Government Identity/Credentialing Resources

Homeland Security Presidential Directive 12 (HSPD-12), issued by President George W. Bush on August 27, 2004, mandated the establishment of a standard for identification of Federal Government employees and contractors. HSPD-12 requires the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems.

The Department of Commerce and National Institute of Standards and Technology (NIST) were tasked with producing a standard for secure and reliable forms of identification. In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, issued on February 25, 2005, and a number of special publications that provide more detail on the implementation of the standard.

Both Federal agencies and enterprises are now implementing FIPS 201-compliant ID programs.

In September 2008, the Federal CIO Council established the Information Security & Identity Management Committee. The ISIMC, as it is commonly called, was charged with overseeing the government-wide activities related to Cybersecurity and Identity Management. In turn, the ISIMC established four subcommittees. The Identity, Credential and Access Management Subcommittee, often referred to as ICAM is co-chaired by GSA and DoD and is tasked with aligning the Identity Management activities of government, while the remaining three deal with the cybersecurity taskings.

The resources below were compiled by the Smart Card Alliance to assist organizations with their implementation of government identity/credentialing initiatives.

Smart Card Alliance Resources

• Assurance Levels Overview and Recommendations, March 2010

• Authentication Mechanisms for Physical Access Control Systems, October 2009

• The Commercial Identity Verification (CIV) Credential–Leveraging FIPS 201 and the PIV Specifications, October 2011

• Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility, Smart Card Alliance Physical Access Council white paper, September 2006

• Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery, Identity Council and Physical Access Council white paper, October 2008

• Expert Series Videos: Biometrics, Commercial Identity Verification, FICAM, First Responder Authentication Credentials, NSTIC, PIV-Interoperable (PIV-I) Credentials

• FICAM in Brief: A Smart Card Alliance Summary of the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, May 2010

• FIPS 201 and Physical Access Control: An Overview of the Impact of FIPS 201 on Federal Physical Access Control Systems, a Smart Card Alliance Physical Access Council white paper, September 2005

• FIPS 201 PIV II Card Use with Physical Access Control Systems: Recommendations to Optimize Transaction Time and User Experience, Smart Card Alliance Physical Access Council white paper, May 2007

• FIPS 201 PIV II Card Use with Physical Access Control Systems: Recommendations to Optimize Transaction Time and User Experience, Smart Card Alliance Physical Access Council white paper, May 2007

• Identifiers and Authentication–Smart Credential Choices to Protect Digital Identity, September 2009

• Interoperable Identity Credentials for the Air Transport Industry, Physical Access Council and Identity Council white paper, October 2008

• NSTIC Frequently Asked Questions, August 2011

• Personal Identity Verification Interoperable (PIV-I): A Secure ID Credential for Non-Federal Issuers slide show

• Personal Identity Verification Interoperability (PIV-I) for Non-Federal Issuers: Trusted Identities for Citizens across States, Counties, Cities and Businesses, February 2011

• Physical Access Control System Migration Options for Using FIPS 201-1 Compliant Credentials, Smart Card Alliance Physical Access Council white paper developed in collaboration with the Open Security Exchange, Security Industry Association and International Biometric Industry Association, September 2007

• Physical Access Control Systems and FIPS 201, a Smart Card Alliance Physical Access Council briefing presentation, January 2006

• PIV-I for Non-Federal Issuers Webinar, NASCIO and Smart Card Alliance webinar, March 17, 2011

• Recommendation on the Credential Numbering Scheme for the FIPS 201 PIV Card Global Unique Identifier, March 2009

• Securing Identity and Enabling Employment Verification: How Do Immigration Reform and Citizen Identification Align?, May 2010

• Smart Cards and Biometrics, March 2011

• Using FIPS 201 and the PIV Card for the Corporate Enterprise, Identity Council and Physical Access Council white paper, October 2008

Federal CIO Council / Identity, Credential and Access Management (ICAM) Subcommittee

