Physical Access Control Systems (PACSs) must comply with FIPS PUB 201-3 in order to secure government facilities and information systems; NIST received numerous comments from USG stakeholders and integrated them into this revision of the standard.

The most notable changes include elevating face biometrics to the highest assurance level, creating new definitions of PIV credentials derived from parent ID numbers, and adding supervised remote identity proofing processes.

Requirements for PIV Cards

PIV cards are essential tools in maintaining trust between the issuing and managing agencies and the individuals who hold them. Agencies must establish issuance processes that ensure each card is complete and accurate before it is issued to an individual, including scanning of supporting documents and quality biometric and photographic capture; card packages should also be adequately sanitized to avoid contamination and to protect privacy.

At each stage of PIV card issuance, agencies must ensure that the individual satisfies all qualifications and background checks required for Federal employment (as detailed in Section 2.2). National Security community investigation checks must also be verified; if these are not completed and adjudicated correctly within 60 days, the application must be removed from the PIV Card system.

Once a PIV Card has been issued, it must be bound to its associated identity account. Once binding takes place, the account's attributes become available for authentication to any subsystem that relies upon it; this process and data flow are governed by FIPS 201-3.

For logical or physical access authentication, the relying subsystem sends a request to the PIV Card or derived PIV credential and verifies the holder's identity using attributes from the PIV identity account. Once the credential is verified, a status is reported back to the relying subsystem based on the attributes in the PIV identity account; this data allows the relying subsystem to decide whether or not access should be granted.

Requirements for PIV Identity Accounts

FIPS 201 standards govern the nearly five million PIV cards currently issued to federal employees for access to facilities and information systems with multifactor authentication. FIPS 201 specifies both how issuance requirements should be fulfilled and the lifecycle activities used to use, update, and manage these credentials throughout their lifecycles.

This standard also contains guidelines and specifications for issuing PIV credentials that are linked to a PIV Identity Account, making it possible to use one card for physical access control in an increasingly digital world of mobile devices and cellular networks.

One key requirement of the PIV standards is ensuring high confidence in the identity of cardholders. To do this, the issuing process must include collecting documents to confirm that an applicant for a PIV Card is who they claim to be; additionally, OPM guidelines regarding background checks must be strictly adhered to, with all required National Security Community investigations completed and adjudicated prior to issuance of the card.

As PIV Cards are used more and more for both physical and logical access control, program managers and engineers need to be familiar with the identifiers associated with credentials that are used as part of account linking processes. This practice occurs frequently across applications, including network domains and social media apps.

Requirements for Derived PIV Credentials

Derived PIV credentials, mobile versions of the cryptographic credentials on PIV cards, provide Federal employees with an effective means of using two-factor authentication (2FA) on phones or other technologies such as USB keys without cumbersome additional hardware. This also lets workers carry their logical and physical access credentials with them wherever they work, allowing greater flexibility in how and where they do their work.

A derived credential consists of an asymmetric cryptographic key pair linked to the public/private key pair on a PIV card and managed through an authentication system, providing a more secure means of accessing facilities or information without altering the access authorization decisions made by department or agency officials.

To use a derived credential, the end user signs and authenticates requests with the private key on their Personal Identity Verification (PIV) card. The system then validates these requests against the information on the cardholder's PIV card. The derived credential can then be used as an access token in underlying systems and applications and managed according to the same processes and procedures used for the original PIV card, including reporting cards, managing card records, and periodic privacy impact assessments.
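The challenge-response flow described above (the relying subsystem requests a signature, the card or derived credential signs with a private key that never leaves the token, and the subsystem then decides from the bound identity account) as an added Go example; it is not code from FIPS 201-3, NIST, or any PIV product. It uses an ECDSA P-256 key, which FIPS 201 permits for the PIV Authentication key, but stands a bound public key in for the X.509 certificate and certificate-status check a real PIV deployment performs. The type and function names (RelyingSubsystem, Credential, Account, Sign, RunScenario), the credential identifiers and the account record are constructed for the example. It also shows a derived credential behaving as the text describes: a second key pair bound to the same identity account, so a revoked account denies both, and a consumed challenge cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Account is a cut-down PIV identity account: only the attributes the
// relying subsystem consults after the credential is verified (constructed).
type Account struct {
	Name   string
	Status string // "active" or "revoked"
}

// Credential is a PIV Card authentication key or a derived PIV credential,
// bound to one identity account; only the public half is held here.
type Credential struct {
	Kind    string // "card" or "derived"
	Pub     *ecdsa.PublicKey
	Account *Account
}

// RelyingSubsystem holds the credential bindings and outstanding challenges.
type RelyingSubsystem struct {
	creds      map[string]*Credential // keyed by an assumed credential identifier
	challenges map[[32]byte]string    // nonce -> identifier it was issued for
}

func NewRelyingSubsystem() *RelyingSubsystem {
	return &RelyingSubsystem{creds: map[string]*Credential{}, challenges: map[[32]byte]string{}}
}

// Bind links a credential to an identity account (the binding step in the text).
func (r *RelyingSubsystem) Bind(id string, c *Credential) { r.creds[id] = c }

// Challenge issues a fresh random nonce for the named credential to sign.
func (r *RelyingSubsystem) Challenge(id string) ([32]byte, bool) {
	var nonce [32]byte
	if _, ok := r.creds[id]; !ok {
		return nonce, false
	}
	if _, err := rand.Read(nonce[:]); err != nil {
		return nonce, false
	}
	r.challenges[nonce] = id
	return nonce, true
}

// Sign is the token side: the private key stays on the card or phone and
// only a signature over the challenge is handed back.
func Sign(priv *ecdsa.PrivateKey, nonce [32]byte) ([]byte, error) {
	digest := sha256.Sum256(nonce[:])
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Authenticate verifies the signature against the bound public key, consumes
// the challenge so it cannot be replayed, then decides from the account status.
func (r *RelyingSubsystem) Authenticate(id string, nonce [32]byte, sig []byte) (bool, string) {
	if owner, ok := r.challenges[nonce]; !ok || owner != id {
		return false, "no outstanding challenge for this credential (replay or mismatch)"
	}
	delete(r.challenges, nonce) // single use
	c := r.creds[id]
	digest := sha256.Sum256(nonce[:])
	if !ecdsa.VerifyASN1(c.Pub, digest[:], sig) {
		return false, "signature does not verify against the bound key"
	}
	if c.Account.Status != "active" {
		return false, "credential verified but account status is " + c.Account.Status
	}
	return true, "access granted to " + c.Account.Name + " via " + c.Kind + " credential"
}

// RunScenario exercises card and derived-credential logins, a replayed
// challenge, a signature from the wrong key, and a revoked account.
func RunScenario() map[string]bool {
	acct := &Account{Name: "J. Doe (constructed)", Status: "active"}
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // key on the PIV card
	phoneKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // derived credential key
	rs := NewRelyingSubsystem()
	rs.Bind("card-0001", &Credential{Kind: "card", Pub: &cardKey.PublicKey, Account: acct})
	rs.Bind("derived-0001", &Credential{Kind: "derived", Pub: &phoneKey.PublicKey, Account: acct})
	out := map[string]bool{}
	n1, _ := rs.Challenge("card-0001")
	s1, _ := Sign(cardKey, n1)
	out["card"], _ = rs.Authenticate("card-0001", n1, s1)
	n2, _ := rs.Challenge("derived-0001")
	s2, _ := Sign(phoneKey, n2)
	out["derived"], _ = rs.Authenticate("derived-0001", n2, s2)
	out["replay"], _ = rs.Authenticate("derived-0001", n2, s2) // nonce already consumed
	n3, _ := rs.Challenge("derived-0001")
	s3, _ := Sign(cardKey, n3) // card key is not the key bound to the derived credential
	out["wrongKey"], _ = rs.Authenticate("derived-0001", n3, s3)
	acct.Status = "revoked" // one account status governs both credentials
	n4, _ := rs.Challenge("card-0001")
	s4, _ := Sign(cardKey, n4)
	out["revoked"], _ = rs.Authenticate("card-0001", n4, s4)
	return out
}

func main() {
	for step, ok := range RunScenario() {
		fmt.Printf("%-8s granted=%v\n", step, ok)
	}
}
```

The access decision is deliberately split into two stages: a valid signature proves possession of the bound key, and only the identity account's attributes decide whether access is granted, which is why revoking the account denies the card and the derived credential together without touching either key.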

Requirements for PIV Reporting Cards

To complete enrollment of your PIV card, you will need to present two forms of identification to the registrar; at least one must be a primary form. If any questions arise regarding this matter, please reach out directly to your agency registrar for more information.

Registrars are organizations responsible for enrolling individuals as Federal employees under Homeland Security Presidential Directive 12 (HSPD-12). A registrar must use an Identity Management System (IDMS) which manages quality assurance processes to assess identity-proofing evidence prior to issuing PIV cards.

Once the Registrar has verified that an individual is either a new or a current Federal employee, the Registrar should conduct an HSPD-12 background check to make sure the individual fulfills all requirements for accessing secure facilities and systems. Once that is complete, the Registrar should issue the PIV card.

FIPS 201-3 was revised based on comments received during public review and at a virtual workshop held by NIST on December 9, 2020. The updated version of the Standard contains changes that align it better with current NIST technical guidelines for identity management, OMB policy guidance, and changes in commercially available technologies. Furthermore, FIPS 201-3 expands the definition of Derived PIV Credentials for use on platforms and environments without smart cards; their use is guided by two associated Special Publications, SP 800-157 Rev. 1, Guidelines for Derived PIV Credentials, and SP 800-217, Guidelines for PIV Federation, which provide further guidance.

Requirements for PIV Enrollment Records

As part of the PIV front-end subsystem, the Identity Management System (IDMS) is responsible for collecting, storing and managing the information needed to authenticate cardholders. The IDMS also manages the process by which PIV cards are issued to individuals, known as Applicants, who undergo at least two verification processes during in-person Identity Proofing and Registration.

The IDMS keeps enrollment records for Federal employees and long-term contractors requiring access to agency facilities or IT systems; at their discretion, participating agencies can also include short-term employees and contractors in the PIV IDMS for risk evaluation before deciding whether to conduct background investigations for them.

FIPS 201-3 aligns with NIST technical guidelines on identity management and OMB policy guidance, accommodating additional types of authenticators through an expanded definition of Derived PIV credentials and providing for more secure messaging authentication mechanisms through remote identity proofing processes.

Additionally, this standard specifies a 12-year maximum lifecycle for both iris and face biometrics, with the requirement that agencies use a standard form of facial comparison in order to avoid mismatches caused by natural changes to human faces over time. Multiple commenters requested more clarity as to when direct and federated authentication mechanisms should be used; however, the standard leaves this decision to each agency.

Requirements for PIV Management Systems

PIV systems comprise the hardware, software and supporting processes that manage issuance and lifecycle activities for PIV cards issued to federal employees and civilian contractors. PIV cards provide both physical and logical access control for federal facilities, equipment and information systems.

Figure 2-1 depicts the front-end subsystem, consisting of the cards and readers used for authentication, while Figure 3-2 represents its back-end counterpart, the Identity Management System (IDMS), which manages the card lifecycle and authenticates cardholders by issuing assertions of attributes to relying systems, providing assurance that cardholders are who they claim to be.

An individual or relying party could link the PIV-I credential with additional off-credential data to determine fitness or personnel vetting status, for instance through background investigation checks conducted by OPM or the FBI, or entitlement attributes based on job duties or location.

The IDMS also facilitates PIV enrollment by collecting biometric and photographic data in person, processing it, and sending it directly to the PIV issuance authority for review and approval before credentials are sent out through systems whose identity proofing processes have been approved and accredited by the agency; additionally, the IDMS certifies that no changes or tampering have occurred, for purposes of non-repudiation.