We Will All Use Smart Prox

The U.S. Commerce Secretary, Carlos M. Gutierrez, recently approved the new standard for a smart card-based form of identification. As well as covering government employees, prox-based smart cards will be issued to all their employees as well as all contractors requiring access to federal facilities and systems. The U.S. government is the West’s single largest employer and the move gives smart card developers the global killer app they’ve sought for the best part of 10 years. It’s virtually certain that smart prox biometric IDs will infiltrate all aspects of official identification over the next few years. “Protecting federal facilities, systems and the employees who have access to them is of vital importance to this Administration,” said Gutierrez. “This new standard will enable federal agencies to issue more secure and reliable forms of identification to better protect federal assets against threats such as terrorist attacks. It also will help safeguard against other risks such as identity theft,” said Gutierrez. Last year the U.S. issued a Homeland Security Presidential Directive calling for a mandatory, government-wide personal identification standard. The directive specified that the secure and reliable forms of identification should be based on sound criteria for verifying the cardholder’s identity; be strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation; use electronic methods of rapid authentication; and be issued only by providers whose reliability has been established by an official accreditation process. Computer security specialists at the Commerce Department’s National Institute of Standards and Technology (NIST) worked closely with other federal agencies—including the Office of Management and Budget (OMB), the Office of Science and Technology Policy, and the Departments of Defense, State, Justice and Homeland Security—as well as private industry to develop Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. NIST received comments from more than 80 organizations and individuals. These comments were carefully considered and led to many changes in the final standard. The standard specifies the technical and operational requirements for the PIV system and card. The first part of the standard describes the minimum requirements needed to meet the control and security objectives of the Presidential directive, including the process to prove an individual’s identity. By October 2005, agencies must meet the requirements of the first part of the standard. The second section explains the many components and processes that will support a smart-card-based platform, including the PIV card and card and biometric readers. It also describes a means to collect, store and maintain information and documentation needed to authenticate and assure an individual’s identity. OMB will determine the timeline for agencies to comply with the second part of the standard. The standard provides graduated levels of security to give agencies flexibility in selecting the appropriate level of security for each application. Agencies will continue to have full flexibility in determining who is allowed to have access to their systems and facilities. The PIV card is the primary component of the system. About the size of a credit card, the PIV card will contain integrated circuit chips for storing electronic information, a personal identification number and biometric data, a printed photograph and two electronically stored fingerprints. The standard includes requirements to protect the privacy of PIV cardholders. OMB will provide privacy and implementation guidelines to federal agencies. NIST also is working to develop two key companion documents to FIPS 201. Interfaces for Personal Identity Verification (NIST Special Publication 800-73) will specify interface requirements for retrieving and using data from the PIV card. Biometric Data Specification for Personal Identity Verification (NIST Special Publication 800-76) will specify technical acquisition and formatting requirements for the biometric credentials of the PIV system.