FAQs

Technical Questions


What is the rationale behind the selection of smart card, fingerprint, and PKI technologies?
The presidential directive required a standard for secure and reliable identification and authentication of federal employees and contractors that incorporates rapid electronic validation, but did not specify how to achieve it. Several organizations (most notably DOD) had on-going smart card programs that demonstrated the efficacy of this technology in meeting the needs of HSPD-12. The decision to include PKI and fingerprint technologies was made to improve the security profile of the smart card for both physical and logical access. PKI provides a digital credential that can be used to electronically verify the identity of the cardholder, while the fingerprint ties the card irrevocably to a specific individual and can be used to ensure the cardholder is the individual to whom the card was issued. Of the several potential means of personal biometric marker verification (e.g., DNA, iris scans, hand geometry, handwritten signatures, facial images, or fingerprints), fingerprints were chosen as being the least invasive and most cost-effective, reliable, repeatable, and accurate means of verification available using publicly available technology.

What information must be stored on the card?
The PIV Card must contain the following mandatory Personally Identifiable Information:

  1. Personal Identification Number (PIN): this data is used to authenticate the cardholder to the card, in the same way a PIN is used with an ATM card. The PIN never leaves the card, and it cannot be read from the card.
  2. A Cardholder Unique Identifier (CHUID): this number uniquely identifies the individual within the PIV system.
  3. Two fingerprint biometrics that are PIN protected.
  4. One asymmetric cryptographic key pair used to authenticate the card to the PIV system.


What is FIPS 201? 
FIPS 201 is the Standard identified in HSPD-12 that sets out the requirements for a Federal government-wide identity credential for employees and contractors.

Why is the standard divided into 2 parts?
The standard is divided into two parts so that agencies can make an orderly migration, in terms of both technology and "identity proofing", from their current systems to the requirements established by the standard and meet the deadlines established by the President in HSPD-12. Part 1 deals with the security objectives as they apply to uniform personnel identity proofing and vetting activities, while Part 2 focuses on the technical interoperability requirements, including the issuance of compliant identity badges and the implementation of the government-wide infrastructure to support the effective use of the badges.

What are the primary requirements for an agency to implement FIPS 201?
Revise the identity proofing and identity card issuance process of the agency to meet FIPS-201 requirements and implement access control mechanisms for facilities and IT systems that utilize the capabilities of the compliant identity credential. Establish control measures that mandate privacy protections with information assurance that is auditable. FIPS 201 requirements include the issuance of an identity badge that utilizes smart card technology, both contact and contactless, and incorporates a standardized Card Holder Unique Identifier (CHUID), digital credentials, and biometric templates.

Can federal agencies use the standard for other purposes beyond the scope of the standard to include national security applications?
Yes. The Directive specifically tasks agencies to identify additional applications important to security for which the standard might be employed. Such wider use must conform to Office of Management and Budget (OMB) policy (including the relevant privacy provisions) and, if national security systems are involved, the applicable requirements to protect national security information and systems.

What will the card look like?
Card topology is described and pictured in the Standard. Each card will contain a required set of information: a printed picture of the cardholder, name, expiration date, and agency affiliation. Additional optional information (e.g., signature, agency seal, issue date, etc.) may be selected by each agency within the parameters set by the Standard and further refined by OMB, where applicable.

Is there a plan to further standardize the badge topology across the federal government? 
Yes. NIST will issue Special Publication 800-104 entitled "A Scheme for PIV Visual Card Topography" which will provide additional recommendations on Personal Identity Verification (PIV) Card color-coding for designating affiliation. This document provides guidance on affiliations and their color-coding designations. This document is not intended to contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its associated documents. It is intended to augment existing standards to enable implementation of a common visual mechanism to provide for quick, flash-pass verification of the PIV Card in the near term and for electronic validation in the future when that infrastructure is in place.

What does "logical access" mean in FIPS 201?
Logical access, as used in FIPS 201, refers to use of the credential as part of identification and authentication processes that are used by automated information systems access-control processes (e.g., log on actions and digital signatures).

How can agencies assess their existing infrastructure to tell if they are FIPS 201 compliant? Do you have any specific publication (like 800-53)?
FIPS 201 is the governing Standard for HSPD-12 compliance. FIPS 201 contains normative references to additional documents. Enrollment and Card Issuance organizations and processes must be accredited in accordance with SP 800-79. Data objects produced by Card Issuance systems are tested according to SP 800-85B, assisted by the 800-85B test toolkit. Implementation of infrastructure for utilizing the cards is covered by FISMA reporting and SP 800-53. (Ref: http://csrc.nist.gov/publications/nistpubs/index.html).

TECHNICAL (BIOMETRIC)

Which fingers are required for capture on the PIV card? Should the choice of which fingers to capture for the PIV card be automatic, or should the operator have the final say?
The index fingers are designated as primary for capture to the PIV card. Fingerprint substitution should only take place if a primary fingerprint cannot be imaged successfully (e.g., missing or badly scarred). (Ref: FIPS 201 Section 4.4.1)

In the event fingerprint capture is not possible, what should the alternative biometric be, and how should it be handled throughout the registration and issuance process?
In the event fingerprint capture is not possible, agencies must collect an alternative biometric. The most common is probably a facial image; however, this is not specified by FIPS 201. For the purposes of the criminal history check, there is no alternate biometric. Where prints are not available, OPM will rely on the name check for criminal history. (Ref: FIPS 201 Section 4.4.1)

At PIV card issuance, should the applicant's fingerprints be matched against the enrollment record, the PIV card biometrics, either, or both? Is this actually mandatory?
Biometric match of fingerprints at card issuance is mandatory. The match should be made against the templates placed on the PIV card from the record captured at enrollment. Whether this record is in the IDMS or on the PIV card is at the agency's discretion; however, matching to the PIV card has the added advantage of validating the biometric record on the PIV card. (Ref: FIPS 201, Section 5.3.1)

TECHNICAL (PKI)

Are there standards by which PKI Shared Service Providers must comply regarding RA/CA communication and key escrow?
PKI Shared Service Providers must comply with the Federal Common Policy Framework which details requirements for PKI operations. (http://www.cio.gov/fpkipa/documents/CommonPolicy.pdf)

What is the relationship of a Device CA to the PIV trust model?
Device authentication is outside the scope of the Personal Identity Verification (PIV) program objectives. However, provisions have been made in the Federal Common Policy Framework for device certificates and agencies are encouraged to issue under this policy if interoperability with other Federal organizations is desired. (Ref: X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework)

FIPS-201, Section 5.4.2 states: "All certificates issued to support PIV Card authentication shall be issued under the Common Policy". Does this statement refer to all PIV-defined keys and their corresponding certificates?
Yes. The intent of this statement is that all certificates in the PIV data model shall be issued under the Common Policy.

The FPKI Common Policy limits CA keys to a 6 year lifetime. Subscriber keys are limited to a maximum of half that (3 years). FIPS 201 allows credentials to be valid for up to 5 years. Given these facts, 5-year cards will require maintenance during their lifecycle (PIV certificate reissuance). Is this correct?
This is correct. To use a PIV card for the maximum five years, new PKI credentials will need to be obtained at the three-year point. This is a security feature, and it also mitigates the risk of large CRLs. There are currently no plans to modify either FIPS 201 or the Common Policy. Technically, certificate renewal can be performed by the user from the desktop, or the agency may choose to re-issue smart cards every three years to align card issuance with the PKI certificate issuance cycle.
This Page Last Reviewed on April 10, 2008