PIV card specs to account for mobile, other new factors
Connecting state and local government leaders
Proposed changes in FIPS 201 reflect changes in the technology and environment in which the federal PIV cards for government workers and contractors are used.
Technical specifications for the Personal Identity Verification Card for federal workers and contractors are being revised to reflect changes in the technical environment in which the smart cards are being used, and to incorporate changes requested by agencies and other stakeholders.
The specifications are included in Federal Information Processing Standard 201, and NIST has released a second draft of proposed revisions for public comment.
Because of the increased use of mobile devices within government, the proposed changes would allow the use of electronic credentials derived from PIV cards in a variety of form factors for use with mobile devices. The PIV card itself will continue to be in the standard smart-card format. Other significant changes to the standard include introduction of a virtual contact interface to enhance secure access to functions over a contactless connection.
Related coverage:
Are mobile devices already making PIV cards obsolete?
HSPD-12 in 2004 mandated the creation of the Personal Identity Verification Card, a common interoperable government ID that could be used both for logical and physical access control. The directive required NIST to develop technical standards for the card by February 2005. The standards in FIPS 201 define the technical requirements for a credential that:
- Is issued based on sound criteria for verifying an individual employee’s identity.
- Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
- Can be rapidly authenticated electronically.
- Is issued only by providers whose reliability has been established by an official accreditation process.
“The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to federally controlled government facilities and electronic access to government information systems,” the draft publication says.
The standard specifies the architecture and technical requirements for a common electronic ID card, as well as the physical card characteristics, storage media and data elements that make up identity credentials. FIPS 201 is part of a suite of publications specifying technical requirements for storage interfaces and architecture, cryptography and biometric information.
The original standard was released in 2005 and PIV cards now are in the hands of most federal workers and contractors. The standard was due for a routine review in 2010. NIST determined that a major revision was needed to accommodate changes in the technical environment, including the increased use of smaller, mobile devices with wireless connections. An initial draft of proposed revisions was released for comment in March 2011, and comments were received from 25 federal agencies as well as state and foreign governments and private-sector organizations.
In addition to editorial corrections and changes to clarify requirements, several substantive changes have been proposed in FIPS 201-2.
Iris imaging is included as an optional alternative to fingerprints for biometric identification, along with facial recognition. Because the required biometric matching might not be possible for some persons with disabilities, agencies must determine appropriate authentication mechanisms for their systems to accommodate them, to comply with Section 508 of the Rehabilitation Act.
The 2011 draft standard would have required that “a new chain-of-trust record shall be created,” that would include biometric information to personalize each card as it is issued. This was included as a cost savings measure for reissuance of lost, stolen or damaged cards. Because of complaints that the requirement was cost-prohibitive, it has been made optional in the most recent release.
A public workshop on the revised draft of FIPS 201-2 will be held July 25 at NIST in Gaithersburg, Md. Participants must pre-register by July 18.
Written comments on the draft can be sent to Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on the Revised Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, Md. 20899-8930.
Electronic comments may be e-mailed to piv_comments@nist.gov, with "Revised Draft FIPS 201-2 Comments" in the subject line of the email. Comments must be received by August 10, using the comment template.