The directive
is available at www.whitehouse.gov/news/releases/2004/08/20040827-8.html.
Why
is NIST involved?
The directive calls for the Secretary of Commerce to promulgate
the federal standard by the end of February 2005. The Commerce Department’s
National Institute of Standards and Technology (NIST), in conjunction
with other organizations, will develop the standard as a Federal
Information Processing Standard (FIPS) tentatively titled “Personal
Identity Verification (PIV).”
Since 1972,
NIST has been developing standards and guidelines for federal computer
systems. NIST develops FIPS when there are compelling federal government
requirements, such as for security and interoperability, for which
there are no acceptable industry standards or solutions.
The NIST staff has extensive experience in developing technical
standards and guidelines to improve information systems security
and personal identification and verification systems for federal
applications. For more information on NIST and biometrics, see www.nist.gov/
public_affairs/factsheet/biometrics.htm.
What
will the standard include?
The presidential directive restricts the scope of the federal standard
to secure and reliable forms of identification for federal government
employees and employees of contractors requesting access to federal
facilities and information systems.
NIST anticipates
that the standard will establish the operational requirements and
the technical framework, architecture, and specifications for an
automated system that will provide secure and reliable forms of
identification. The specifications likely will include an integrated-circuit
identification card that contains biometric characteristics, such
as fingerprints or facial images, which can verify an individual’s
identity. Criteria will be graduated, from least secure to most
secure, to ensure flexibility in selecting the appropriate level
of security for each application.
Will
NIST work with the public and private sectors to develop the standard?
Yes. NIST plans to coordinate the development of the standard with
other government agencies and the private sector. A public workshop
was held on Oct. 7, 2004, to discuss technical methods of verifying
the identity of federal employees. The draft standard is expected
to be available for public review in November 2004.
What
is the timeline for developing this standard?
The presidential directive specifies that the standard will be promulgated
within six months from Aug. 27, 2004. A set of milestones is being
established to meet this schedule.
Is
six months enough time for NIST to develop this standard?
The initial standard will be promulgated in February 2005. NIST
anticipates that the initial standard will be augmented over the
course of two to three years as additional supporting technical
guidelines, recommendations, reference implementations, and conformance
tests are developed. Complex standards of this nature often take
many years to develop, coordinate, disseminate, and promulgate.
Such standards require a broad-based technical program with experienced
project management to provide the auxiliary technical support standards,
user guidelines, testing tools, accreditation procedures, and operations
support.
Does
NIST have funding to do this work?
NIST will require additional funding for this work and is seeking
to identify financial support from other federal agencies to support
this effort.
Once
the standard is developed, how long will it take for these standard
PIV systems to be available?
Several federal programs already use electronic circuit systems,
such as smart cards, for federal personal identification, authorization,
and access control. Wherever possible, NIST will use already existing
technology, experience, and component implementations for this project.
NIST also will work closely with implementers and vendors of components
similar to those required by the anticipated standard so they can
expedite planning and development of products and services that
conform to the standard. Under the presidential directive, federal
agencies must have identification programs in place soon after the
FIPS is issued.
As
part of the FIPS, will NIST establish a process to accredit PIV
system providers?
The presidential directive specifies that accreditation will be
a part of the overall PIV operational program. NIST has gained valuable
experience in accrediting testing laboratories for standards components
in many areas, including FIPS programs for information technology
computer security. This experience will be used to develop, test,
and field a similar accreditation program for the PIV FIPS.
Who
will accredit the PIV component and system providers?
If desired by suppliers and users, NIST typically develops and provides
reference implementations and conformance tests for its standards.
NIST also accredits public and private laboratories to test the
conformance of products to standards.