Information processing standards, Federal: Federal employees and contractors; personal identification verification,
[Federal Register: April 8, 2005 (Volume 70, Number 67)]
[Notices]
[Page 17975-17978]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr08ap05-28]
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 041103306-5014-02]
RIN 0693-AB54
Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201, Standard for Personal Identity Verification of Federal Employees and Contractors
AGENCY: National Institute of Standards and Technology (NIST), Commerce.
ACTION: Notice.
SUMMARY: The Secretary of Commerce has approved Federal Information
[[Page 17976]]
Processing Standard (FIPS) Publication 201, Standard for Personal Identity Verification of Federal Employees and Contractors, and has made it compulsory and binding on Federal agencies for use in issuing a secure and reliable form of personal identification to employees and contractors. The standard does not apply to personal identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).
Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 27, 2004, directed the Secretary of Commerce to promulgate, by February 27, 2005, a Government-wide standard for secure and reliable forms of identification to be issued by the Federal Government to its employees and contractors (including contractor employees). HSPD-12 specified that the secure and reliable forms of identification to be issued to employees and contractors should be based on: sound criteria for verifying an individual employee's identity; strong resistance to identity fraud, tampering, and terrorist exploitation; capability of being rapidly authenticated electronically; and issuance by providers whose reliability has been established by an official accreditation process.
FIPS 201 was developed to satisfy the technical, administrative, and timeliness requirements of HSPD 12. The standard was developed in a ``manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans'' as required in HSPD 12. In developing the standard, NIST used technical input solicited from industry and government participants in workshops and public meetings, and from a Federal Register notice (69 FR 68128) of November 23, 2004, inviting comments from industry and government on the draft standard.
DATES: This standard is effective February 24, 2005.
ADDRESSES: A copy of FIPS Publication 201 is available electronically from the NIST Web site at: http://csrc.nist.gov/publications/.
FOR FURTHER INFORMATION CONTACT: W. Curtis Barker, (301) 975-8443, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930, e-mail: wbarker@nist.gov.
SUPPLEMENTARY INFORMATION: A notice was published in the Federal Register (69 FR 55586) on September 15, 2004, announcing a Public Workshop on Personal Identity Verification (PIV) of Federal Employees/ Contractors. The primary goal of the workshop was to obtain information on secure and reliable methods of verifying the identity of Federal employees and contractors who are given authorized access to Federal facilities and information systems. Workshop participants included representatives from government and industry organizations. An overview of the requirements of HSPD 12 and the schedule established by NIST for developing and promulgating the required standard were discussed.
A Federal Register notice [69 FR 68128] was published on November 23, 2004, announcing draft FIPS 201 and soliciting comments on the draft standard from the public, research communities, manufacturers, voluntary standards organizations, and Federal, State, and local government organizations. In addition to being published in the Federal Register, the notice was posted on the NIST Web pages. Information was provided about the submission of electronic comments and an electronic template for the submission of comments was made available.
Comments, responses, and questions were received from 55 private sector organizations, groups, or individuals, 33 Federal government organizations and one Canadian government organization.
These comments have all been made available by NIST at http://csrc.nist.gov/piv-project/fips201-support-docs.html. Many of the
comments received recommended editorial changes, provided general comments, and asked questions concerning the implementation of the standard. Many comments supported the goals of personal identity verification. Some of the comments recommended against adoption of this or any similar standard.
The primary interests and issues that were raised in the comments included: Installed or competing technology; emerging technology and standards; technology neutrality; privacy; security; timeliness; cost; interoperability; scope; applicability; flexibility; simplicity; consistency; and ease of use. Detailed technical comments covered issues including: Identity proofing and registration; smart card topology; card programming; biometrics; graduated levels of assurance/ protection; public key infrastructure supporting digital signatures for data security and authentication.
