NIST guidance on PIV cards
- By William Jackson
- Nov 25, 2008
The government has established a common interoperable identity
card for use throughout civilian agencies, and the National
Institute of Standards and Technology is providing guidelines for
integrating the cards into physical access control systems.
The Personal Identity Verification Card was mandated by Homeland
Security Presidential Directive 12 (HSPD-12) as a smart credential
that would be interoperable not only across agency boundaries, but
also across physical and logical access control systems. NIST
Special Publication 800-116, titled
“A Recommendation for the Use of PIV Credentials in Physical
Access Control Systems,” provides guidelines for best
practices in integrating the cards into systems used to control
access to facilities.
“Specifically, this document recommends a risk-based
approach for selecting appropriate PIV authentication mechanisms to
manage physical access to federal government facilities and
assets,” NIST said in releasing the publication. “This
document also proposes a PIV implementation maturity model to
measure the progress of agencies' PIV implementations.”
PIV cards are smart cards that contain identifiers for each card
holder in multiple formats, including printing, photographs, bar
code and magnetic stripe, as well as digitally on a chip that also
includes fingerprints, digital certificates and encryption keys.
The technical standards for the cards are spelled out in the
Federal Information Processing Standard publication 201.
HSPD-12 requires the use of PIV Cards “in gaining physical
access to federally controlled facilities and logical access to
federally controlled information systems.” But existing
physical access control systems often are not interoperable with
each other and sometimes provide inadequate authentication because
credentials used with them are easily cloned or counterfeited. NIST
identified a number of shortcomings to these physical access
systems that could be addressed by implementing PIV cards:
- Scalability—Some systems have a limited ability to read
longer credential numbers.
- Security—Most systems cannot perform cryptographic
challenges on a card, but rely only on more easily copied
- Validity—Expiration and revocation of credentials often
are managed locally and cannot be easily managed across multiple
- Efficiency—Personal identification numbers, public key
infrastructure and biometrics typically are managed at each site,
with no interoperability.
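The "Security" and "Validity" shortcomings above come down to two reader behaviours: issuing a cryptographic challenge that only the genuine chip can answer, and checking expiration and revocation against one central record rather than a per-site list. The Go program below is an added example, not code from the NIST publication or from any PIV product; the central Credential store, the Card type and the use of an ECDSA P-256 card authentication key are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Credential is the central validity record for one card ID (assumed layout).
type Credential struct {
	Pub     *ecdsa.PublicKey // registered at issuance
	Expires time.Time
	Revoked bool
}
// Card models the chip: the private card authentication key never leaves it.
type Card struct {
	ID   string
	priv *ecdsa.PrivateKey
}
// Issue enrolls a card; only the public half goes into the central store.
func Issue(store map[string]*Credential, id string, exp time.Time) *Card {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unusable
	}
	store[id] = &Credential{Pub: &priv.PublicKey, Expires: exp}
	return &Card{ID: id, priv: priv}
}
// Authenticate is the reader side: validity is checked centrally, then a fresh
// nonce must be signed on the card and verify under the registered public key.
func Authenticate(store map[string]*Credential, c *Card, now time.Time) error {
	cred, ok := store[c.ID]
	switch {
	case !ok || cred.Revoked:
		return errors.New("unknown or revoked card")
	case now.After(cred.Expires):
		return errors.New("credential expired")
	}
	nonce := make([]byte, 16)
	rand.Read(nonce) // fresh challenge each time, so a replayed answer fails
	d := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, d[:]) // done on the card
	if err != nil || !ecdsa.VerifyASN1(cred.Pub, d[:], sig) {
		return errors.New("challenge signature invalid") // a clone has no key
	}
	return nil
}
```

A card whose printed identifier, bar code or magnetic stripe has been copied still fails here, because the copy cannot sign the nonce; revoking or expiring the record in the one central store closes the door at every reader at once.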
SP 800-116 addresses how the PIV Card can be used to overcome these
limitations, and also how the cards can be used to provide the
appropriate level of authentication assurance in multiple areas
within a facility with differing levels of risk-based security
requirements. A PIV Implementation Maturity Model is proposed to
measure progress of implementation.
In the NIST model, risk-based access requirements would
range from unrestricted access, through controlled and limited
access, to an exclusion area, with each level requiring additional
authentication factors. A controlled area would require a single
factor; a limited access area two factors, which might include a
biometric; and an exclusion area would require at least three
factors, including a PKI and card authentication keys.
NIST recommends a phased implementation of PIV into physical
access systems. Migration paths could include use of
multi-technology readers that can work with PIV Cards as well as
other credentials, retrofitting existing systems for use of PIV
Cards, and coexistence of PIV-enabled and existing systems in
The document lays out five maturity levels to measure progress
of incremental implementation of PIV into physical access, based on
the three risk-based levels of access control:
- Maturity level 1—Ad hoc PIV verification.
- Maturity level 2—Systematic PIV verification to
controlled access areas, in which PIV coexists with non-PIV
- Maturity level 3—Access to exclusion areas by PIV or
exception only. Non-PIV cards are not accepted at this level.
- Maturity level 4—Access to limited access areas by PIV or
exception only, with no use of non-PIV cards.
- Maturity level 5—Access to controlled access areas by PIV
or exception only.
William Jackson is a Maryland-based freelance writer.