PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS: FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 201 APPROVED BY THE SECRETARY OF COMMERCE
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
A new Federal Information Processing Standard (FIPS) for a governmentwide personal identity verification (PIV) system was approved by Carlos M. Gutierrez, the U.S. Secretary of Commerce, on February 25, 2005. The system is based on the use of smart cards, which will be issued by all federal government departments and agencies to their employees and contractors who require access to federal facilities and information systems.
Homeland Security Presidential Directive (HSPD) 12, issued by President Bush on August 27, 2004, cited the wide variations in the quality and security of the forms of identification used to gain access to federal and other facilities, and called for the development of a mandatory standard for secure and reliable forms of identification to be used throughout the federal government. The directive stated the government’s requirements for a common governmentwide identification system that would enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) developed the standard, working in conjunction with private industry and with other federal agencies, including the Office of Management and Budget (OMB), the Office of Science and Technology Policy, and the Departments of Defense, State, Justice, and Homeland Security.
HSPD 12 stated that the secure and reliable forms of identification should be:
· Based on sound criteria for verifying an individual’s identity;
· Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
· Rapidly authenticated electronically; and
· Issued only by providers whose reliability has been established by an official accreditation process.
NIST, the Department of Commerce (DoC), and the Office of Management and Budget (OMB) held public meetings in October and November 2004 to discuss the technical and policy issues related to developing the needed standard. NIST drafted the FIPS and announced it in the Federal Register for public review and comment in November. NIST also issued drafts of two supporting technical documents in December. Another public meeting was held in January 2005 to address privacy and security issues that might affect individuals to whom PIV cards are issued. The comments received in the open forums and from more than 80 organizations and individuals during the formal review process were carefully considered and helped to shape the final standard. In addition, the Federal Identity Credentialing Committee and the Smart Card Interagency Advisory Board made many valuable contributions to the technical framework of the standard.
The standard does not apply to identification systems for national security systems and facilities.
FIPS 201 specifies the technical and operational requirements for interoperable PIV systems that issue smart cards as identification credentials and that use the cards to authenticate an individual’s identity. Authentication of an individual’s identity is an essential component of secure access control to facilities and to information systems. In the past, hand-held credentials such as driver’s licenses and badges have been used to control access to facilities, and passwords have been widely employed for access to information systems. More recently, cryptographic and biometric technologies have been employed to replace the older methods.
FIPS 201 has been issued in two parts to allow for a smooth migration to a secure, reliable personal identification process. The first part of FIPS 201 (PIV I) describes the minimum requirements needed to meet the control and security objectives of HSPD 12, including the process to prove an individual’s identity. Agencies may issue credentials only to applicants whose identity has been established and who have had a background investigation. Agencies must inspect at least two identity source documents submitted by an applicant for the PIV credential. At least one of the documents presented by the applicant must be a valid state- or federal government-issued picture identification (ID). Applicants for credentials must be examined through an Office of Personnel Management (OPM) background investigation process, the National Agency Check with Written Inquiries (NACI), to establish assurance of identity. While the National Agency Check has been a requirement for federal government employees since the 1950s, it may be a new requirement for some contractors. The initial phase of the NACI must be completed before the new ID card is issued. When the written inquiries part of the NACI is completed, the agency reviews the results and takes appropriate action if negative results are received. These are current practices for most agencies.
The PIV Card
HSPD 12 stated that the standard should include graduated criteria, from least secure to most secure, to give agencies flexibility in selecting the appropriate level of security for each application. Agencies will continue to have full flexibility in determining who is allowed to have access to their systems and facilities.
The PIV card is the primary component of the system. The size of a credit card, the PIV card will use cryptographic and biometric technologies to support the required graduated levels of security for agency applications. Cards will contain a Personal Identification Number (PIN); this is the data used to authenticate the cardholder to the card, as a PIN is used with an ATM card. The PIN never leaves the card, and it cannot be read from the card. The card will also have a Cardholder Unique Identifier (CHUID), which identifies the individual within the PIV system. There will also be two electronic fingerprints, which will be securely stored and protected on integrated circuit chips. Public Key Infrastructure (PKI)-based cryptography will be used to protect the integrity of information that will be stored on the card.
No other personal information, such as Social Security number, address, or telephone number, is required by FIPS 201 to be stored on the card. The release of biometric information required to be stored on the card by FIPS 201 and use of the private key takes place only after the cardholder provides the correct PIN. Only the CHUID will be available through a wireless interface.
Fingerprints were chosen as the biometric information to be stored on the cards because fingerprints are the least invasive and most cost-effective, reliable, repeatable, and accurate means of verification available using public available technology. Two fingerprints will be stored on the cards. An electronic facial image is not required, but may be used. A printed photograph of the cardholder is required to be printed on the card for visual inspection and verification. Also the cardholder’s name and the expiration date of the card will be printed on the card. Agencies may include other optional information such as their agency seals and the issue date of the card if they wish to do so.
The second part (PIV II) of FIPS 201 explains the many components and processes that will support a smart-card-based platform, including the PIV card and card and biometric readers. The specifications for PIV components support interoperability between components in systems and among the different department and agency systems. An operational system contains three subsystems:
· PIV Front-End Subsystem – PIV card, card and biometric readers, and personal identification (PIN) input device.