The technical specifications were modified based on the comments received, while maintaining a complete, coherent standard. The standard was modified to strengthen the process for assuring the secure and reliable identification of Federal employees and contractors to whom PIV cards are to be issued. Applicants for PIV cards are to appear in person, provide two original documents showing identity, and provide background information that can be verified. Agencies are required to photograph and fingerprint applicants, to initiate background checks using the National Agency Check with Inquiries (NACI) or National Agency Check (NAC) procedures, and to complete other steps to assure security, privacy and proper storage of information. NIST has also revised the standard to provide for specified graduated security levels of protection features from the least secure to the most secure, in accordance with the requirements of HSPD-12. These features are provided within the standard with technical assurances and for agency use in selecting the appropriate level of security for each application. Other technical questions and issues including the specifications for the PIV card interface and the biometric algorithm interface are addressed in technical publications that accompany and support the implementation of FIPS 201. Draft NIST Special Publication 800-73, Integrated Circuit Card for Personal Identity Verification, and draft NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification, have been posted on NIST's Web pages for public review and comment. These documents can be found at http://csrc.nist.gov/publications/drafts.html. Additional Special Publications
will be developed as needed and made available for public review.
Issues concerning agency budget constraints and the schedule for implementation of the standard have been referred to the Office of Management and Budget (OMB). Comments noting ambiguities or asking for clarification concerning the standard have been incorporated into a Frequently Asked Questions (FAQ) document to be published and maintained on NIST's Web pages in the PIV Project Web site. All of the editorial suggestions were carefully reviewed and changes were made to the standard where appropriate.
A Federal Register notice [69 FR 78033] was published on December 29, 2004, announcing a public meeting that was held on January 19, 2005, to discuss the privacy, security, and policy issues associated with HSPD-12. Many other meetings and discussions with industry and government representatives were
[[Page 17977]]
held to balance the different, conflicting, and often mutually exclusive interests of the parties providing comments. The approved standard reflects these balanced interests while meeting the overall objectives of quality and timeliness of the standard.
Following is an analysis of the comments received, including the interests, concerns, recommendations, and issues considered in the development of FIPS 201. More information about the development of FIPS 201 is available on NIST's Web pages at http://www.csrc.nist.gov.
Comment: Some Federal agencies were concerned about the cost of implementing the standard, their ability to implement the standard within their budget constraints and the tight schedule specified in the standard for implementation.
Response: Issues concerning the costs of implementing the standard and the schedule for implementation have been referred to the Office of Management and Budget (OMB).
Comment: Comments were received about protecting the privacy of individuals, and limiting the sharing of information on personal identity between organizations. Some comments expressed concern about the interoperability provisions of the PIV card possibly leading to the linking of databases with information about individuals, and the issuance of a national identity card.
Response: The privacy requirements contained in FIPS 201 and guidance to agencies to ensure the privacy of applicants for PIV cards have been strengthened in Section 2.3. The requirements for agencies include: The appointment of a PIV Privacy Official; the assessment of systems for their impact on privacy; identification of information to be collected about individuals and how the information will be used; assurance that systems containing personal information adhere to fair information practices; and audits of systems for compliance with privacy policies and practices. OMB has informed NIST that it intends to issue privacy and implementation guidance to agencies.
Comment: Comments were received about ambiguities in the standard and issues that needed to be clarified, both in the text of the standard and in the diagrams that accompany the text. Other comments and questions pertained to agency authority in determining those individuals to whom PIV cards should be issued.
Response: Comments noting technical ambiguities and requests for clarification concerning specific provisions in the standard were reviewed and changes to clarify the intent were incorporated into the standard where appropriate. Comments requesting clarification on issues not specifically addressed in the technical specifications, such as costs, policies, agency roles and responsibilities have been addressed and answered in a document of Frequently Asked Questions (FAQ). This document will be published when the standard is approved and will be maintained on NIST's Web pages in the PIV Project Web site. Other comments noting ambiguities dealing with implementation of the standard will be addressed in the implementation guidance currently under development.