• IDManagement.gov, federal web site with information for citizens, businesses, and government entities interested in identity management activities, including topics related to Homeland Security Presidential Directive 12, Public Key Infrastructure, and E-Authentication
• Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, Version 2.0, December, 2011. This document provides Federal agencies with architecture and implementation guidance that addresses existing ICAM concerns and issues.
• Identity, Credential, and Access Management (ICAM) Roadmap Snapshot. This document provides a snapshot that describes the core components of ICAM, provides a description of the Roadmap, lists five strategic goals and their related objectives, as well as the value proposition of the ICAM segment architecture
• PIV Interoperability for Non-Federal Issuers, July 2010. This document advocates a set of minimum requirements for non-federally issued identity cards that can be trusted by the Federal government.

NIST Publications and Programs

• Federal Information Processing Standard Publication 201-1 (FIPS 201-1), Personal Identity Verification (PIV) of Federal Employees and Contractors, NIST, March 2006
• NIST PIV web site
• NIST Personal Identity Verification Program (NPIVP) web site
• NIST Special Publication 800-63-1 (SP 800-63-1), December 2011: Electronic Authentication Guideline
• NIST Special Publication 800-73-3 (SP 800-73-3), February 2010: Interfaces for Personal Identity Verification (4 Parts)
  • Part 1 - End Point PIV Card Application Namespace, Data Model and Representation
  • Part 2 - PIV Card Application Interface
  • Part 3 - PIV Client Application Programming Interface
  • Part 4 - The PIV Transitional Data Model and Interfaces
• NIST Special Publication 800-76-1 (SP 800-76-1), January 2007: Biometric Data Specification for Personal Identity Verification
• NIST Special Publication 800-78-3 (SP 800-78-3), December 2010: Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV)
• NIST Special Publication 800-79-1 (SP 800-79-1), June 2008: Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI’s)
• NIST Special Publication 800-85 A-2(SP 800-85A-2), July 2010: PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 Compliance)
• NIST Special Publication 800-85 B (SP 800-85B), July 2006: PIV Data Model Test Guidelines
• NIST DRAFT Special Publication 800-85 B-1 (SP 800-85B-1), September 11, 2009: DRAFT PIV Data Model Conformance Test Guidelines
• NIST Special Publication 800-87 Rev 1 (SP 800-87), April 2008: Codes for the Identification of Federal and Federally-Assisted Organizations
• NIST Special Publication 800-96 (SP 800-96), September 2006: PIV Card to Reader Interoperability Guidelines
• NIST Special Publication 800-116 (SP 800-116), November 2008: A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

Office of Management and Budget (OMB) Guidance

• IDManagement.gov, http://www.idmanagement.gov
• HSPD-12 Implementation Reports
• “E-Authentication Guidance to Federal Agencies,” OMB Memorandum M-04-04, December 16, 2003

General Services Administration (GSA) Guidance on Implementation and Acquisition

• “Acquisitions of Products and Services for Implementation of HSPD-12,” General Services Administration (GSA) memorandum, August 10, 2005
• GSA Approved Products List
• GSA FIPS 201 Evaluation Program

Federal Identity Credentialing Interagency Advisory Board (IAB) Publications

• Government Smart Card Interagency Advisory Board (IAB) web site
• Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems, Version 2.2, July 30, 2004 (PACS 2.2)

Presidential Directives

• Homeland Security Presidential Directive/HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004
• Homeland Security Presidential Directive/HSPD-11: Comprehensive Terrorist-Related Screening Procedures, August 27, 2004

Industry Associations

• International Biometrics and Identification Association (IBIA)
• Kantara Initiative
• Open Identity Exchange
• Open Security Exchange
• Security Industry Association (SIA)
• Smart Card Alliance

Other Resources

• FIPS201.com, a complete source for FIPS 201 and GSA Approved Identity and Credentialing Products from Avisian Publications