New federal ID standard approved
The Commerce Secretary today approved the Federal Information Processing Standard for Personal Identity Verification, starting the clock for agencies to implement common smart card-based ID cards.
FIPS 201 lays out the technical and operational requirements for the PIV system and card. The Homeland Security Presidential Directive that mandated the card requires agencies to have the access systems in place, 'to the maximum extent practicable,' by Oct. 25.
Meeting that deadline is likely to be a challenge.
'I don't think it's going to be possible for most agencies to continue doing business as usual and comply,' said Jim Dray of the National Institute of Standards and Technology.
HSPD 12 was issued Aug. 27, 2004, calling for NIST to produce a federal standard for secure and reliable forms of identification for federal employees and contractors within six months. Computer security specialists at NIST said recently that preparing such a standard generally is a two-year process.
The presidential directive called for a fraud-resistant card that could be authenticated electronically.
Agencies have until June 25 to submit a program to the Office of Management and Budget for compliance with the standard. Within another four months the agencies must be in initial compliance.
The first phase of compliance, due by Oct. 25, will include common ID and security requirements for the applications that will use the new cards. Within another year, second phase compliance will require agencies to begin issuing interoperable cards to employees and contractors. No deadline has been set for completing the issuing process.
The cards will not apply to national security systems and facilities.
The new card will be used for both physical and IT system access, and the new standard specifies a handful of technologies. It will be a smart card with a programmable chip, with both contact and contactless (wireless) interfaces, and will support four levels of security. It will use cryptographic tools for higher levels of security and will contain biometric data to verify identity. Because biometric standards now exist only for fingerprints, FIPS 201 calls for use of fingerprints, although additional forms of biometrics could be added later.
The chip also will contain a digital photo of the holder, and a printed photo will appear on the card. The cards also can include a magnetic stripe and a bar code.
The physical specifications for the standard are outlined in NIST Special Publication 800-73, which was presented for public comment until Feb. 14. Dray said the final version of this document is expected to be released by March 1. He said the most contentious issue in the document has been blending FIPS 201 with the Government Smart Card Interoperability Specifications.
A separate document, NIST Special Publication 800-76, will contain biometric data specifications for PIV. It will specify technical acquisition and formatting requirements for biometric credentials.
To ease the transition process, the Federal ID Credentialing Committee is preparing a handbook for agencies that will be released soon. It will include a template for agency compliance plans, consisting primarily of yes or no questions.
Although the new standard does not apply to national security systems, Judith Spencer, chairwoman of the Federal ID Credentialing Committee, said the Defense Department intends to make its Common Access Card FIPS 201-compliant.
Spencer said General Services Administration schedule contracts for smart cards will be modified to require compliance with FIPS 201, and GSA will encourage multi-agency buys to take advantage of volume card purchases.