The contact interface must conform to the ISO/IEC 7816 specification, and the contactless interface must conform to the ISO/IEC 14443 specification. In most cases, physical access applications will use the contactless interface, although there are special cases in which the contact interface will be used.
The PIV card contains multiple data elements that are used to verify the cardholder's identity at graduated assurance levels. The required data include a personal identification number (PIN), the cardholder unique identifier (CHUID), PIV card authentication data (one asymmetric key pair and corresponding certificate) and two fingerprint biometric minutiae templates.
The CHUID contains a federal agency smart credential number (the FASC-N) that identifies each card uniquely within the federal government and can be used in the physical access control system (PACS). It is written to the FIPS 201-compliant card chip or chips and is available from both the contact and contactless interfaces.
In a FIPS 201 implementation, the organization must be able to enroll individuals' PIV cards into the local PACS, be able to access PIV card status information to determine if the card has been revoked (e.g., if an employee was terminated) and use the new PIV card data elements (e.g., the CHUID or portions thereof) to make access control decisions.
Agencies and departments will have different approaches to PIV card enrollment, depending on their security requirements, their PACS, and their use of credential data. For example, some organizations may require data to be “pushed down” from the central identity management system (IDMS) to the PACS server's user database, with pre-registration for physical access privileges. Others may simply need to know that the new PIV card will work in the current system.
In general, enrollment of a PIV card into a PACS requires that cardholder demographic data and CHUID data be entered into the PACS, the PIV chain of trust be validated to the level required by the federal agency accepting the card, and access privileges be assigned.
Once a PIV card has been enrolled and is being used, FIPS 201 requires that all implementations include the capability to remove and revoke registered access privileges centrally, should a person move or leave the organization. This can be accomplished in a number of ways.
The PACS server database can be updated periodically from the central identity management system or card management system. When a credential is revoked, the expiration date could be changed and downloaded to the PACS server. The PACS server receives the expiration date and distributes this to the user record in the relevant controllers that will then make an access/deny decision for that employee's credential. Alternatively, the PACS enrollment officer may manually revoke or change access privileges for an employee, using a real-time process with instant change to the access privileges for the card.
While FIPS 201 defines many aspects for an interoperable federal identity card, the standard also provides a variety of options for implementation and permits individual agencies to define their own approaches to meeting agency-specific access requirements.
What Does FIPS 201 Mean for Other Organizations?
The impact of FIPS 201 is not restricted to the federal government. State and local governments are being encouraged to adopt the provisions of FIPS 201, and businesses that provide goods and services to the federal government will find that a substantial segment of their workforce will need to be credentialed. Security systems manufacturers are actively engaged with the government to assist in defining the details of how FIPS 201 will be implemented and are developing products to meet the standard.
To ensure that standard-compliant products and services are available, NIST has established the NIST Personal Identity Verification Program (NPIVP) to validate PIV components and sub-systems required by FIPS 201. The NPIVP currently includes FIPS 201 interface validation of PIV card applications and PIV middleware for conformance to the SP 800-73 specification. Additional validation programs will be added as the PIV program evolves. Providers of products and services that are determined to conform to the standard will be eligible to offer approved products and services on a new General Services Administration procurement vehicle, which will be established to align all agency acquisitions with FIPS 201 policy.