Over the past 18 months, the federal government's approach to managing physical access control and information security has changed substantially. On August 12, 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12), which mandated a government-wide standard for identifying federal employees and contractors. HSPD-12 requires a single, common identification credential for both logical and physical access to federally controlled facilities and information systems. The policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.
Requirements, Short and Sweet
HSPD-12 requires that the federal identity credential be "secure and reliable." In the directive's own terms, this means the credential:
• Must be issued based on sound criteria for verifying an individual's identity;
• Must be strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
• Must be able to be rapidly authenticated electronically; and
• May be issued only by providers whose reliability has been established by an official accreditation process.
In response to HSPD-12, the Department of Commerce's National Institute of Standards and Technology (NIST) developed a new standard for secure and reliable forms of identification: Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. The standard specifies the entire chain of trust of the identity system, from identity proofing and issuance through card technology and authentication, and defines a single smart card, the PIV card, for both physical and logical access as well as other applications that individual agencies may choose to deploy.
This article summarizes some of the key aspects of FIPS 201, its impact on physical access control systems, and future impact on both government and commercial secure identification implementations.
Identity Proofing Requirements
Federal agencies must follow the FIPS 201 identity proofing process whenever they issue official government identification to new or current employees, contractors and affiliates. A uniform identity proofing process, including a threat/risk assessment applied to all employees and contractors across the federal government, gives agencies a common basis for trusting each other's credentials and helps ensure that cardholders are who they claim to be.
FIPS 201 also applies to citizens of foreign countries who are working for the federal government overseas, although there are special registration considerations and procedures for these workers.
Verifying the individual's identity is the first step. FIPS 201 mandates the process and provides guidance on both the source documents required to validate an individual's identity and the procedure for issuing a PIV card. The general requirements for PIV identity proofing and registration are:
• The process must begin with a background check of the applicant, and that check must be completed before a card is issued.
• The applicant must appear in person before a PIV official at least once before a credential can be issued.
• The applicant must present two identity source documents, in original form, from a published list of acceptable documents. At least one of them must be a valid (unexpired) picture ID issued by a state government or the federal government.
• The process must enforce separation of roles: no single individual can issue a PIV card without the cooperation of another authorized person, so a lone insider cannot mint credentials.
The Elements of the Smart Card
FIPS 201 requires that the PIV card be a smart card. The card body has the same form factor as a credit card and conforms to the ISO/IEC 7810 ID-1 specification. The card provides both a contact interface (ISO/IEC 7816) and a contactless interface (ISO/IEC 14443), which can be implemented either with two separate integrated circuit chips (ICCs) or with a single dual-interface ICC.