Draft guidelines released for certifying PIV Card issuers
Draft guidelines have been released to help agencies verify that organizations issuing new governmentwide identification cards are up to the job.
The new cards were mandated in Homeland Security Presidential Directive 12
, titled “Policy for a Common Identification Standard for Federal Employees and Contractors.” More detailed objectives for the Personal ID Verification (PIV) Card were laid out in Federal Information Processing Standard 201
, and specifications for the standard are spelled out in a series of special publications from the National Institute of Standards and Technology.
A requirement of HSPD 12 is that card issuers be accredited. The most recent NIST publication, SP 800-79
, provides Guidelines for Certification and Accreditation of PIV Card Issuing Organizations. The draft is offered for public comment until July 10.
The new ID card will be an interoperable smart card that can be used across agencies. The cards will incorporate a common set of identity proofing and issuing standards, as well as other technologies. Agencies must have plans in place for implementing HSPD 12 this year, and have until October 2006 to begin issuing the cards.
Each agency will be responsible for certifying and accrediting the issuer of its cards. Certification is the process of assessing the reliability, availability and capabilities of the issuer’s personnel, equipment, finances and support infrastructure. Accreditation — the management decision to authorize operation — is done by a designated authority within an agency.
NIST has broken the certification and accreditation process into 10 tasks:
- Preparation, which includes establishing security categories for the cards
- Resource identification, which includes identifying resources needed for the C&A process
- Plan analysis and acceptance, which includes identifying requirements for a card issuer and an issuer’s plan analysis
- Card issuer attribute assessment, which includes documenting and assessing the issuer’s resources
- Certification documentation, which includes updates to and signing off on the issuer’s plans
- Accreditation decision, which includes a review of the certification
- Accreditation documentation, which includes the decision to authorize the issuer
- Issuer operations management, which includes analysis of the issuer’s performance
- Issuer status monitoring, which includes ongoing assessment of the issuer
- Status monitoring and documentation, which includes updates and monitoring of the issuer’s plans.
Comments on the draft guidelines should be e-mailed to PIVaccreditation@nist.gov
by July 10.
More details on FIPS-201 and PIV Card specifications are available from the NIST Web site
in special publications 800-73
, Interfaces for Personal Identity Verification; 800-76
, Biometric Data Specifications for Personal Identity Verification; and 800-78
, Cryptographic Algorithms and Key Sizes for Personal Identity Verification.
Connect with the GCN staff on Twitter @GCNtech.