· PIV Card Issuance and Management Subsystem – components responsible for identity proofing and registration, card and key issuance and management, and repositories and services such as the public key infrastructure (PKI directory).
· Access Control Subsystem – physical and logical access control systems, the protected resources, and the authorization data.
PIV II also describes a means to collect, store, and maintain information and documentation needed to authenticate and assure an individual’s identity.
By June 27, 2005, agencies must establish a program to ensure that the identification forms issued by their organizations meets the PIV standard. By August 27, 2005, they are required to identify any additional applications, beyond the scope of the standard, for which the standard should be used, and report them to the Assistant to the President for Homeland Security and to OMB.
By October 27, 2005, agencies must have procedures in place for verifying employees’ identities and for issuing smart cards that meet the requirements of PIV I. To operate and maintain PIV systems, agencies will have to obtain the services of an accredited PIV card issuer, and adopt procedures for PIV card applicants to provide acceptable identity source documents. Agencies also will need to acquire services for capturing biometric information, as well as PIV card readers and PKI services.
With the October 27th implementation of PIV I by all federal agencies, there will be a basis for trust among agencies and for the mutual recognition of their employee and contractor credentials. PIV II, which will take longer to implement because of the many electronic credential systems now in place, focuses on the common technical interoperability requirements of HSPD 12. When this part is implemented, a card from one agency will be electronically recognized by any other agency so that a decision about granting access to the cardholder can be made.
NIST is developing three key companion documents that will support the implementation of FIPS 201 by vendors and users. The first publication, Interfaces for Personal Identity Verification, to be issued as NIST Special Publication 800-73, will specify interface requirements for retrieving and using data from the PIV card. SP 800-73 provides the PIV data elements, identifiers, structure, and format, and describes the Application Programming Interface (API) and the card interface requirements that will enable PIV identity credentials to be used interchangeably throughout federal agencies. SP 800-73 includes two specifications to help agencies make the transition to conformance with FIPS 201: a transitional card specification that is derived from the Government Smart Card Interoperability Specification and that agencies already invested in smart card implementations might want to consider using; and a FIPS 201 PIV II card specification for agencies choosing to move directly to the PIV II target architecture.
The second publication, Biometric Data Specification for Personal Identity Verification, by Charles Wilson, Patrick Grother, and Ramaswamy Chandramouli, will be issued as NIST Special Publication 800-76 and will specify technical acquisition and formatting requirements for the biometric credentials of the PIV system. Designed to ease agency implementation of FIPS 201 by facilitating interoperability and ensuring performance of PIV systems, the specification selects options from published biometric standards. It includes specifications for the fingerprints used in the PIV systems, facial image optional specifications, the format for all PIV biometric data representation, and the requirements for biometric devices.
The third publication, Cryptographic Algorithms and Key Sizes, will be issued as NIST Special Publication 800-78 and will specify cryptographic algorithms and key sizes that will be authorized for use in PIV systems in current and future time frames.
Draft versions of NIST Special Publications 800-73 and 800-76 have been made available for public review and comment. See the “For More Information” section below for details about accessing these two draft documents.
Insofar as its resources permit, NIST also plans to investigate other technical issues that will help support the use of the standard. Some of these requirements include: reference implementations and conformance tests to enable testing of implementations for conformance with the standard; measures to protect privacy of users of PIV systems; ways to authenticate identity source documents; and methods to incorporate data needed by different agencies while assuring appropriate levels of security and providing for interoperability among federal PIV systems.
OMB is responsible for overseeing agency implementation of HSPD 12 and will develop implementation guidance for federal agencies, including privacy and implementation guidelines to federal agencies. OMB will determine the timeline for agencies to comply with the second part of the standard.
The General Services Administration (GSA) is responsible for assisting agencies in procuring and operating PIV subsystems such as card and biometric readers. OPM is responsible for assisting agencies in authenticating and vetting applicants for the PIV card.
Privacy is an issue of special concern and a basic obligation established by the presidential directive. The standard requires federal department and agencies to ensure the privacy of applicants for identity credentials. Some of the requirements include:
FIPS 201 does not require that the federal government establish a central database to track movement of employees and contractors or the systems that they access. Personally identifiable information stored on the card is minimal, and the information stored on the PIV card, such as electronic fingerprints, will be protected since the cardholder must enter a PIN to release the information.
The technology on the card does not allow for tracking movement of contractors and employees while moving throughout a building. Because the information on the PIV card may be read by a wireless device, there has been some concern that data can be inadvertently or maliciously captured. To alleviate this concern, employees will be required to keep the card in an electronically opaque sleeve when not in use to minimize the risk of unauthorized reading of data from the card without the consent of the cardholder.
FIPS 201 is available on the NIST website http://csrc.nist.gov/publications/fips/index.html.
Draft NIST Special Publications 800-73 and 800-76 are available on the NIST website http://csrc.nist.gov/publications/nistpubs/index.html.
The NIST website http://csrc.nist.gov/piv-project/index.html provides links to other information about the PIV project, including workshops held in 2004 and 2005, and HSPD 12. Also available on the web pages are answers to frequently asked questions about the PIV standard and contact information. The comments received by NIST concerning the draft FIPS 201 are also available.
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.