FAQs

Implementation Questions


What documents/programs are currently available to help agencies implement FIPS 201?

  • NIST Special Publication 800-47: Security Guide for Interconnecting Information Technology Systems
  • NIST Special Publication 800-73 specifies PIV card interface characteristics
  • NIST Special Publication 800-76 specifies PIV card biometric characteristics
  • NIST Special Publication 800-78 specifies cryptographic algorithm requirements and characteristics
  • NIST Special Publication 800-79 provides guidance for PIV issuer accreditation
  • NIST Special Publication 800-85 provides conformance tests for validating PIV components as complying with SP 800-73
  • NIST Special Publication 800-87 contains codes for the identification of Federal and federally-assisted organizations, needed in PIV identifiers
  • NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
  • NIST IR 7329: Information Security Guide for Government Executives
  • OMB M-05-24 provides implementation and policy guidance, including deadlines, supplementary to HSPD-12
  • OMB M-06-18 provides updated acquisition guidance to Federal agencies
  • GSA memorandum of August 10, 2005 specifies the procedures for ordering goods and services in compliance with the Presidential Directive
  • Federal Identity Management Handbook
  • Smart Card Handbook


Is there a list of "approved" identity proofing and registration processes?
There is not a list of "approved" identity proofing and registration processes, per se. "Approved" means that the process has met the control objectives, and the head of the agency has approved in writing that the process does meet the objectives. SP 800-79 provides further guidance on the certification and accreditation of PIV card issuing organizations. (See FIPS-201, Section 2)

Is Personal Identity Verification different from access authorization such that having a PIV card or achieving identity verification does not automatically entitle the cardholder to physical or logical access?
Yes. Access control remains the purview of the local facility or IT system security policy.

Will agencies maintain records of access to facilities by individuals?
This is outside the scope of the standard. It can be anticipated that agencies will continue to maintain records, in accordance with the Privacy Act, of access to and unsuccessful attempts to access their facilities and systems as required for their security and audit needs.

Does compliance to FIPS 201 mean that every door in every federal building and every federal computer terminal must have a PIV card reader?
No. Generally, agencies will implement FIPS 201 access controls on facility access points (for example, building entry doors) first. Further deployment within the facility is at the discretion of the agency facility security manager. Logical access controls that authenticate federal employees and contractors based on PIV credentials are recommended for IT systems operating at E-Authentication Level 3 or higher. As agencies develop their plans in accordance with HSPD-12, they should focus on the highest-risk facilities and systems for initial deployment of readers; over time, deployment can expand to lower-risk systems and facilities. (Ref: OMB M-04-04, DOJ Vulnerability Assessment of Federal Facilities Report - June 1995, ISC Security Design Criteria for New Construction and Major Modernizations - December 2004 and Security Standards in Leased Space - Jan 2005.)

Do the PIV Sponsor, Registrar, PIV Card Approver and PIV Issuer have to be different people, or can one person hold multiple roles?
A two-way separation of roles is the absolute minimum that could meet the FIPS 201 test. In practice, however, it would be challenging to define two roles such that each provides a reliable cross-check on all critical actions of the other. Special Publication 800-79 recommends that "the roles of Applicant, Sponsor, Registrar, and PCI [PIV Card Issuer] must be played by different people when issuing a PIV Card." Such a three-way separation among the officials (Sponsor, Registrar and Issuer) is generally sufficient to ensure that the test of FIPS 201 is met, namely, that "a single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential." However, the particular separation of roles required depends on the implementation of the PIV issuance system.

Does Registrar record signing only apply to pen-and-paper records, or does it also apply to electronic enrollment records?
The requirement applies to both paper and electronic storage. The method is left to individual departments and agencies. If cryptographic signature processes are employed, they must conform to the requirements of NIST standards and guidelines.
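As an added illustration of signing an electronic enrollment record (this is example code, not part of the original FAQ or of any NIST publication), the Go program below builds a deterministic encoding of a hypothetical enrollment record, signs its SHA-256 digest with ECDSA on P-256, verifies the stored record, and shows that altering a single field after signing causes verification to fail. The record fields, the placeholder identifiers and the P-256/SHA-256 choice are this example's assumptions; a real issuer would hold the Registrar's key on a PIV card or HSM and archive the signature alongside the record.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// EnrollmentRecord is a hypothetical electronic enrollment record. The field
// set is an assumption for this example, not the FIPS 201 data model.
type EnrollmentRecord struct {
	ApplicantID   string
	SponsorID     string
	RegistrarID   string
	EnrolledAt    string // RFC 3339 text, kept as a string so the encoding is stable
	DocumentsSeen string // identity source documents examined by the Registrar
	BiometricHash string // hex SHA-256 of the captured biometric package
}

// canonical returns a deterministic, unambiguous encoding of everything the
// Registrar attests to. Netstring-style length prefixes mean a value that
// contains ':' or a newline cannot be confused with a field boundary, so two
// different records never produce the same bytes.
func canonical(r EnrollmentRecord) []byte {
	fields := []struct{ name, value string }{
		{"applicant", r.ApplicantID},
		{"sponsor", r.SponsorID},
		{"registrar", r.RegistrarID},
		{"enrolled_at", r.EnrolledAt},
		{"documents", r.DocumentsSeen},
		{"biometric_sha256", r.BiometricHash},
	}
	var b strings.Builder
	for _, f := range fields {
		fmt.Fprintf(&b, "%d:%s,%d:%s,", len(f.name), f.name, len(f.value), f.value)
	}
	return []byte(b.String())
}

// SignRecord is the Registrar's signing step: SHA-256 over the canonical
// record, signed with ECDSA on P-256 (a FIPS 186-approved pair, chosen here
// as the example's assumption). Output is an ASN.1 DER signature.
func SignRecord(priv *ecdsa.PrivateKey, r EnrollmentRecord) ([]byte, error) {
	digest := sha256.Sum256(canonical(r))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyRecord recomputes the digest from the stored record and checks it
// against the archived signature with the Registrar's public key.
func VerifyRecord(pub *ecdsa.PublicKey, r EnrollmentRecord, sig []byte) bool {
	digest := sha256.Sum256(canonical(r))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed record, then reports whether the untouched record
// verifies and whether a copy with one changed field still verifies.
func Demo() (validOriginal, validTampered bool, err error) {
	// Registrar key pair. In a real issuer this key lives on the Registrar's
	// own PIV card or an HSM; it is generated in memory here for the example.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample data; the identifiers are placeholders.
	bio := sha256.Sum256([]byte("constructed biometric package bytes"))
	rec := EnrollmentRecord{
		ApplicantID:   "APP-000123",
		SponsorID:     "SPN-0007",
		RegistrarID:   "REG-0042",
		EnrolledAt:    "2008-04-10T14:05:00Z",
		DocumentsSeen: "US passport;state driver license",
		BiometricHash: hex.EncodeToString(bio[:]),
	}
	sig, err := SignRecord(priv, rec)
	if err != nil {
		return false, false, err
	}
	validOriginal = VerifyRecord(&priv.PublicKey, rec, sig)

	// Simulate alteration of the archived record after signing: a different
	// applicant bound to the same biometrics. The old signature must not cover it.
	tampered := rec
	tampered.ApplicantID = "APP-000999"
	validTampered = VerifyRecord(&priv.PublicKey, tampered, sig)
	return validOriginal, validTampered, nil
}

func main() {
	ok, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, bad)
}
```

The point a practitioner should take from this is that the signature only protects what the canonical encoding covers: any attribute the Registrar is attesting to (identity documents examined, biometric capture, timestamps) has to be in that encoding, and the encoding has to be unambiguous, or a record can be altered without invalidating the signature.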

During reissuance, if an attribute has changed, who is responsible for verifying the change and recording the change and the reason for it?
This function is best performed by the Registrar, since that is the individual rechecking the records during card reissuance. However, agencies may, at their discretion, use an alternative process.

Is support for PIV card logical access mandatory on enrollment systems and/or issuance systems? If so, is PIV card verification required for all operator logins?
Credential-based identification support is specified in FIPS 201. Use of the identity credentials for specific access control applications is not. However, use of a PIV card to verify Registrar, Sponsor, Approval, or Issuer roles for card issuance activities as an on-going activity would be an effective mechanism for maintaining the security of the process.

For the facial image, is there a specific color backdrop that should be used?
There is no backdrop color requirement; however, per the recommendation of the International Committee for Information Technology Standards (INCITS) 385, the background should be uniform.

Can identity proofing be conducted by federal employees and also "trusted agents," where trusted agents might include contractors?
FIPS 201 does not prohibit contractors from being employed to conduct identity proofing activities under the supervision of government employees in accordance with departmental or agency security and contracts management policies.

How can agencies receive an advance report of the fingerprint check results?
Agencies that receive their investigations from OPM may obtain advance reports of fingerprint check results by putting the code "R" in the Codes block of the Agency Use section of any of the standard investigative forms (SF-86, SF-85P, or SF-85).

Does the FIPS 201 standard include a physical access control system?
No. FIPS 201 does not specify the physical access control system (PACS). In order to effectively implement HSPD-12, each agency will need to implement a PACS for internal use. The Smart Card Interagency Advisory Board has published Technical Implementation Guidance Smart Card Enabled Physical Access Control System (TIG SCEPACS) 2.2 as a guide to assist agencies in this implementation, which is referenced by FIPS 201.


This Page Last Reviewed on April 10, 2008