NIST updates standards for federal electronic ID cards
Standards updated for cards mandated for federal employees and contractors by homeland security directive
The National Institute of Standards and Technology is updating the standards for electronic identification cards mandated for federal employees and contractors under Homeland Security Presidential Directive 12.
A draft of the revised Federal Information Processing Standard 201 released for public comment reflects changes in the technical environment in which the smart cards are being used and also incorporates some changes requested by agencies since the standard was first adopted in 2005.
Among the significant changes in the revision are a biometrically authenticated chain of trust to allow reissuing of lost cards and the optional inclusion of new industry standards that could make the cards more adaptable as technology changes. The maximum life of the card also would be extended from five to six years to synchronize the card life cycle with the certificates and biometric data the cards use.
Will feds trust nonfederal ID card for contractors and agency partners?
Crypto rules changing for ID cards
“This standard specifies the architecture and technical requirements for a common identification standard for federal employees and contractors,” the draft publication states. “The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to federally controlled government facilities and electronic access to government information systems.”
NIST will hold a public workshop on the proposed revisions April 18 and 19 at its campus in Gaithersburg, Md.
HSPD-12 in 2004 mandated the creation of the Personal Identity Verification Card, a common interoperable government ID that could be used both for logical and physical access control. The directive required NIST to develop technical standards for the card by February 2005. The standards in FIPS 201 define the technical requirements for the identity credential that:
- Is issued based on sound criteria for verifying an individual employee’s identity.
- Is strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation.
- Can be rapidly authenticated electronically.
- Is issued only by providers whose reliability has been established by an official accreditation process.
The original standard was released in 2005 and was due for a routine review in 2010. NIST determined that a major revision was needed.
PIV Cards are in the hands of most federal workers and contractors, but many of their electronic capabilities are not being leveraged to enable their use for access control on computer systems.
The Office of Management and Budget last month directed
agencies to “develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information systems.”
In addition to editorial corrections and changes to clarify requirements and eliminate contradictory elements, several substantial changes have been proposed in FIPS 201-2. The proposed standard would require that “a new chain-of-trust record shall be created” that will include biometric information — either fingerprints or iris images — to personalize each card as it is issued. This same data from the record could be used to reissue a card that has been lost, stolen or damaged so that the holder does not have to repeat the complete registration process.
A background National Agency Check Written Inquiries is required for each card holder, but the PIV Card would no longer have to contain a NACI Indicator to indicate that a card was issued before the check was completed. Since the original standard was issued, the timely completion of background checks has improved and other options for online status checking are available, so that this indicator no longer is necessary, NIST concluded.
Revisions also would allow for the inclusion in the standards of optional profiles for international industry standards that enable “a high degree of interoperability between electronic credentials and relying subsystems by means of a firmware-defined adaptation layer.” This could increase the flexibility and resiliency of the PIV system middleware, card readers and credentials as technology evolves.
Comments on draft FIPS 201-2 should be sent to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Revision Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7730, Gaithersburg, MD 20899-7730. They also can be e-mailed
by June 6. A Microsoft Excel template for comments
is available online.