The dawn of a new era in federal government facility access

jlovelock's picture

It all started in the aftermath of 9/11, in August 2004....

...when then-President G.W. Bush signed Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors. HSPD 12 was meant to eliminate the wide variations in the quality and security of identification used to gain access to secure facilities where there is potential for terrorist attacks. The initiative was intended to enhance security, increase government efficiency, reduce identity fraud and protect personal privacy by establishing a mandatory standard for secure and reliable forms of identification.

The National Institute of Standards and Technology (NIST) proceeded to develop Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, released in March of 2006. The FIPS 201 standard specifies the architecture and technical requirements for the common ID card issued to federal employees and contractors. It describes the requirements for a system that verifies personal identities, including identity proofing, registration and issuance, as well as the detailed specifications that ensure interoperability among the PIV systems of federal departments and agencies.

With the FIPS 201 standard in place, federal agencies started to issue PIV credentials to their employees. With millions of cards entering circulation, NIST issued Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. Issued in November 2008, SP 800-116 describes a strategy for agencies to enable their physical access control systems (PACS) to use PIV credentials and to select appropriate authentication mechanisms for managing physical access to federal government facilities and assets.

The time soon came to consider how to apply PIV technology to federal government contractors. So, in May 2009, the Federal CIO Council issued Personal Identity Verification Interoperability for Non-Federal Issuers. The CIO Council document describes how non-federal organizations can issue cards that are not only interoperable with federal PIV systems, but are also issued in a manner that allows the federal government to trust them. These cards, intended for use by contractors to the federal government, are called PIV-I, which stands for PIV Interoperable.

HID Global is one of a few vendors that have been accredited to issue PIV-I credentials. The HID Global PIV-I Service issues certified PIV-I smart cards with printed cardholder information and certificates that comply with government security regulations. In accordance with government mandates and standards, the PIV-I Service requires that contractors and their employees complete a series of simple steps to register and obtain PIV-I credentials.

Finally, in 2011 the president's Cyberspace Policy Review again highlighted the importance of identity management in protecting the nation's infrastructure through OMB memorandum M-11-11, which instructs agencies to develop and issue an implementation policy requiring the use of PIV credentials as the common means of identification for access to that agency's facilities, networks and information systems. The memorandum also includes the requirement that existing systems be upgraded to use PIV credentials as of the beginning of FY2012.

We are definitely entering a new era in secure physical access to federal government facilities. Instead of simple flash cards, which were easy to counterfeit, employees and contractors will now be able to obtain secure access by presenting their PIV or PIV-I credential at card readers that electronically check and verify its validity!