atsec information security, an accredited laboratory for the GSA FIPS 201 Evaluation Program (GSA EP) which runs a product approval program for PIV-related products destined for the U.S. Government market, is proud to announce the successful GSA FIPS 201 evaluation of two Codebench products:
• PIVCheck Desktop Edition
• PIVCheck Mobile Edition
As a result of its evaluation, atsec, acting on behalf of the GSA EP, which ultimately grants the approval, has determined that the Codebench products above meet FIPS 201 requirements. These products are now listed on the FIPS 201 Evaluation Program Approved Product List (APL). The APL only lists those products and services that are in compliance with the current version of the Standard and its supporting NIST Special Publication 800-116, which provides recommendations for the Use of PIV Credentials in Physical Access Control Systems (PACS).
Codebench is the first company with solutions evaluated for the GSA product category “CAK Authentication System,” as well as “Caching Status Proxy,” “PIV Authentication System,” and “CHUID Authentication System.”
CAK authentication is a reader-to-card challenge/response protocol that ensures that the PIV credential is genuine and is not a forgery or clone, while CHUID authentication involves verifying that the credential’s CHUID, or cardholder unique identifier, has not been altered. Both CAK and CHUID authentication can be performed over the card’s contactless interface and do not require a PIN. Contactless verification of PIV credentials will likely become a requirement for both High and Very High Assurance access control readers.
“PIVCheck products help to verify that credentials are valid at the time of registration into the PACS,” said Geri Castaldo, chief executive officer of Codebench. “This ensures that card and identity issues are resolved before the card is used as an access control token.”
The product entries are included on the GSA FIPS 201 Evaluation Program Approved Product List at fips201ep.cio.gov/apl.php as:
PIVCheck Mobile Edition
Category: CHUID Authentication System
Part #: PVC-D/S
SW version: 1.2
(APL item # 485)
The CHUID Authentication System product category provides the capability to access and determine authenticity of the CHUID stored on a PIV Card and makes an authorization decision based on the CHUID elements stored on the PIV Card.
PIVCheck Desktop Edition
Category: CAK Authentication System
Part #: PVC-M/S
SW version: 1.2
(APL item # 486)
The CAK Authentication System product category provides the ability to perform an asymmetric cryptographic challenge/response with the optional Card Authentication Key (CAK) stored on the PIV Card and makes an authorization decision based on the FASC-N data element stored on the PIV Card.
FIPS 201 (with its supporting documents) is the mandatory standard that addresses the Homeland Security Presidential Directive 12 mandate (HSPD-12). HSPD-12 mandates a government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.
Codebench (pivcheck.com) is a software development firm focused exclusively on physical security applications. A leading developer of software integration solutions, Codebench’s PIVCheck software suite was named Best Integrated System for HSPD-12/FIPS 201 Compliance by Government Security News. A certified Women’s Business Enterprise located in Coconut Creek, Fla., Codebench serves the government, Fortune 500 and academic markets. For more information, visit the website or call 561-883-3218.
About atsec information security
atsec information security (atsec.com) is an independent, standards-based information technology security services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich, Germany in 2000 and has extensive international operations with offices in the U.S., Germany, Sweden, and China.
atsec offers secure code review and independent hardware security testing for semiconductors. atsec also offers evaluation and testing services leading to formal certification for IT security, including evaluation under Common Criteria schemes in the U.S., Germany, and Sweden, and cryptographic module and algorithm testing under the Cryptographic Module Validation Program of the National Institute of Standards and Technology (NIST) in the U.S. and Communications Security Establishment Canada (CSEC) in Canada.
atsec works with such leading global companies as IBM, Apple, Microsoft, Hewlett-Packard, Oracle, Cray, BMW, SGI, Vodafone, RWE, and Red Hat.