ClearedJobs.Net - Cleared Professionals Marketplace

Personal Identification Cards

The old days of receiving an identity card via the personnel department with minimal paperwork, a bad photo and red tape are gone. Ushered in with the new era of homeland security is the Personal Identification Card (PIV), also known as the HSPD identity card or smart identity card. The PIV cards are designed to enhance security at Federal buildings by reading electronically stored data to verify identification. The cards are more or less the size of a credit card and contain integrated circuit chips for storing electronic information.

To address the variations in the quality and security of identification used to enter secure Federal and other government facilities, President Bush issued a Homeland Security Presidential Directive (HSPD-12, 2004) that required a mandatory, government-wide personal identification standard. (The standard applies to both government employees and contractors.) In response to the directive, NIST proposed the smart card, which contains a portable means to store and process data in a secure manner. Both the “identity proofing” process and the technical security mechanisms of the smart card standard are designed to increase Federal access security and reduce personal identity theft.

NIST set an aggressive deadline of October 2005 for all governmental agencies to meet the first phase of the PIV system and card. The first phase of the standard describes the minimum requirements to meet the objectives of the presidential directive, including the process to prove an individual’s identity. It was also the deadline to begin actually issuing PIV cards to employees. The second phase explains the many components and processes that support a smart-card-based platform, including the PIV card itself as well as card readers and biometric readers. It also describes a means to collect, store and maintain information and documentation to authenticate an identity.

Jumping forward, by October 27, 2008 all governmental agencies must issue cards to all their employees and contractors. But according to many sources, the biggest challenge is not the actual issuance of the cards, but the life-cycle management of the cards (data). It is a daunting and extremely expensive task that agencies are approaching at different speeds and in different manners. Interestingly enough, the October 27 deadline does not require that agencies have their PIV card readers installed, although that will be required down the road. In the meantime, security employees will continue to visually inspect the PIV cards.

Although the new PIV Card looks similar to older forms of identification with a standard photo, name, date of expiration etc., the new smart cards contain several elements of vital electronic data.  Each card must have a Personal Identification Number (PIN)—this data is used to authenticate the cardholder to the card (much like an ATM PIN); a Cardholder Unique Identifier (CHUID)—this number uniquely identifies the individual within the PIV system; two fingerprint biometrics that are PIN protected; and one asymmetric cryptographic key pair used to authenticate the card to the PIV system.

As part of the PIV “identity proofing” process, government agencies must review at least two identity documents issued by approved government entities for each applicant and initiate an OPM background investigation. The initial phase of that check, known as the “National Agency Check,” must be completed before the new ID card is issued.

While increasing the breadth and depth of information required for government workers and contractors, the standard also includes several security requirements to protect smart card holders against identity theft. For example, each agency must appoint a PIV privacy officer to assess its PIV systems and oversee everything from how information is collected to how it is stored to how it will be used. In addition, since the PIV cards have wireless capability, employees are required to keep their card in an electronically opaque sleeve to minimize the risk of unauthorized data reading.

Overall, there remains a degree of flexibility within Federal agencies with regard to how they augment the usage of PIV cards. In the future, iris scans, hand geometry or DNA verification may not just be James Bond script material. However, for now the standard provides graduated levels of security that offer agencies some freedom in selecting the appropriate level of security for each application and the freedom to decide who has appropriate access to their information systems and buildings.

One final word about PIV cards – if you have one, be sure not to lose it. One source quoted a replacement cost of $52. That would buy a lot of government-style cafeteria lunches.

Sources:
http://csrc.nist.gov/publications/nistpubs/800-79/sp800-79Q-As.pdf

http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html

http://www.gcn.com/media/10272006.mp3

http://www.findbiometrics.com/article/43

http://www.commerce.gov/opa/press/Secretary_Gutierrez/2005_Releases/February/25_Gutierrez_ID_Standards_QnA.htm

http://www.fcw.com/article96615-10-30-06-Print