NIST sets rules for PIV cards

The National Institute of Standards and Technology has set ground rules for how to use Personal Identity Verification cards so employees can use them to enter government buildings.

"It is intended to be a practical, short-term recommendation," said William MacGregor, speaking at the Smart Cards in Government Conference held in Washington last fall. MacGregor is one of the co-authors of NIST’s Special Publication 800-116, "A Recommendation for the Use of PIV Credentials in Physical Access Control Systems.”

Most government buildings already have physical access systems in place.

Most entry cards that employees use don't have authentication protections. And many cards are specific to the vendor that supplied the security system, so a government employee can't use his or her access card when visiting another agency. By using the government-issued smart cards, as mandated by Homeland Security Presidential Directive 12, agencies will move closer to adopting a governmentwide physical access framework.

Borrowing a physical security layout designed by the Army, the publication recommends three security levels for buildings: controlled, limited and exclusion. Each successive level requires an additional authentication factor.

Controlled access is basic building access and requires one form of authentication, namely the Cardholder Unique Identifier number that comes with a card.

A limited-access area "might be considered an area where discretionary access of some kind is being applied," MacGregor said. It requires two factors of authentication, such as an entry card and biometric identifier. The government has 32 factors to choose from in this category.

For the most sensitive areas, exclusion access would require a third form of authentication, such as an attended biometric or a Federal Information Processing Standards 201-compliant authentication key.

Agencies can use as many as 71 combinations of factors to secure government buildings at all the levels. "The mechanisms can be combined in many ways, and the cases and rules for combining them are all in the document," MacGregor said.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.

inside gcn

  • Get ready for IoT-enabled threats

    Mirai creators helping FBI crack cybercrime cases

Reader Comments

Fri, Feb 20, 2009 Washington, DC

There is a physical access control system by LENEL Systems that is a great fit for this program. We currently use it here at our Federal Agency and have been amazingly pleased with its function and performance. There are a number of these systems in place in a very large number of Federal Govt installations nationwide. They have a group based here in Washington DC that is very knowledgeable on the subject. I suggest to learn more information on this you contact them. I believe their team's contact information is on their website.

Tue, Feb 17, 2009

Not good. NIST only addresses the protection of unclassified interests. DOD uses controlled, limited and exclusion to catagorize protection for areas that has only up to sensitive (controlled), classified information present but under the control of custodians who prevent unauthorized access (limited), and areas where mere presence constitues access to classified information (exclusion). NIS will cause confusion by using these same terms differently.

Thu, Feb 12, 2009

This is a very good idea. This should have been done a long time ago. Would have saved the government lots of money. Every institute has it own security system which I am sure cost lots of money. If you just have one system that talks to every institute that means one company or contractor can work on. Not several different security systems that don't communicate with each other.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group