FIPS 201: Personal Identity Verification for Federal Employees and Contractors
National Institute of Standards and Technology
Information Technology Laboratory
Computer Security Division
100 Bureau Drive
Gaithersburg, MD 20899-8900
Basis for Requirements
HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors
General Objectives
Common reliable identification verification for Government employees and contractors
• Reliable Identification Verification
• Government-wide
- Interoperability
- Basis for reciprocity
General Identity Management Environment
• Government: Common requirement for checking of identity documents and conduct of National Agency Checks
– Many documents on the list of authorized IDs are easy to obtain fraudulently or to forge (not all are picture IDs)
– Examples of authorized exceptions to background checking requirements
• Private Sector: No common identity requirements
General Identity Management Environment
• No common identity proofing or credential issuance requirements
• No common requirements for mechanisms to be used for identifying individuals for access control purposes
– Something known (e.g., password, PIN)
– Something possessed (e.g., ID card, PKI certificate)
– Personal characteristics (e.g., physical appearance, biometrics)
• No common identity credential specification
Identity Proofing and Credential Issuance
• Common minimum basis for issuing credentials
• Issuance infrastructure and procedures
– Separation of roles
– Minimum safeguards and security mechanisms associated with personalization and initialization of credentials
• Policy and procedures for accrediting issuers
Card Function and Interoperability Across Different Organizations
Common Characteristics
• Physical dimensions
• Circuit contact points
• Minimum set of information content
• Data formats
• Electromagnetic interfaces
• Communications protocols
• Physical integrity protection measures
• Cryptographic mechanisms
• Application programming interfaces
• Card-unique identifier
User Options
• Card Manufacturer
• Reader Devices
• Authorization hardware
• Identification and authorization processes
• Recognition and authorization software
• Physical tamper-resistance components/mechanisms
Creating Government Policy on the Use of Smart Card-based Credentials Across
Government Agencies
+ Accreditation of issuing authorities and facilities
+ Card issuance criteria and procedures
+ Database architecture and identity information access protocols
+ Card update, replacement, and revocation
+ Procurement authority and acceptance criteria
+ Minimum implementation requirements
+ Conformance test requirements and responsibilities
+ System and component configuration management and control policies and procedures
Implementing Interoperable Identity and Authorization Smart Cards
National agreement on:
· Basis for establishing identity
· Accommodation on each card of a minimum set of media for communicating identity information
· Means for verification of the identity and authorization of the card issuer
· Card-unique identifier
· Procedure for checking on the currency of identification information carried on the card
· Agreement on the minimum set of card holder identification and verification information that must be contained in or appear on the card
· Security certification criteria, authorities, and criteria
· Human or machine readable tamper indication characteristics
Practical Aspects of Identity Credentials
• Cost tolerance
• Technology preferences
• Privacy concerns
• Criteria with respect to relevant definition of identity
• Availability of reliable sources on which authorization to issue identity documents can be based
Specific Personal Identity Verification Requirements
HSPD-12: Policy for a Common Identification Standard
Secure and reliable forms of personal identification:
• Based on sound criteria to verify an individual employee’s identity
• Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
• Personal identity can be rapidly verified electronically
• Identity tokens issued only by providers whose reliability has been established by an official accreditation process
HSPD #12 Personal Identity Verification Requirements
• Applicable to all government organizations and contractors
• To be used to grant access to Federally-controlled facilities and logical access to Federally-controlled information systems
• Graduated criteria from least secure to most secure to ensure flexibility in selecting the appropriate security level for each application
• Not applicable to identification associated with national security systems
• To be implemented in a manner that protects citizens’ privacy
Personal Identity Verification Requirements
HSPD: Policy for a Common Identification Standard
• Departments and agencies shall have a program in place to ensure conformance within 4 months after issuance of FIPS
• Departments and agencies to identify applications important to security that would benefit from conformance to the standard within 6 months after issuance
• Compliance with the Standard is required in applicable Federal applications within 8 months following issuance
Community Concerns
• Agency investment in legacy systems
• Resource and time required to implement changes to existing systems
• Differences among Agencies regarding confidentiality and privacy requirements for identity information
• Differences among Agencies regarding which mechanisms are most effective with respect to:
- Physical and logical security
- Performance
- Business issues
Phased-Implementation Approach
Two Parts to PIV Standard
• Part I – Common Identification and Security Requirements
- HSPD #12 Control Objectives
Examples:
Identification shall be issued based on strong Government-wide criteria for verifying an individual employee’s identity
The identification shall be capable of being rapidly authenticated electronically Government-wide
- Identity Proofing Requirements (revised from October draft)
- Effective October 2005
• Part II – Common Interoperability Requirements
- Specifications
- Most Elements (revised) of October Preliminary Draft
- No set deadline for implementation in PIV standard
• Migration Timeframe (i.e., Phase I to II)
- IAW HSPD #12, Implementation Plans for OMB before July 2005
- OMB approves agency plans and/or develops schedule directive
Part I
Personal Identity Verification Standard for Federal Government Employees and Contractors
• Promulgate Federal Information Processing Standard within 6 months
• Establish requirements for:
Identity Token (ID Card) Application by Person
Identity Source Document Request by Organization
Identity Registration and ID Card Issuance by Issuer
Access Control (Determined by resource owner)
FIPS 201 Part II
• Integrated circuit card-based identity token (i.e., ID Card).
• Standard at framework level with minimum mandatory implementation for interoperability specified.
• Basis for specification of issuer accreditation and host system validation requirements.
• Basis for specification of ID card, data base infrastructure, protocols, and interfaces to card.
• Card/token issuance based on I-9 Identity Source Documents, request by government organization, and approval by authorized Federal official.
• Biometric and cryptographic mechanisms.
Supporting Specifications
• SP 800-73 – Card Interface Specification
• SP 800-76 – Biometrics Specification
• SP 800-78 – Cryptographic Algorithms
• SP 800-?? – Criteria for Accrediting Issuers
• Criteria for conformance demonstration
• Criteria for interoperability demonstration
Contact Information
William C. Barker
Program Manager
301-975-8443
800-437-4385
[email protected]
Web Site: http://csrc.nist.gov/piv-project/