template Generators and Template Matchers in accordance with applicable Approval Procedure.

If a supplier is listed by NIST as having a MINEX compliant template generator (feature extractor) or matcher, does the supplier still have to submit its product (software libraries) to GSA for approval? Specifically, the procedures shown in FIPS 201 Evaluation Program – Template Generator Approval Procedure, Section 1.2, Page 1 (see below in italics) references submission of the Product, but it is not clear if GSA plans to perform any product tests since NIST has already performed its testing under MINEX. Please clarify.
A Supplier must complete the following steps in order to have the Template Generator (hereafter referred to as the Product) placed on the FIPS 201 Approved List:

1. Determine if the Product fits into one of the defined categories and requires Lab evaluation;
2. Obtain a login credential for the FIPS 201 Evaluation Program (EP) website;
3. Complete an online application form;
4. Register the Product on the EP website;
5. Pay the applicable evaluation fees; and
6. Complete and upload the application package to the Lab.

Once the Product is submitted, the Lab performs the following steps:

1. Perform an evaluation of the Supplier submission;
2. Compile the evaluation report;
3. Communicate the results of the evaluation to the appropriate party;
4. Place the Product on the Approved List; or
5. If necessary, engage in a non-conformance review with the Supplier to discuss shortcomings of the Product and adjudicate any disagreements.

Answer: Supplier will need to apply Template Generators and Template Matcher products as required in applicable Approval Procedure.

The APIs for MINEX and SP800-76 are different. Does a supplier’s Product need to comply with the MINEX API or SP 800-76? In the table in Section 4.1 of the GSA Template Generator Approval Procedure, T-GEN.3 states that “A supplier’s implementation, submitted for certification, shall satisfy the requirements of an API specification found in SP 800-76, Table 10.” However, it appears that GSA is accepting products for the Evaluated Products List that have been listed by NIST as having a MINEX compliant template generator (feature extractor) or matcher with no further testing or evaluation. Please clarify. The differences between these two API specifications are summarized as follows:

1. The MINEX create_template receives separate inputs for raw image, finger quality, finger position, impression type, height, and width. But in SP800-76, the input for the template generator is a [FINGSTD] record, which includes these values as part of its structure.
2. The MINEX match_templates receives two templates. However, in SP800-76, the input for the template matcher is four templates.
3. None of the supplier name, version number, timestamp, or contact point functions are defined in MINEX, but are required for SP800-76.

The GSA FIPS 201 Evaluation Program relies on NIST certification for Template Generators and Template Matchers. Additionally, for Template Generators, the Evaluation Lab checks compliance of the templates to Table 3 of SP 800-76.

How does GSA plan to test single finger sensors to ensure that they conform to Appendix G of the FBI’s Electronic Fingerprint Transmission Specification?

These Appendix G interim image quality specifications for scanners were decommissioned for IAFIS certifications in July 1999; all fingerprint systems submitted for IAFIS certification after July 1999 must meet the Appendix F requirements. GSA shall review certification of fingerprint sensors in accordance to Appendix F of the FBI’s Electronic Fingerprint Transmission Specification.

There are applications where mobile wireless readers are appropriate for authenticating PIV card holders. Does GSA plan to evaluate mobile readers for FIPS 201?

Vendors that believe that their product falls within the product/service categories listed on the GSA’s EP website may submit their product for evaluation. Once submitted, GSA will evaluate the appropriateness of the product for the category it was submitted under.

What is the procedure and time required for submitting contactless PIV card readers for approval and where can we find appropriate contact information? In addition, if a given manufacturer private labels its products under several brands, does each individual brand and company need certification?

The CHUID Reader (contactless) and Transparent Reader Approval procedures apply to contactless Readers depending on which category the Supplier chooses to submit under. If a product is rebranded, such that the name or version of the product is different, each rebrand needs to go through the evaluation process.

The Card Printer Station references the submittal requirement for a test data report and sample cards. Do you have a specific format for the test data report and which test parameters should be reported? Where do should the sample cards be sent?

There is no specific format for the vendor test data report (VTDR). The VTDR must however comprise of all the test cases/scenarios and their results as required as per the approval procedure. The sample cards need to be sent to the Lab identified on the Lab page of the EP Website.

Should the approval mechanism for "CHUID Reader (Contactless)" Approval Procedure, item R-CHU-CL.1 be Vendor Documentation Review? The approval mechanism for similar products (e.g. PIV card and transparent reader) is "Vendor Document Review".

It should state "Vendor Documentation Review". This will be updated in the next version of the document.

