ANSI - American National Standards Institute

ID Interoperability: NIST Requests Public Comment on Draft Document for Use of ID to Access Federal Facilities


New York, Apr 09, 2008

In an effort to address the mandates set forth in Homeland Security Presidential Directive 12 (HSPD-12), the National Institute of Standards and Technology (NIST) has issued a request for public comment on Draft Special Publication 800-116 (SP 800-116), A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS).

Issued in 2004, HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification for all government employees, facilities and information systems.

To assist in the implementation and deployment of these new forms of identification, NIST developed Federal Information Processing Standard (FIPS) 201, Personal Identity Verification of Federal Employees and Contractors. Since the release of FIPS 201 in 2006, federal agencies have been issuing a secure form of government-wide ID known as the personal identity verification (PIV) card.

The PIV is intended to work throughout the federal government; however, it is not currently interoperable between agencies and is not fully enabled to work with all Physical Access Control Systems (PACS). Another impediment facing HSPD-12 compliance is that PACS are not currently designed to work on a graduated level of authentication assurance. In order to be fully compliant with the Directive, PACS need to verify identity and control access by balancing a cardholder’s credentials with the level of security needed at each facility.

Draft publication SP 800-116 outlines best-practice guidelines for integrating PIV cards with PACS. The document provides a method for verifying identity through a model describing four zones of increasing security in a facility: unrestricted, controlled, limited and exclusion. SP 800-116 specifies increasingly sophisticated authentication mechanisms for these zones including:

  • CHUID authentication (cardholder unique identifier): a visual inspection of the front and back of the PIV card, and reading the unique number on the card;
  • Biometrics: the use of distinguishing features in fingerprints to grant access; and
  • PKI authentication (public key infrastructure): the exchange of cryptographic information that requires the user to enter a PIN.

SP 800-116 considers the various types of federal facilities, from single-agency buildings to multi-agency campuses. It also explores how PACS can work with temporary ID cards for temporary employees or visitors.

Federal agencies, private organizations and individuals – particularly those responsible for implementing HSPD-12 – are invited to review the draft document and submit comments using the comment template form. Public comments are due by 5:00 p.m. on May 12, 2008, and may be submitted electronically at piv_comments@nist.gov.

Comments can also be mailed to NIST (attn: Comments on Public Draft SP 800-116, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930).
