REAL DEAL: PIV II requires more than just buying hardware
Now that agencies have (we hope) met requirements for Part One of the Personal Identity Verification program, the clock is ticking toward the Oct. 27 deadline for Part Two compliance.
Agencies must have systems in place by then to actually begin issuing the interoperable smart ID cards mandated by Homeland Security Presidential Directive-12. Technical specifications for the cards and the data they will contain still are being developed, and products are only beginning to be certified against Federal Information Processing Standard 201, but here are some things that agencies can consider as they plan for PIV II:
- Enrolling thousands of workers, many of them scattered across the country, is not a trivial issue. Thought must be given to getting these employees to the enrollment system or getting a system to remote workers.
- Back-end systems will have to be in place to hold the data being gathered for use with PIV cards. These systems need to be interoperable with other systems so the data can be used.
- HSPD-12 does not specify how the new cards are to be used, but leveraging the card technology will require enabling IT applications and physical-access control systems. Without this, PIV will be just another photo ID.
- Ultimately, PIV cards are all about security. They must be tamper-resistant and difficult to counterfeit. Security features that go above and beyond the basic requirements specified for the cards are available that you might want to consider to meet your agency's specific needs. 'There is a lot of technology behind these cards that you can employ that is not incorporated in the standards,' said Mike Gibbons, lead of Unisys Corp.'s enterprise security practice.
- The biometric specification calls for including two index fingerprints on the card. What about those without two index fingers? Some provision should be made for alternate biometric features for disabled persons, and systems for authenticating them.
- Figure out which facilities pose the highest risk, and plan to secure them first.
- Plan to implement the system modularly so pieces can be added or upgraded when needed.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.