On Friday, U.S. Commerce Secretary Carlos M. Gutierrez announced that a new standard for smart-card-based identification methods has been approved. The standard applies to identification cards issued to all federal government departments and agencies and their employees and contractors requiring access to federal facilities and systems. The standard is available online with additional information: click here.
"Protecting federal facilities, systems and the employees who have access to them is of vital importance to this administration," said Gutierrez in a statement. "This new standard will enable federal agencies to issue more secure and reliable forms of identification to better protect federal assets against threats such as terrorist attacks. It also will help safeguard against other risks such as identity theft," said Gutierrez.
The approval of the new standard follows last summer's announcement by President Bush of a directive that called for a mandatory standard that would be applied for all government facilities. To view, the presidential directive, click here.
In developing the standard, Commerce Department National Institute of Standards and Technology (NIST) computer security specialists worked with the Office of Management and Budget (OMB), the Office of Science and Technology Policy, the Departments of Defense, State, Justice and Homeland Security in addition to the private sector to develop the new standard, known as Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors.
In the process of creating the standards, public comments from 80-plus organizations and individuals were accepted and are available online -- click here for comments.
The new standard specifies technical and operational requirement for the Personal Identity Verification standard, describing the minimum requirements to meet the directive and describing the process to prove an individual's identity.
It was also announced that by October 2005, agencies must meet the first part of the standard, which sets the minimum requirements needed to meet the presidential directive.
The second section of the standard explains the components and processes that will support the smart-card-based platform, including the PIV card and card and biometric readers. This section will also describe the method used to collect, store and maintain the information and documentation used to authenticate a person's identity. The timeline for when agencies will need to comply with the second part of the standard has not been defined, but will be set by the OMB.
The standard is design so that the integrate chip will contain a PIN number, a digital photograph and two digitally stored fingerprints, and the card is designed with security in mind so that this private data is not subject to theft.
NIST will also be creating companion documents to accompany FIPS 201 that will specify interface requirements for retrieving data from the PIV card and will specify how the biometric data is saved and accessed using the PIV system.