Frequently
Asked Questions About the Standard for Personal Identity
Verification (PIV) of Federal Employees and Contractors
WASHINGTON, D.C.—U.S.
Commerce Secretary Carlos M. Gutierrez today announced
he has approved a
new standard for a smart-card-based form of identification
for all federal government departments and agencies to issue
to their employees and contractors requiring access to federal
facilities and systems.
"Protecting federal facilities, systems and the employees
who have access to them is of vital importance to this Administration,”
said Gutierrez. “This new standard will enable federal
agencies to issue more secure and reliable forms of identification
to better protect federal assets against threats such as terrorist
attacks. It also will help safeguard against other risks such
as identity theft,” said Gutierrez.
On
Aug. 27, 2004, President Bush issued a Homeland Security
Presidential
Directive calling for a mandatory, government-wide
personal identification standard. The directive specified
that the secure and reliable forms of identification should
be based on sound criteria for verifying the cardholder’s
identity; be strongly resistant to identity fraud, tampering,
counterfeiting and terrorist exploitation; use electronic
methods of rapid authentication; and be issued only by
providers
whose reliability has been established by an official accreditation
process. (The presidential directive is available at http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html.)
Computer
security specialists at the Commerce Department’s
National Institute of Standards and Technology (NIST) worked
closely with other federal agencies—including the Office
of Management and Budget (OMB), the Office of Science and
Technology Policy, and the Departments of Defense, State,
Justice and Homeland Security—as well as private industry
to develop Federal
Information Processing Standard (FIPS) 201, Personal Identity
Verification (PIV) of Federal Employees and Contractors.
As a result of public meetings, briefings by NIST and OMB
and the public availability of the draft FIPS as announced
previously in the Federal Register, NIST received
comments from more than 80 organizations and individuals.
These comments were carefully considered and led to many changes
in the final standard. (Comments are available at http://csrc.nist.gov/piv-project/FIPS201-Public-Comments.html.)
The
standard specifies the technical and operational requirements
for the PIV
system and card. The first part of the standard
describes the minimum requirements needed to meet the control
and security objectives of the Presidential directive,
including
the process to prove an individual’s identity. By October
2005, agencies must meet the requirements of the first part
of the standard.
The
second section explains the many components and processes
that will support
a smart-card-based platform, including the
PIV card and card and biometric readers. It also describes
a means to collect, store and maintain information and
documentation
needed to authenticate and assure an individual’s identity.
OMB will determine the timeline for agencies to comply with
the second part of the standard.
The standard provides graduated levels of security to give
agencies flexibility in selecting the appropriate level of
security for each application. Agencies will continue to have
full flexibility in determining who is allowed to have access
to their systems and facilities.
The PIV
card is the primary component of the system. About the size
of a credit card, the PIV card will contain integrated circuit
chips for storing electronic information, a personal identification
number and biometric data—a printed photograph and two
electronically stored fingerprints. The standard includes
requirements to protect the privacy of PIV cardholders. OMB
will provide privacy and implementation guidelines to federal
agencies.
NIST
also is working to develop two key companion documents to
FIPS 201. Interfaces for Personal Identity Verification
(NIST Special Publication 800-73) will specify interface requirements
for retrieving and using data from the PIV card. Biometric
Data Specification for Personal Identity Verification
(NIST Special Publication 800-76) will specify technical acquisition
and formatting requirements for the biometric credentials
of the PIV system.
A copy
of FIPS 201 and other information are available at: http://csrc.nist.gov/piv-project/index.html.
Since 1972, NIST has been developing technical standards
and guidelines for federal computer systems. NIST typically
develops FIPS when there are compelling federal government
requirements, such as for security and interoperability, for
which there are no acceptable industry standards or solutions.
In doing so, NIST is carrying out its responsibilities under
the Federal Information Security Management Act of 2002.
As a
non-regulatory agency of the U.S. Department of Commerce’s
Technology Administration, NIST develops and promotes measurement,
standards and technology to enhance productivity, facilitate
trade and improve the quality of life.
-30-
Go
back to NIST News Page
|