GSA HSPD-12 FAQ's

Regulations Governing PIV Cards


What is HSPD-12?


In August of 2004, President Bush signed the Homeland Security Presidential Directive-12 (HSPD-12). HSPD-12 is a mandated policy for Common Identification Standard for federal employees and contractors.

HSPD-12 requires all federal government departments and agencies to conduct personnel investigations, adjudicate results, and issue Personal Identity Verification (PIV) credentials to all federal employees and contractors who require routine access to federally controlled facilities and information technology systems. Routine access is defined as regularly scheduled access.

Where can I obtain more information about HSPD-12?

  • FedID.gov
  • IDMangement.gov

Your PIV Card


What is a Personal Identity Verification (PIV) Card?


A Personnel Identity Verification or PIV card is a secure identification card that uses smart card technology and is about the size of a credit card. Government employees and contractors will use this card to verify the cardholder's identity.

The PIV card is designed to verify your identity by matching the information stored on the card with the information you provided when you obtained your card. For example, if you work in a building requiring higher levels of security your identity would be verified using the picture on the card and Personal Identification Number you provided when you activated your card.

What will I use this card for?


Today, the new PIV card is a replacement for the previous GSA badge and can be used for building access. Beginning in October 2008, GSA's new PIV card will be the only form of identification accepted for building access.

In the future, GSA will provide card readers that enable cardholders to log onto their computer and GSA networks. In this case, the PIV card will be used in place of a password to provide secure and user-friendly access to information. That means no need to remember long passwords that need to be changed frequently. Additionally, it will provide more security for your emails.

GSA plans to use the card as the only authorized method for both building and network access. The card provides a secure method of authenticating the card holder's identity while protecting their personal privacy.

Requirement for Your PIV Cards


Why do I need to get a new card?


The president is requiring all agencies to issue new credentials to all employees. Your new card complies with Homeland Security Presidential Directive-12, which is a mandated policy for a Common Identification Standard for federal employees and contractors signed August 2004 by President Bush.

The new cards enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.

All GSA employees and contractors requiring routine access to GSA-controlled facilities and information technology systems must receive the new cards.

Who has to get these cards?


All GSA employees and contractors requiring routine access to GSA-controlled facilities and information technology systems must receive the new cards.

Is there a deadline for getting this card?


Homeland Security Presidential Directive 12, signed by the president in August 2004, requires that all GSA personnel be enrolled for the card by October of 2008. The HSPD-12 Program Management Office is working to ensure that the Agency is positioned to meet this mandate. You can help GSA meet its goal by enrolling for the card when you receive your email notification requesting you schedule an appointment at your local enrollment station

Contractor Information


Do GSA contractors with non-HSPD-12 cards need to replace their cards, even if the non-HSPD-12 card has not yet expired?

GSA contractors with non-HSPD-12 must replace their cards with HSPD-12 cards, even if the legacy card has not yet expired.  All HSPD-12 cards will eventually supplant non-HSPD-12 cards as GSA converts existing physical access security systems to meet HSPD-12 requirements.

Do GSA contracts need personnel investigations and credentials apart from those required by HSPD-12?

GSA contractors do not need personnel investigations and credentials apart from those required by HSPD-12 to work in any GSA-controlled facility except where required by a tenant agency.  If a tenant agency has personnel investigation requirements in addition to those provided by GSA, the funding for these investigations will be borne by the requesting agency.

What are the HSPD-12 personnel investigation requirements for contractors?

All long-term contractors requiring routine access to GSA facilities and/or IT systems must have a personnel investigation appropriate for their job responsibilities in order to be issued an HSPD-12 card. The agency must initiate a minimum of a National Agency Check with Written Inquiries (NACI) and must have received favorable results on the FBI fingerprint check before a HSPD-12 card can be issued and access to GSA facilities granted. 

Do I need a card if I am a temporary GSA contractor?
Temporary contractors (those employed six months or less) must undergo a background investigation only if they will require routine access to GSA-controlled facilities for more than ten days.

