ANSI - American National Standards Institute

Commerce Secretary Announces New ID Standard for Federal Agencies


New York, Feb 25, 2005

The U.S. Department of Commerce has approved a new standard for a smart-card-based form of identification for all federal government departments and agencies to issue to their employees and contractors requiring access to federal facilities and systems. Compliance with this standard and the specifications in the supporting documents is mandatory; however, there are concerns that government agencies will have difficulty meeting the successive deadlines determined by the Office of Management and Budget (OMB). The Federal ID Credentialing Committee is expected to issue a handbook soon to aid agencies in the transition process.

The Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, was developed by computer security specialists at the National Institute of Standards and Technology (NIST) in collaboration with several other federal agencies—including the OMB, the Office of Science and Technology Policy, and the Departments of Defense, State, Justice and Homeland Security—as well as representatives from the private sector. During the development process NIST received comments from more than 80 organizations and individuals. According to Commerce, these comments were carefully considered and led to many changes in the final standard.

An August 2004 presidential directive called for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors. The directive specified that the secure and reliable forms of identification should be based on sound criteria for verifying the cardholder’s identity; be strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation; use electronic methods of rapid authentication; and be issued only by providers whose reliability has been established by an official accreditation process.

The FIPS 201 standard specifies the technical and operational requirements for the PIV system and card. The first part of the standard describes the minimum requirements needed to meet the control and security objectives of the presidential directive, including the process to prove an individual’s identity. By October 2005, agencies must meet the requirements of the first part of the standard. The second section explains the many components and processes that will support a smart-card-based platform, including the PIV card and biometric readers. It also describes a means to collect, store and maintain information and documentation needed to authenticate and assure an individual’s identity. OMB will determine the timeline for agencies to comply with the second part of the standard.

“Protecting federal facilities, systems and the employees who have access to them is of vital importance to this Administration,” said Commerce Secretary Carlos M. Gutierrez. “This new standard will enable federal agencies to issue more secure and reliable forms of identification to better protect federal assets against threats such as terrorist attacks. It also will help safeguard against other risks such as identity theft.”

The smart card will contain a programmable chip supporting four levels of security, including cryptographic tools, and biometric data to verify identity. NIST is also working to develop two key companion documents to FIPS 201. Interfaces for Personal Identity Verification (NIST Special Publication 800-73) will specify interface requirements for retrieving and using data from the PIV card. Biometric Data Specification for Personal Identity Verification (NIST Special Publication 800-76) will specify technical acquisition and formatting requirements for the biometric credentials of the PIV system. A copy of FIPS 201 and other information are available at http://csrc.nist.gov/piv-project/index.html.
