What FIPS Means for the Security Industry

A look at the far-reaching impact of the new federal personal identification verification project


With ambitious objectives for enhancing security, preventing terrorism and increasing efficiencies, Homeland Security Presidential Directive (HSPD) 12 has changed the landscape of identification within the federal government.

The directive mandates a common identification credential for physical and IT access for employees of all federal agencies as well as employees of government contractors. For the first time, a common credential will be required for access to federal buildings and computer systems. The same credential will operate across agencies when desired.

The details of implementation of the directive are laid out in the Personal Identification Verification (PIV) project. PIV has two stages of deployment. The first stage, PIV I, deals with identity-proofing, registration, and related issuance processes. It must be in place by Oct. 27, 2005. The second stage, PIV II, includes detailed specifications for personal authentication, access control and technical interoperability of PIV cards across the federal government. Although the date for final implementation is flexible, it is widely understood to be Oct. 27, 2006. This date will be finalized after the June 27, 2005 deadline for federal agencies to submit implementation plans for PIV I and II.

As the deadlines for implementation approach, this directive will have far-reaching impacts on manufacturers, government integrators and end users.

Manufacturers

The impact on manufacturers of smart cards, physical access readers, biometric systems, software systems and card printers is significant. Smart card manufacturers that provide the electronics and software needed for PIV II are rushing to make sure their solutions are ready. Many federal agencies are discussing implementing PIV II-compatible smart cards for PIV I in order to make the transition to PIV II smoother. Fortunately, there is a migration path for existing smart card implementations in the Department of Defense and other agencies that were started ahead of HSPD-12. These agencies will eventually reissue cards in order to fully meet the PIV II implementation.

Because PIV II requirements are based on existing government and international standards, physical access reader manufacturers are well positioned to address the federal need. Federal agencies with existing physical access implementations will need to replace or update physical access readers to fully meet PIV II.

The requirements for biometrics are still in draft form. Enrolling fingerprints for PIV cardholders should be straightforward, but there is not yet full agreement on how those fingerprints will be used for PIV access or how they will be protected for privacy.

The software systems architecture for PIV II is somewhat different from existing implementations. Interoperability requirements are aligned to international standards and therefore will also require changes to the systems already in place today. Most government integrators are in a position to support these changes.

Card printer manufacturers will see new challenges. Because the cards for the PIV II implementation include smart chips, contactless antennas and visual security requirements, printing PIV cards will not be as easy as in the past. Reverse transfer printing technology will provide the optimal printing solution for full coverage of the PIV card. The many irregularities that arise from putting electronic technology in a card will make direct printing on PIV cards difficult.

Distribution of printed cards should also be considered carefully. Using a central bureau may be an easy choice for a large integration, but it lacks the flexibility and security of printing on site. With on-site printing, an agency can better secure the precious electronic cards and security overlaminates. On-site printing can also remove the security holes that come with shipping cards and with having employees wait for them.

Integrators
