Fact Sheets from NIST
Personal Identity Verification Standard for
Federal Employees and Contractors

On Aug. 27, 2004, the President issued a Homeland Security Presidential Directive calling for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and to the employees of federal contractors.

According to the directive, “secure and reliable forms of identification” means identification that:

  • is based on sound criteria for verifying an individual employee’s identity;
  • is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
  • uses electronic methods of rapid authentication; and
  • is issued only by providers whose reliability has been established by an official accreditation process.

The directive is available at www.whitehouse.gov/news/releases/2004/08/20040827-8.html.

Why is NIST involved?
The directive calls for the Secretary of Commerce to promulgate the federal standard by the end of February 2005. The Commerce Department’s National Institute of Standards and Technology (NIST), in conjunction with other organizations, will develop the standard as a Federal Information Processing Standard (FIPS) tentatively titled “Personal Identity Verification (PIV).”

Since 1972, NIST has been developing standards and guidelines for federal computer systems. NIST develops FIPS when there are compelling federal government requirements, such as for security and interoperability, for which there are no acceptable industry standards or solutions.
The NIST staff has extensive experience in developing technical standards and guidelines to improve information systems security and personal identification and verification systems for federal applications. For more information on NIST and biometrics, see www.nist.gov/ public_affairs/factsheet/biometrics.htm.

What will the standard include?
The presidential directive restricts the scope of the federal standard to secure and reliable forms of identification for federal government employees and employees of contractors requesting access to federal facilities and information systems.

NIST anticipates that the standard will establish the operational requirements and the technical framework, architecture, and specifications for an automated system that will provide secure and reliable forms of identification. The specifications likely will include an integrated-circuit identification card that contains biometric characteristics, such as fingerprints or facial images, which can verify an individual’s identity. Criteria will be graduated, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application.

Will NIST work with the public and private sectors to develop the standard?
Yes. NIST plans to coordinate the development of the standard with other government agencies and the private sector. A public workshop was held on Oct. 7, 2004, to discuss technical methods of verifying the identity of federal employees. The draft standard is expected to be available for public review in November 2004.

What is the timeline for developing this standard?
The presidential directive specifies that the standard will be promulgated within six months from Aug. 27, 2004. A set of milestones is being established to meet this schedule.

Is six months enough time for NIST to develop this standard?
The initial standard will be promulgated in February 2005. NIST anticipates that the initial standard will be augmented over the course of two to three years as additional supporting technical guidelines, recommendations, reference implementations, and conformance tests are developed. Complex standards of this nature often take many years to develop, coordinate, disseminate, and promulgate. Such standards require a broad-based technical program with experienced project management to provide the auxiliary technical support standards, user guidelines, testing tools, accreditation procedures, and operations support.

Does NIST have funding to do this work?
NIST will require additional funding for this work and is seeking to identify financial support from other federal agencies to support this effort.

Once the standard is developed, how long will it take for these standard PIV systems to be available?
Several federal programs already use electronic circuit systems, such as smart cards, for federal personal identification, authorization, and access control. Wherever possible, NIST will use already existing technology, experience, and component implementations for this project. NIST also will work closely with implementers and vendors of components similar to those required by the anticipated standard so they can expedite planning and development of products and services that conform to the standard. Under the presidential directive, federal agencies must have identification programs in place soon after the FIPS is issued.

As part of the FIPS, will NIST establish a process to accredit PIV system providers?
The presidential directive specifies that accreditation will be a part of the overall PIV operational program. NIST has gained valuable experience in accrediting testing laboratories for standards components in many areas, including FIPS programs for information technology computer security. This experience will be used to develop, test, and field a similar accreditation program for the PIV FIPS.

Who will accredit the PIV component and system providers?
If desired by suppliers and users, NIST typically develops and provides reference implementations and conformance tests for its standards. NIST also accredits public and private laboratories to test the conformance of products to standards.

 

Created: 10/06/04
Last update: 10/06/04
Contact: inquiries@nist.gov

Return to Fact Sheet page