Q: What is the Personal Identity Verification Project and how will the standard impact an access control system?
A: In August of 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12), a Policy for a Common Identification Standard for Federal Employees and Contractors. The draft of the standard is on the project web site at http://csrc.nist.gov/piv-project/.
The standard is divided into two parts, PIV-I and PIV-II. The first part (PIV-I) sets minimum requirements for a Federal personal identification system, including the personal identity proofing process, but does not address the interoperability of Personal Identity Verification (PIV) cards and systems among agencies.
The second part (PIV-II) provides detailed specifications, including personal authentication, access control, and PIV card management systems, for technical interoperability of PIV cards across the Federal Government.
The standard sets up requirements for authenticating and verifying the identity of the individual that vary based on the sensitivity of the position of the individual. In some cases, verification can be done based on documents, in others fingerprinting and background checks will be required. It also requires that employees and contractors be treated as visitors and not be issued long-term identity credentials until the required credential verification or background investigation is complete.
The main impact is on the design of the credential used:
- Specific information must be printed on the card in designated areas. Holes or punches, decals and embossing are not allowed on the card. Each card must contain a circuit chip and a contact and contactless interface.
- A tri-modal or bi-modal optical variable device (OVD) or optical variable ink (OVI) must be embedded in the card material on the front of the card.
- The chip in each card must store: a Personal Identification Number (PIN); a Cardholder Unique Identification object (CHUID); one asymmetric key pair and corresponding certificate associated with the cardholder; two biometric fingerprints; and a Biometric facial image.
Optical variable ink (OVI) contains tiny flakes of special film or ink embedded in the card that change color as the viewing angle is varied. This security device provides a check that is visible to the naked eye without any special equipment, and prevents the card from being photocopied (only one color will appear).
An optical variable device (OVD) embedded in the card material on the front of the card uses complex line details and wave patterns, holograms, covert laser-retrievable text embedded into the laminate and/or microtext or pixel encryption technology that are only visible under extreme magnification.
The Cardholder Unique Identification object (CHUID) is an identifier specific to each card. It is made up of several pieces of information, including a mandatory Federal Agency Smart Credential Number (FASC-N) that will uniquely identify a PIV card, an expiration date and a position sensitivity level. The deadline for compliance is October 2005.
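For an access control system, the practical consequence is that the reader or panel must parse the CHUID and act on its fields. The following is an added example, not part of the original column or the standard: it reads the FASC-N and expiration date from a CHUID buffer and rejects malformed or expired cards. The tag values and field sizes are assumptions taken from NIST SP 800-73 rather than from this page, and the sample bytes are constructed.

```python
from datetime import date

# Assumption: tag numbers and sizes as assigned to CHUID elements in
# NIST SP 800-73; the column itself does not list them.
TAG_FASCN, TAG_EXPIRY = 0x30, 0x35
FASCN_LEN = 25  # FASC-N is stored as 25 packed bytes

def read_tlv(buf):
    """Split a flat tag-length-value buffer into {tag: value}; raise on bad lengths."""
    items, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length in (0x81, 0x82):  # long form: 1 or 2 length bytes follow
            n = length & 0x0F
            if i + n > len(buf):
                raise ValueError("truncated length field")
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        elif length > 0x7F:
            raise ValueError("unsupported length encoding")
        if i + length > len(buf):
            raise ValueError("value runs past end of buffer")
        if tag in items:
            raise ValueError("duplicate tag")
        items[tag] = bytes(buf[i:i + length])
        i += length
    return items

def check_chuid(chuid, today):
    """Return (decision, card_id_hex). Fails closed on any parse problem.
    This checks structure and expiry only; it does not verify the issuer
    signature, so it is not by itself proof that the card is genuine."""
    try:
        items = read_tlv(chuid)
        fascn, expiry = items[TAG_FASCN], items[TAG_EXPIRY].decode("ascii")
        if len(fascn) != FASCN_LEN or len(expiry) != 8 or not expiry.isdigit():
            raise ValueError("malformed FASC-N or expiration date")
        expires = date(int(expiry[:4]), int(expiry[4:6]), int(expiry[6:]))
    except (KeyError, ValueError):
        return "deny-malformed", None
    if today > expires:
        return "deny-expired", fascn.hex()
    return "accept", fascn.hex()

# Constructed sample: placeholder FASC-N bytes, expiration date 2030-01-01.
SAMPLE = bytes([0x30, 25]) + bytes(range(25)) + bytes([0x35, 8]) + b"20300101"
```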
Brad Shipp is a former Executive Director and Training Director for the NBFAA where he authored several NTS courses, including the Access Control Certification course. His involvement in the access control industry dates back to 1974 and in 1986 he became an instructor for the NBFAA National Training School. Shipp has served on several law enforcement, regulatory and industry association boards and has been honored for his service by the False Alarm Reduction Association and the International Association of Security and Investigative Regulators. Send in your questions on access control to firstname.lastname@example.org.