Generally, temporary contractors do not receive a PIV card unless they require access to GSA IT systems. Temporary contractors needing issuance of a GSA PIV Card and/or access to IT systems must abide by the same personnel investigation requirements as those for long-term contractors. The Contracting Officer is responsible for determining who is a long-term or a temporary contractor. Should the duration of project exceed six months, all temporary contractors must obtain a PIV card.

What are the HSPD-12 requirements for non-US resident or non-US citizen contractors?

Per OPM final guidance on their credentialing standards in memorandum “Final Credentialing Standards for Issuing Personal Identity Verification Cards Under HSPD-12” issued on July 31, 2008, GSA will not request background investigations for non-US citizens who have not been a US resident for three consecutive years.  Instead, GSA will request the following checks to receive initial access or entry of duty determination:

·         FBI Fingerprint and Name Check

·         National Crime Information Center (NCIC)/Interstate Identification Index (III)/National Law Enforcement Telecommunications System (NLETS)/Wanted Person Check

·         Citizen and Immigration Services Check (CIS)/e-Verify

Non-US citizens who do not meet the three-year resident requirement and receive a favorable result on the required checks for initial access or entry of duty determination will receive a facility access card rather than a PIV card.  GSA is currently developing the plan to issue facility access cards to such non-US citizens and other personnel groups. 

When a non-US citizen who previously did not meet the three-year resident requirement meets that requirement, the written inquiries portion of the NACI is required to be performed and a final determination decision made.  The non-US citizen will then receive a PIV card. 

What are the HSPD-12 requirements for child care workers at GSA facilities?

The GSA Child Care Operations Division has worked with the Office of Homeland Security, Federal Protective Service (FPS) to ensure that all child care workers in Federal work places have gone through the security check process mandated by the Crime Control Act.  However, the criminal history check is not the equivalent of the FIPS 201-mandated minimum NACI because it lacks the written inquiries component.  Therefore, child care workers are not eligible for PIV credentials.

Child care workers in Federal workplaces will receive facility access cards (FAC) to enable access to local facilities.  The facility access cards will be compatible with, but both physically and electronically distinct from, the PIV card.  GSA is currently developing the plan to issue facility access cards to child care workers and other personnel groups. 

Privacy Concerns


What personal information is being stored on the Card?
The PIV card is designed to securely store your identification verification data. It does not contain personal information such as your social security number, date of birth, or personal address. The only data stored on your card are your digital photograph, fingerprints, and cryptographic keys.

Cryptographic keys are methods for securely transmitting and authenticating information such as emails and can be used to digitally sign and encrypt emails such that ensures your emails are kept confidential and only read by the intended receiver.

In addition to minimizing the personal data on the card, the card stores the digital photograph, fingerprints, and cryptographic keys in encrypted form. Prevents unauthorized individuals or systems from reading the information on the card without your personal identification number (a numeric password only you know).

What steps have been taken to protect my privacy?
Personal data is properly protected at every point in the process and by every person involved.

GSA has taken strong steps to ensure Personally Identifiable Information (PII) is securely reviewed, transmitted, stored, and destroyed by:

  • Informing Applicants of Data Collected: All forms used in the HSPD-12 process have a Privacy Act statement included that indicates what PII is collected, the purpose of its collection, whether it is optional or required, and the consequences of not providing the requested information.
  • Securing Information Technology (IT) Systems: All GSA IT systems must store and transmit data securely and have a completed a Privacy Impact Assessment (PIA) filed with the Privacy Office. The PIA ensures that the IT system complies with federal and GSA privacy regulations, including the Privacy Act.
  • Securing Paper Forms: All paper forms containing PII data must be stored and transmitted in accordance with the GSA IT Security Policy and be protected from any unauthorized disclosure.
  • Designating Staff: All HSPD-12 related staff must be specifically designated to handle HSDP-12 related PII data. All HSPD-12 related GSA staff are required to have completed privacy training and abide by the GSA IT Security Policy.

Last Reviewed 3/5/2009