Page 1: FIPS 201 Personal Identity Verification For Federal Employees and Contractors

FIPS 201

Personal Identity Verification For Federal Employees and Contractors

National Institute of Standards and Technology

Information Technology Laboratory

Computer Security Division

100 Bureau Drive

Gaithersburg, MD 20899-8900

Page 2

Basis for Requirements

HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors


Page 3

General Objectives

Common reliable identification verification for Government employees and contractors

• Reliable Identification Verification

• Government-wide

- Interoperability

- Basis for reciprocity

Page 4

General Identity Management Environment

• Government: Common requirement for checking of identity documents and conduct of National Agency Checks

– Many documents on the list of authorized IDs are easy to obtain fraudulently or to forge (not all are picture IDs)

– Examples of authorized exceptions to background checking requirements

• Private Sector: No common identity requirements

Page 5

General Identity Management Environment

• No common identity proofing or credential issuance requirements

• No common requirements for mechanisms to be used for identifying individuals for access control purposes

– Something known (e.g., password, PIN)

– Something possessed (e.g., ID card, PKI certificate)

– Personal characteristics (e.g., physical appearance, biometrics)

• No common identity credential specification

Page 6

Identity Proofing and Credential Issuance

• Common minimum basis for issuing credentials

• Issuance infrastructure and procedures

– Separation of roles

– Minimum safeguards and security mechanisms associated with personalization and initialization of credentials

• Policy and procedures for accrediting issuers

Page 7

Card Function and Interoperability Across Different Organizations

Common Characteristics

• Physical dimensions

• Circuit contact points

• Minimum set of information content

• Data formats

• Electromagnetic interfaces

• Communications protocols

• Physical integrity protection measures

• Cryptographic mechanisms

• Application programming interfaces

• Card-unique identifier

User Options

• Card Manufacturer

• Reader Devices

• Authorization hardware

• Identification and authorization processes

• Recognition and authorization software

• Physical tamper-resistance components/mechanisms

Page 8

Creating Government Policy on the Use of Smart Card-based Credentials Across Government Agencies

+ Accreditation of issuing authorities and facilities

+ Card issuance criteria and procedures

+ Database architecture and identity information access protocols

+ Card update, replacement, and revocation

+ Procurement authority and acceptance criteria

+ Minimum implementation requirements

+ Conformance test requirements and responsibilities

+ System and component configuration management and control policies and procedures

Page 9

Implementing Interoperable Identity and Authorization Smart Cards

National agreement on:

· Basis for establishing identity

· Accommodation on each card of a minimum set of media for communicating identity information

· Means for verification of the identity and authorization of the card issuer

· Card-unique identifier

· Procedure for checking on the currency of identification information carried on the card

· Agreement on the minimum set of card holder identification and verification information that must be contained in or appear on the card

· Security certification criteria, authorities, and criteria

· Human or machine readable tamper indication characteristics

Page 10

Practical Aspects of Identity Credentials

• Cost tolerance

• Technology preferences

• Privacy concerns

• Criteria with respect to relevant definition of identity

• Availability of reliable sources on which authorization to issue identity documents can be based

Page 11

Specific Personal Identity Verification Requirements

HSPD-12: Policy for a Common Identification Standard

Secure and reliable forms of personal identification:

• Based on sound criteria to verify an individual employee’s identity

• Is strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation

• Personal identity can be rapidly verified electronically

• Identity tokens issued only by providers whose reliability has been established by an official accreditation process

Page 12

HSPD #12 Personal Identity Verification Requirements

• Applicable to all government organizations and contractors

• To be used to grant access to Federally-controlled facilities and logical access to Federally-controlled information systems

• Graduated criteria from least secure to most secure to ensure flexibility in selecting the appropriate security level for each application

• Not applicable to identification associated with national security systems

• To be implemented in a manner that protects citizens’ privacy

Page 13

Personal Identity Verification Requirements

HSPD: Policy for a Common Identification Standard

• Departments and agencies shall have a program in place to ensure conformance within 4 months after issuance of FIPS

• Departments and agencies to identify applications important to security that would benefit from conformance to the standard within 6 months after issuance

• Compliance with the Standard is required in applicable Federal applications within 8 months following issuance

Page 14

Community Concerns

• Agency investment in legacy systems

• Resource and time required to implement changes to existing systems

• Differences among Agencies regarding confidentiality and privacy requirements for identity information

• Differences among Agencies regarding which mechanisms are most effective with respect to:

- Physical and logical security

- Performance

- Business issues

Page 15

Phased-Implementation Approach

Two Parts to PIV Standard

• Part I – Common Identification and Security Requirements

- HSPD #12 Control Objectives

Examples:

Identification shall be issued based on strong Government-wide criteria for verifying an individual employee’s identity

The identification shall be capable of being rapidly authenticated electronically Government-wide

- Identity Proofing Requirements (revised from October draft)

- Effective October 2005

• Part II – Common Interoperability Requirements

- Specifications

- Most Elements (revised) of October Preliminary Draft

- No set deadline for implementation in PIV standard

• Migration Timeframe (i.e., Phase I to II)

- IAW HSPD #12, Implementation Plans for OMB before July 2005

- OMB approves agency plans and/or develops schedule directive

Page 16

Part I

Personal Identity Verification Standard for Federal Government Employees and Contractors

• Promulgate Federal Information Processing Standard within 6 months

• Establish requirements for:

- Identity Token (ID Card) Application by Person

- Identity Source Document Request by Organization

- Identity Registration and ID Card Issuance by Issuer

- Access Control (Determined by resource owner)

Page 17

FIPS 201 Part II

• Integrated circuit card-based identity token (i.e., ID Card).

• Standard at framework level with minimum mandatory implementation for interoperability specified.

• Basis for specification of issuer accreditation and host system validation requirements.

• Basis for specification of ID card, data base infrastructure, protocols, and interfaces to card.

• Card/token issuance based on I-9 Identity Source Documents, request by government organization, and approval by authorized Federal official.

• Biometric and cryptographic mechanisms.


Page 18

Supporting Specifications

• SP 800-73 – Card Interface Specification

• SP 800-76 – Biometrics Specification

• SP 800-78 – Cryptographic Algorithms

• SP 800-?? – Criteria for Accrediting Issuers

• Criteria for conformance demonstration

• Criteria for interoperability demonstration

Page 19

Contact Information

William C. Barker

Program Manager

301-975-8443

800-437-4385

[email protected]

Web Site: http://csrc.nist.gov/piv-project/