Draft guidelines issued for PIV card issuers

By William Jackson

By William Jackson

|

The new ID cards will be interoperable smart cards that can be used across agencies, and will incorporate a common set of identity proofing and issuing standards and technologies.

Comments on the draft guidelines should be e-mailed to by July 10.More details on FIPS-201 and PIV Card specifications are available from the in special publications , Interfaces for Personal Identity Verification; , Biometric Data Specifications for Personal Identity Verification; and , Cryptographic Algorithms and Key Sizes for Personal Identity Verification. Washington Technology's .

Draft guidelines have been released to help agencies verify that organizations issuing new governmentwide identification cards are up to the job.

The new cards were mandated in Homeland Security Presidential Directive 12, titled "Policy for a Common Identification Standard for Federal Employees and Contractors." More detailed objectives for the Personal ID Verification (PIV) Card were laid out in Federal Information Processing Standard 201, and specifications for the standard are spelled out in a series of special publications from the National Institute of Standards and Technology.

A requirement of HSPD 12 is that card issuers be accredited. The most recent NIST publication, SP 800-79, provides Guidelines for Certification and Accreditation of PIV Card Issuing Organizations. The draft is offered for public comment until July 10.

The new ID card will be an interoperable smart card that can be used across agencies. The cards will incorporate a common set of identity proofing and issuing standards, as well as technologies. Agencies must have plans in place for implementing HSPD 12 this year, and have until October 2007 to begin issuing the cards.

Each agency will be responsible for certifying and accrediting the issuer of its cards. Certification is the process of assessing the reliability, availability and capabilities of the issuer's personnel, equipment, finances and support infrastructure. Accreditation ? the management decision to authorize operation ? is done by a designated authority within an agency.

NIST has broken the certification and accreditation process into 10 tasks:


  • Preparation, which includes establishing security categories for the cards

  • Resource identification, which includes identifying resources needed for the C&A process

  • Plan analysis and acceptance, which includes identifying requirements for a card issuer and an issuer's plan analysis

  • Card issuer attribute assessment, which includes documenting and assessing the issuer's resources

  • Certification documentation, which includes updates to and signing off on the issuer's plans

  • Accreditation decision, which includes a review of the certification

  • Accreditation documentation, which includes the decision to authorize the issuer

  • Issuer operations management, which includes analysis of the issuer's performance

  • Issuer status monitoring, which includes ongoing assessment of the issuer

  • Status monitoring and documentation, which includes updates and monitoring of the issuer's plans.

PIVaccreditation@nist.gov

NIST Web site800-73800-76800-78

William Jackson is a senior writer forsister publication,Government Computer News

NEXT STORY: Symplicity wins bid to run FedBizOpps.gov