What is GOVPASS?
GOVPASS is the name given to the new UK government standard for card encryption on a physical access control card. Many government departments have already committed to moving to GOVPASS, and more are expected to follow soon.
Due to extensive experience working with central governments across Europe, including projects for the European Parliament, Nedap was invited to test and certify the first version of GOVPASS. As a result, AEOS became the first GOVPASS-certified access control system. And our card readers are among the first to be certified for use with this new standard.
High security access control standard for the UK government
Currently the government estate uses a variety of access control technologies and systems, with no single standardised access card format for its many departments and sites. This creates a series of challenges around card management, support systems, and end-of-life issues. Creating GOVPASS has enabled standardised access control that provides high security and can be used by any government agency. The government recognised that this would allow greater control over security and the opportunity could benefit from economies of scale as the cards could be centrally produced.
Where GOVPASS cards can be used
While GOVPASS is designed to allow a single card to be used across multiple departments, sites and applications, it doesn’t mean that cardholders have access to every government site. Or that the departments will all use the same access control system. Each UK government department will still manage the authorisations on their GOVPASS cards locally. This means the cards used by each department will only allow access to their specific sites and applications. If someone needs access to another UK-government location, however, their card can be enrolled locally by the relevant department.
An advanced approach to card reading
GOVPASS enables a complex, yet swift, way of reading a credential that isn’t available on any other card. It went through rigorous testing, which ensures a very high level of security. The government can now produce these high-security cards centrally, with a common set of applications and security keys. So every card is made in the same way to the same stringent standards and specifications. The cards are then distributed to government departments where they’re encoded further for use with their individual applications and access control systems.
Essentially, GOVPASS creates a template for government cards, rather than an access-all-areas master card. It offers all the benefits of central production and control with the flexibility and security of local encoding and enrolment.
Hardware and software requirements for GOVPASS
To enable government departments to use GOVPASS, their existing card readers need to be upgraded to GOVPASS-compliant firmware. If this isn’t possible, readers can be replaced with GOVPASS-compliant ones, such as Nedap readers. And if a department installs a new access control system, it’s recommended they choose one that’s certified for use with GOVPASS, such as AEOS.
End-to-end encryption for GOVPASS with AEOS Access Control System
A major benefit of using Nedap’s AEOS for the implementation of GOVPASS, is that AEOS controllers store keys and digital certificates in a SAM (secure access module) on the secure side of the door. It effectively makes our readers transparent, as GOVPASS cards are read and decrypted in the SAM rather than the reader. This end-to-end encryption protects against hackers overriding the access control system and has been certified for use with GOVPASS.
The implementation of GOVPASS will create new access control projects as government departments look to upgrade their systems or readers. Whether you bid, supply or specify for such projects, you have the assurance that the AEOS access control system and readers are GOVPASS approved and ready to go. AEOS fully system is GOVPASS compliant and we have the in-depth knowledge to provide any support you need.
Do you want more information regarding GOVPASS, don’t hesitate to contact our GOVPASS expert Michael Lee at michael.lee@nedap.com
Frequently asked questions
UK sites classified as critical infrastructure, where deep encryption standards are paramount, can deploy the approved physical security. A CPNI-graded automatic access control system has an intrinsic level of protection that is obtained as a result of an assurance process.
At a very basic level, access control is a means of controlling who enters a location and when. The person entering may be an employee, a contractor or a visitor and they may be on foot, driving a vehicle or using another mode of transport. The location they’re entering may be, for example, a site, a building, a room or a cabinet. We tend to call it physical access control to differentiate it from access control that prevents people from entering virtual spaces – for example when logging into a computer network.
If you decide to use an access control system, it’s probably because you want to secure the physical access to your buildings or sites to protect your people, places and possessions. That’s just the start for access control systems though. The right system, used well, can add value in a range of ways. You can use it, and the data it generates, to boost not just security but productivity, creativity and performance.
Today, physical security is about so much more than locks and bolts. Many modern physical access control systems are IP-based, powered by smart software and able to process large quantities of data. This provides more functionality, flexibility, scalability and opportunities for integration. It also means they’re part of your IT network, so it’s essential they’re protected and upgraded – just like your other IT systems.
From our perspective, a centralised access control system is always preferable – whether you have just two locations in the same town or hundreds spread around the world. Centralising your access control brings a range of far-reaching benefits.
For the people using your building, biometrics can give a better experience compared to an access badge. These days, biometrics are used for both identification and verification – sometimes even both at the same time. Being allowed to enter your building just by scanning your hand or face makes access control more convenient than ever.
Mechanical keys are the simplest form of physical access control and the method many smaller organisations use. Even for a small company, however, using mechanical keys has several flaws and limitations – especially as an organisation gets bigger. Below are just some of the problems presented by using keys.