NIST lays out new smart-card draft specs

What NIST expects the cards to do

Allow use by all government organizations and contractors


Reliably and rapidly identify someone while protecting privacy


Resist fraud, tampering and counterfeiting


Be issued by officially accredited providers


Provide access to federal facilities and information systems except for national security systems


Be flexible enough for agencies to specify an appropriate security level for any application

Agency expects card standard to get final OK from Commerce by month's end

The National Institute of Standards and Technology has released biometric specifications that firm up plans for governmentwide personal-identity-verification cards.

The revised Special Publication 800-73 is a second draft and does not set any implementation deadlines. It covers both file system and Java Virtual Machine cards so agencies such as NASA, which have existing smart-card programs, can comply and card vendors do not have to redesign their products.

An earlier draft of SP 800-73 met resistance because agencies and industry felt it would require them to throw out several years of work on smart-card projects [GCN, Dec. 13, 2004, Page 42]. The new draft is meant to allay those concerns.

Among other things, the second draft discusses data flows, card architecture, the client application programming interface and command interface, construction of the card edge, use for physical and logical access, embedding X.509 certificates and using acceptable encryption algorithms.

NIST will accept public comments on the draft until Feb. 14.

Homeland Security Presidential Directive 12 required NIST to develop the specs for a common federal smart card. Agencies must establish compliant card programs by Oct. 25.

Last month NIST published a complementary biometric-technology draft, Special Publication 800-76, with a comment period ending today.

SP 800-76 details how to capture fingerprints and full-frontal facial images correctly. It also defines a common header for all types of biometric data, called the Common Biometric Exchange Formats Framework (CBEFF).

NIST and the Government Smart Card Interagency Advisory Board have spent several months reworking draft Federal Information Processing Standard 201, with final release due by Feb. 28, as well as the draft SP 800-73. Together, the three documents will set lifecycle procedures for registration, issuance and use of PIV cards.

NIST's Curt Barker, co-chairman of the PIV project, said the FIPS is now 'in the final approval process.'

For security and privacy, the PIV card as envisioned by NIST will go far beyond the requirements of many states for driver's licenses. In addition to fingerprint or facial-image biometrics, the PIV card likely will have a holographic agency seal, a serial number stored on the chip and a personal identification number not stored on the card. All ID information will be encrypted and digitally signed, and agencies will have to set up a network mechanism for checking a cardholder's identity as well as the card serial number against their issuance records.
