Draft guidelines released for certifying PIV Card issuers

Draft guidelines have been released to help agencies verify that organizations issuing new governmentwide identification cards are up to the job.

The new cards were mandated in Homeland Security Presidential Directive 12, titled 'Policy for a Common Identification Standard for Federal Employees and Contractors.' More detailed objectives for the Personal ID Verification (PIV) Card were laid out in Federal Information Processing Standard 201, and specifications for the standard are spelled out in a series of special publications from the National Institute of Standards and Technology.

A requirement of HSPD 12 is that card issuers be accredited. The most recent NIST publication, SP 800-79, provides Guidelines for Certification and Accreditation of PIV Card Issuing Organizations. The draft is offered for public comment until July 10.

The new ID card will be an interoperable smart card that can be used across agencies. The cards will incorporate a common set of identity proofing and issuing standards, as well as other technologies. Agencies must have plans in place for implementing HSPD 12 this year, and have until October 2006 to begin issuing the cards.

Each agency will be responsible for certifying and accrediting the issuer of its cards. Certification is the process of assessing the reliability, availability and capabilities of the issuer's personnel, equipment, finances and support infrastructure. Accreditation, the management decision to authorize operation, is done by a designated authority within an agency.

NIST has broken the certification and accreditation process into 10 tasks:

  • Preparation, which includes establishing security categories for the cards

  • Resource identification, which includes identifying resources needed for the C&A process

  • Plan analysis and acceptance, which includes identifying requirements for a card issuer and an issuer's plan analysis

  • Card issuer attribute assessment, which includes documenting and assessing the issuer's resources

  • Certification documentation, which includes updates to and signing off on the issuer's plans

  • Accreditation decision, which includes a review of the certification

  • Accreditation documentation, which includes the decision to authorize the issuer

  • Issuer operations management, which includes analysis of the issuer's performance

  • Issuer status monitoring, which includes ongoing assessment of the issuer

  • Status monitoring and documentation, which includes updates and monitoring of the issuer's plans.

Comments on the draft guidelines should be e-mailed to PIVaccreditation@nist.gov by July 10.

More details on FIPS-201 and PIV Card specifications are available from the NIST Web site in special publications 800-73, Interfaces for Personal Identity Verification; 800-76, Biometric Data Specifications for Personal Identity Verification; and 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification.

About the Author

William Jackson is a Maryland-based freelance writer.