What specific information is required in the Vendor Test Data Report for the R-CHU-CL.1 requirement of the "CHUID Reader (Contactless)" Approval Procedure? ISO/IEC 14443 is a multipart specification; ISO 10373-6 calls out 2 specific tests for "PCD" devices (the reader), plus an informative test. Other R-CHU-CL.x requirements call out specific electrical, protocol and initialization / anti-collision requirements. R-CHU-CL.1 is extremely broad and needs clarification. See previous question on correctness of the approval procedure for this requirement.

The Approval Mechanism for R-CHU-CL.1 has been changed to Vendor Documentation Review. In this regard, the Supplier needs to simply provide documentation to show compliance of their product to ISO 14443.

Does a smart card reader that is integrated into the internals of a laptop computer need to be FIPS 201 certified? Does the entire laptop need to be submitted for testing? What if the reader PCB and PC/SC driver have already been independently certified?

If the Reader will be used for logical access under HSPD-12, it needs to be evaluated by the Lab. If the Reader is integrated within the Laptop and cannot be disassembled, the Laptop will have to be submitted for evaluation.

Re the answer to question 353 - please clarify the difference between the FIPS 201 Evaluation Lab process and the SIN 132-62 review process. Are both processes required, or is one process sufficient?

Special Item No. (SIN) 132-62 is established for products and services to implement the requirements of HSPD-12, FIPS-201 and associated NIST special publications. Qualification Requirements are established for the following HSPD-12 system components and categories on SIN 132-62: (a) PIV Enrollment and Registration Services and Products, (b) PIV Systems Infrastructure Services and Products, (c) PIV Card Management and Production Services and Products, (d) PIV Card Activation and Finalization Services and Products, and (e) PIV System Integration Services and Products. Based on the SIN 132-62 category that the Supplier is applying under, either one or both of the processes are necessary. For example, a Supplier providing PIV System Integration Services and Products does not need to go through the FIPS 201 Evaluation Program since there are no requirements that needs to be evaluated by the Lab under this category. Same situation applies for PIV Enrollment and Registration Services and Products as well.

Where can we get the 2 sample cards required in order to test a transparent reader.

The Lab Specifications and the Transparent Reader test procedure identifies the cards used for testing by the Lab. Suppliers are encouraged to procure these cards directly from the manufacturer so as to perform in-house testing prior to submitting their products to the Evaluation Program.

Do I need both PIV and MINEX before FIPS201 certifed?

Depending on the product you are submitting to the Lab, certification from NIST MINEX(in case of template matcher and generators) or NPIVP (PIV Card and PIV Middleware) is necessary. Review the approval procedure that corresponds to the product you seek to submit for Evaluation to determine the pre-requisite certification that is needed.

If we are incorporating another company's product into our own, and the other firm's product is already certified, does our product need to be certified?

If you are selling the product under your own name and part number, and it falls under one of the categories within the FIPS 201 EP category list, the re-evaluation is required.

Which certification is needed for a CAC reader?

Readers are classified based on the functionality of the reader i.e. the CHUID Reader is capable of performing the CHUID use case for card holder authentication. Similarly the Biometric Reader is able to perform the biometric use case according to Section 6 of FIPS 201. Readers are not classified on the type of Identity Credential (e.g. PIV, CAC)

If a module, say a template generator, gets certified and changes are made to that module, does the module remain certified, or does it have to go through the ceertification process a second time?

Template Generators and Matchers are approved by NIST. The GSA FIPS 201 Evaluation Program relies on NIST Certification for these modules. If a change in the module is made, then it needs to be re-certified by NIST prior to submission under the GSA FIPS 201 Evaluation Program.

Given that Table 3 specifies that the on-card format for templates must contain a 2-finger view, and that Table 11 specifies that template generators are to certify with a 1-finger view, certified template generators might not produce compliant on-card template formats even though they are on the FIPS certified list. System integrators, then, can not rely on the assumption that certified template generators will help them produce compliant PIV cards, because those generator may not be able to generate 2-finger view templates. Given this, can a system integrator who has chosen a certified template generator which does not produce 2-finger views, modify the INCITS & CBEFF records directly (to include two views) outside of the template generator API and still claim that they are using FIPS certified modules by virtue of having used a certified (though inadequate) generator to begin with? If not, what, if any, statements can be legitimately made by the system integrator?

This question needs to be directed to the NIST MINEX program that is evaluating template generators.

Facial Image Capture Middleware Approval Procedure Requirement FICM.2 reads: "If more than one image is stored in the record, the most recent image shall appear first and serve as the default provided to applications." This requirement appears out of place considering the others, which all specify requirements on the facial image content and IMAGE file. But Requirement FICM.2 addresses writing and parsing of data records, which will likely occur at locations other than a front-end facial capture station. For example, proper placement of the facial image into a record will often be performed by a central personalization server. Correct parsing of the image will take place at card readers upon entry attempt. What is the proper interpretation of this requirement? Is standard-compliant PIV file formatting expected to be included in this product category? Are tests intended to ascertain compliance of facial image files (eg. .JPG, .JP2) or facial image records as stored on a card?

