Something is rotten in the state of Colorado. Either that, or Colorado is making a bold bet on FIPS 201 despite the political cost.
It seems that HID, a company with product hanging on about 80 or 90% of all the doors in Colorado state buildings, has been stuck on the back burner. Colorado has approved a first responder credentialing RFP calling for a new type of identity and access card – one that will not work with proprietary HID readers.
This is curious, because the RFP has obvious implications for doors and not just first responders. Surely, many of the first responders will be state employees and others with state issued access cards – cards already produced by HID. So selecting any card other than HID for the first responders will beg the question of identity and access cards everywhere in the state.
So here’s the story, as I understand it from a few sources close to the state capital. Colorado announced an RFP to provide cards for its COFRAC v.3 standard (Colorado first responder authentication credentials), a standard for first responder identity credentialing. The RFP is on a fast-track, ostensibly to establish the standard in advance of the Democratic National Convention to be held in Denver in August. This acceleration means that the standard was pushed through without public meetings. The state’s Identity Management Director, Micheline Casey, held a number of 2-hour meetings and reportedly short-changed the normal public comment period by posting the document in the state’s procurement system back in December.
HID was left out of most of these discussions, but CoreStreet wasn’t. CoreStreet is the vendor that has been helping to rewrite the rules of credentialing for the last few years. One of the first credential solution providers to be fully FIPS 201 compliant, the CoreStreet system is optimized for first responders. But it also limits interoperability for legacy physical access control systems with any existing cards or readers by the use of the FIPS 201 specification (while its mobile solution does address some legacy issues). A migration plan will have to be put in place that takes this into account.
Clearly, first responder credentialing needs the functionality described in the RFP such as the ability "to electronically validate the identity and the attributes (qualifications, certifications, authorizations, and privileges) of those who are required – or volunteer – to respond to natural or man-made disasters or acts of terror." After all, you don’t want just anybody showing up at a disaster scene. Imagine false paramedics, or worse, terrorists dressed as paramedics.
Does this signal the limit of HID’s technology – marking it as not ready for the future, or simply limited to doors? Does this mean that FIPS 201 moves out of the DC area faster than expected? Or did CoreStreet’s lobby beat HID’s lobby fair and square?