One card that works across the government as an ID and for access is a step closer to reality. In accordance with Homeland Security Presidential Directive (HSPD) 12, the National Institute of Standards and Technology (NIST) has released a standard specifying the architecture and technical requirements for a common identification standard for federal employees and contractors, such as a smart card with embedded biometric data.
The first part of the standard gives minimum requirements for a personal identity verification (PIV) system that meets the control and security objectives of HSPD 12, while the second part provides the technical requirements, such as card elements and system interfaces, to support the control and security objectives as well as to maintain interoperability.
PIV-I mandates, for example, that a detailed background investigation be completed before ID credentials are issued. It also requires that the applicant appear in person at least once during the process and that he or she present two forms of identification in original form.
To address privacy concerns, departments and agencies need to assign a senior official to manage privacy-related matters, publish a detailed list of what information will be collected and how it will be used, and ensure that any technologies used in the PIV system allow for regular auditing of compliance with stated policies.
PIV-II divides the functional parts of a PIV system into three subsystems: front-end components such as cards and biometric readers; card issuance and management components; and access control devices. For example, the cards will have both contact and contactless interfaces, will not be embossed, and will be subject to rigorous tests to ensure that they continue to work after getting wet and don’t crack after prolonged exposure to sunlight. They will contain biometric data in the form of two electronic fingerprints (additional biometrics may be added).
The PIV standards are getting high marks from industry groups, in part because NIST has met with industry representatives about the standards on numerous occasions since last year, says Randy Vanderhoof, executive director of the Smart Card Alliance. But some concerns exist nonetheless.
Both Vanderhoof and Jennifer Kerber, director of homeland security for the Information Technology Association of America (ITAA), say that one concern is that it is not yet clear how these new standards will mesh with existing standards, such as the Government Smart Card-Interoperability Specification (GSC-IS), and with smartcard systems that are already in place. What is needed, they say, is a clear migration path that will lead from what agencies and contractors have in place now to what will be required by this new standard.
“Industry recognizes that changes are needed to their products to comply with these standards,” Vanderhoof says.
But if existing standards are completely abolished in favor of new ones, there could be a delay in implementing secure credentials past the October deadline when federal agencies must be able to issue compliant ID cards, says Kerber. NIST is addressing these concerns in publications forthcoming at press time that focus on the technical details of the smart chips in the cards, biometrics standards, and cryptography issues.
Agencies need to be compliant with PIV-I by late summer. Then, the Office of Management and Budget (OMB) will get involved by issuing guidance regarding the development of transition plans to PIV-II.
The Federal Information Processing Standard 201, Personal Identity Verification of Federal Employees and Contractors, is available below.nist_tech0505.pdf