FICM.2 deals with storing the most recent image in the first record. Since it is the Facial Image Capturing (middleware) that would be updating the INCITS 385 record to place the image in the right location, this requirement is considered to be apt in this approval procedure.

A reference is made in paragraph 3.1 for a site visit to evaluate the product. Does the evaluation lab plan to visit the vendors location for this requirement?

For categories that have Site Visit as an approval mechanism, the Lab will visit the Supplier's facility at a date and time convenient to both. The approval procedures clearly state the requirements that will be evaluated on site.

If my offering is on the SINs, do I need to be on the NIST or GSA approved lists?

If you are offering products, the answer is yes. If you are offering integrated solutions, you must be qualified by GSA and you must commit to delivering only products which have been approved and appear on the Approved product List.

Is it required to purchase FIP compliant items only from vendors on GSA's schedule 70 SIN 132-62?

It is required to only purchase products that are on the GSA FIPS 201 APL. However, the method of purchasing this isn't fixed. If the Vendor has the same product on their GSA Schedule 70 SIN 132-62, then it can be purchased from here, or else it would need to be purchased from the open market.

In the event that a vendor offers a product listed on the Approved Products List, but they are not listed under Schedule 70 SIN132-62, what is the procedure that an agency can use to place a GSA order for this product?

Once the vendor is approved from either GSA SIN 132-62 review process or GSA FIPS 201 Evaluation Lab process, they must submit a procurement package to the FAS Schedules program to be considered for an award offer under SIN 132-62. Once the vendor is on Schedule, then any Federal agency or State may procure the service or product. The APL does not mean the vendor automatically receives a Schedule award. If the product is not in SIN 132-62, then agencies can procure the product through any another Schedule that it is on or they will have to procure via Open Market.

It is believed that there is an issue bringing various biometric sensors together in an integrated environment. How does GSA feel about biometric sensor technology from an integration and interoperability prospective?

After prolonged discussion about the reader category, GSA has decided to categorize this item by the FIPS 201 use cases. The interoperability issue is already addressed by NIST certifications of template management and template generators. There are issues with the biometric middleware being able to work with certain sensors. The biometric middleware is not a category at this time. Currently interoperability is based upon how an agency’s biometric system is set up.

If biometric middleware is not an evaluation category, isn’t an agency in a situation in which they have to pick components from a single vendor?

The mandate is to have data containers which are exchangeable throughout agencies. This isn’t to say that in the future there won’t be funding available for the evaluation of biometric middleware. GSA is aware that there are issues, but at this point it’s not in GSA’s mandate to solve those particular issues.

The website includes a link to e-Auth. Is e-Auth a part of the larger set of HSPD-12 requirements and will that be the primary evaluation mechanism for logical access types of products or will there be a FIPS 201 product category for middleware that provides systems level access in which credentials are passed from a smart card to a software system?

There are approval procedures for card readers, and they do not discriminate on the types of environments in which they work, i.e. physical versus logical access. The category of PIV middleware will be evaluated by NIST, and NIST will comment on that.

It was mentioned that something was coming from 800-76 which hasn’t been included yet. Can GSA elaborate on that?

Items from 800-76 are included in the RTM - there is a template match and template generated category with approval procedures. However, the Requirements Traceability Matrix hasn’t been updated to include this information - that is what was being referred to. Additionally, SP800-85B will be added as well. It is important to note that just because an item is not in the Requirement’s Traceability Matrix does not mean that there are not approval procedures.

What is the process of "committing" to integrating FIPS 201 compliant products. We are a systems integrator and installer of Security equipment.

The qualification procedures for a System Integrator are managed through another program and not the FIPS 201 EP. Please refer to www.idmanagement.gov for details on how to qualify as a Systems Integrator under SIN 132-62.

I'm somewhat new to this, so pardon me if this is off base. But it seems that 800-76 has a subtle contradiction. Section 3.4.3 says pretty clearly that there has to be two "Finger View Records" in the INCITS 378 template. Table 3 lists the number of finger views correctly as 2. But table 11, in the certification section, lists only 1 finger view. Which way does it have to be to get certified?

Table 11 specifies the format required by NIST for certification. Table 3 specifies the format of the INCITS 378 template to be placed on the PIV Card.

Does FIPS 140-2 require 256 bit encryption? or 128 bit encryption is sufficient? We are manufacturer of wireless broadband products.

The FIPS 201 Evaluation Program is not the authorative source for questions regarding FIPS 140-2 validation.