Alliance Activities : Publications : PIV-Interoperable Credential Case Studies

PIV-Interoperable Credential Case Studies

Publication Date: February 2012

Homeland Security Presidential Directive 12 (HSPD-12) mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. Signed by President George W. Bush in August 2004, HSPD-12 initiated the development of a set of technical standards and issuance policies (referred to as Federal Information Processing Standard, FIPS 201) [1] that create the Federal identity infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies, regardless of which agency issues the credential.

The Federal government has issued well over 5 million of these credentials, called Personal Identity Verification (PIV) cards, to both employees and contractors. Federal agencies use the PIV card to authorize employee access to both physical and logical resources and to assign access privileges. The success of the program is largely due to the development of goals, issuance policies, and technical specifications that all Federal agencies have agreed to follow. A cross-certification policy establishes trust between agencies, so that employees from one agency can use their PIV credentials to access controlled resources while visiting other agencies. Products and systems that conform to the defined technical interoperability standards are offered by a variety of suppliers. New standards-compliant products are introduced frequently.

As the benefits of a common identity credential become clear, interest in such a credential is growing among non-Federal issuers. PIV-interoperable (PIV-I) cards are already being issued by Federal contractors to those employees who need access to Federal buildings and IT networks. [2] The PIV-I credential is technically interoperable with the Federal government PIV systems (e.g., readers) and is issued in a manner that allows Federal government agencies to trust the card. PIV-I credentials comply with Federal Bridge guidance on identity-proofing, registration, and issuance. PIV-I credentials are cross-certified with the Federal Public Key Infrastructure (PKI) Bridge [3] to allow contractor personnel to access authorized resources. Private enterprises can also take advantage of this technology. The Commercial Identity Verification (CIV) credential leverages the PIV-I specifications, technology, and data model without any requirement for identity proofing or PKI cross-certification. [4] Any enterprise can create, issue, and use CIV credentials to achieve whatever level of assurance is required in that enterprise’s environment.

This white paper provides case studies from Booz Allen Hamilton, SAIC, Xtec Incorporated and the Commonwealth of Virginia that identify realized benefits, describe best practices, and illustrate how and why the featured organizations chose to establish an identity program using the PIV-I credential. It represents one of the first efforts to document and share information about PIV-I deployments. These case studies represent the initial enterprise deployments outside of first responder use cases. Commercial off-the-shelf physical, logical, and mobile enterprise applications are increasingly supporting PIV (and therefore PIV-I) authentication methods. This support makes it easier for enterprise IT budgets to leverage their investment in identity, credentialing, access, and security services.

As the case studies indicate, a variety of organizations, including large corporations, consulting firms, and state and local governments, are all beginning to deploy PIV-I solutions. While each entity has its own specific reasons for doing so, certain common drivers are beginning to emerge:

References

[1] Draft FIPS PUB 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, National Institute of Standards, March 2011

[2] Personal Identity Verification Interoperability for Non-Federal Issuers, Version 1.1, Federal CIO Council, July 2010

[3] Federal Public Key Infrastructure

[4] Commercial Identity Verification (CIV) Credential–Leveraging FIPS 201 and the PIV Specifications, Smart Card Alliance Access Control Council white paper, October 2011,

About this White Paper

This white paper was developed by the Smart Card Alliance Identity Council to document the benefits of using PIV-interoperable credentials for enterprises and to provide implementation case studies of enterprises that are issuing or planning to issue PIV-I credentials.

Identity Council members involved in the development of this white paper included: Booz Allen Hamilton; Consult Hyperion; Datacard Group; Deloitte & Touche LLP; GSA; HP Enterprise Services; IDenticard Systems, Inc.;Identification Technology Partners; Identive Group; IDmachines; Intellisoft, Inc.; NagraID Security; NXP Semiconductors; Probaris; SAIC; Software House/Tyco;XTec, Inc..

About the Smart Card Alliance Identity Council

The Smart Card Alliance Identity Council is focused on promoting best policies and practices concerning person and machine identity, including strong authentication and the appropriate authorization across different use cases. Through its activities the Council encourages the use of digital identities that provide strong authentication across assurance environments through smart credentials–e.g., smart ID cards, mobile devices, enhanced driver’s licenses, and other tokens.

The Council addresses the challenges of securing identity and develops guidance for organizations so that they can realize the benefits that secure identity delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.