Comment: Technical issues were raised concerning identity validation or ``proofing'' to be performed when initiating the issuance of a PIV Card, and the graduated criteria from the least secure to the most secure. These protection features were required in HSPD-12 to ensure flexibility in selecting the appropriate level of security for each application.
Response: The technical specifications were modified based on the comments received, while maintaining a complete, coherent standard, and including the required graduated security levels of protection. The specifications were modified to allow for the use of a government- issued document and a background check to assure the identity of the individual to whom a card would be issued. The security features are provided within the revised standard with technical assurances, and are available for agency use in selecting the appropriate level of security, from some security to very high security, for each form of identity issued and for each application.
Comment: Technical issues were raised concerning the PIV Card interface and the biometric specifications. Some comments pointed out that the requirement for two fingerprint images and a facial image would occupy most of the storage capabilities of the chip on the card. Other comments pertained to the number of fingerprints that should be included on a PIV card, and recommended the use of additional biometric information.
Response: Since the storage of a facial image of the applicant on the chip would consume much of the electronic memory of a PIV card, the specifications were modified to require only two fingerprint storage. The use of fingerprint data provides a reliable and secure means of automated identification, and agencies are required to put photographs of applicants on the cards for a visual means of identification. The use of a stored facial image on the PIV card can be evaluated in the future as card capacity increases. Issues concerning the card interface and the storage of personal information are addressed in technical publications that accompany FIPS 201, including draft NIST Special Publication 800-73, Integrated Circuit Card for Personal Identity Verification, and other planned Special Publications. Additionally, the interface and formatting requirements for biometric information are addressed in draft NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. SP 800-73 and SP 800- 76 have been posted on NIST's web pages for public review and comment
[http://csrc.nist.gov/ publications/drafts.html] . The issuance of
recommendations for interfaces, storage and formatting specifications in Special Publications allows for flexibility and adaptability as the technology improves.
Comment: Issues were raised about the card specifications, including the use of certain authentication protocols. Other issues concerned the topology, or physical layout, of the card, and the authority of agencies to select formats, appearances of the card and special security threats.
Response: Clarifications were made to the text of the standard to make the requirements for authentication protocols more specific. The authentication mechanisms that are provided in the standard enable agencies to implement methods including visual identification, use of biometric data, and use of asymmetric keys, which help to establish the agency's confidence in the identity of a cardholder presenting a PIV card. The text was clarified to identify those areas where agencies can have flexibility in determining the format and appearance of the card. The inclusion of a photograph of a PIV cardholder is mandatory. The use of an agency seal is optional. Because of certain heightened overseas threats an agency may issue credentials that do not contain (or otherwise do not fully support) the wireless and/or biometric capabilities.
Comment: Issues were raised concerning the secure administration of the card-issuing system, including processes for renewal of cards, for making changes to the cards, for protecting against fraud, counterfeiting, and modification of cards, and for including agency and personal information on cards.
Response: These topics will be addressed in the Frequently Asked
[[Page 17978]]
Questions document that will be available on NIST's web pages when the standard is issued, and in currently available draft Special Publications, as well as future NIST Special Publications.
This action has been determined to be significant under E.O. 12866.
Authority: In accordance with the Information Technology Management Reform Act of 1996 (Pub. L. 104-106) and the Federal Information Security Management Act (FISMA) of 2002 (Pub. L. 107- 347), the Secretary of Commerce is authorized to approve Federal Information Processing Standards (FIPS). Homeland Security Presidential Directive (HSPD) 12 entitled ``Policy for a Common Identification Standard for Federal Employees and Contractors'', dated August 27, 2004, directed the Secretary of Commerce to promulgate, by February 27, 2005, a Government-wide standard for secure and reliable forms of identification to be issued by the Federal Government to its employees and contractors.
Dated: March 30, 2005. Hratch G. Semerjian, Acting Director, NIST.
[FR Doc. 05-7038 Filed 4-7-05; 8:45 am]
