Identive Group | Article | PIV Paves the Way for Private Sector

413 views

Published on

Since launching the HSPD-12 (Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors) secure credentialing program in 2004, millions of smart cards have been issued to U.S. Government employees, military personnel and contractors. As a result, the government has streamlined and standardized the process used to vet employees and process their identities and credentials, and has defined and implemented a standardized, single credential to grant access to physical and logical security applications.

Government employees across all federal agencies now are required to use a single, secure photo ID badge to authenticate themselves, gain access to doors, gates and portals at government buildings, carry biometric and other information in a secure manner, log on to their computers and mobile devices, digitally sign emails and encrypt disks, files and emails.

With this U.S. Government initiative, for the first time, standards were applied to all elements of the identity, credential and access management ecosystem of an organization. Developed by NIST (National Institute of Standards and Technology), the Federal Information Processing Standard 201 (FIPS 201) governs the way in which federal employees provide their identities, and the workflows associated with capturing personnel data, processing credential requests, producing the credential and getting it to the employee are strictly defined. Following the FIPS 201-mandated process provides a high level of trust in the credential, which allows it to be accepted across different agencies, and to perform more functions than a typical, locally-issued proximity credential could be trusted with. These credentials are commonly referred to as PIV (Personal Identity Verification) cards. As of today, millions of PIV cards have been issued to federal workers, including both military and non-military government employees and contractors.

To produce the high volumes of smart cards the government requires for its PIV credentials, a number of agencies, including the GSA (U.S General Services Administration), established sophisticated identity and smart card management systems that not only print visually secure ID badges, but also encode the smart card chips with agency- and personnel-specific data, biometric information, encryption keys and digital certificates.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
413
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Identive Group | Article | PIV Paves the Way for Private Sector

  1. 1. The Vault | May 2013:::30 security-news.tv 31security-news.tvPIV paves the way for private sectorPIV paves the wayfor private sectorBy John Piccininni, Identive Group, Inc.Since launching the HSPD-12 (Homeland SecurityPresidential Directive 12, Policy for a CommonIdentification Standard for Federal Employeesand Contractors) secure credentialing program in2004, millions of smart cards have been issued toU.S. Government employees, military personneland contractors. As a result, the government hasstreamlined and standardized the process usedto vet employees and process their identities andcredentials, and has defined and implemented astandardized, single credential to grant access tophysical and logical security applications.With this U.S. Government initiative, for the first time, stand-ards were applied to all elements of the identity, credential andaccess management ecosystem of an organization. Developed byNIST (National Institute of Standards and Technology), the FederalInformation Processing Standard 201 (FIPS 201) governs theway in which federal employees provide their identities, and theworkflows associated with capturing personnel data, processingcredential requests, producing the credential and getting it to theemployee are strictly defined. Following the FIPS 201-mandatedprocess provides a high level of trust in the credential, which allowsit to be accepted across different agencies, and to perform morefunctions than a typical, locally-issued proximity credential couldbe trusted with. These credentials are commonly referred to as PIV(Personal Identity Verification) cards. As of today, millions of PIVcards have been issued to federal workers, including both militaryand non-military government employees and contractors.To produce the high volumes of smart cards the governmentrequires for its PIV credentials, a number of agencies, includingthe GSA (U.S General Services Administration), establishedsophisticated identity and smart card management systems thatnot only print visually secure ID badges, but also encode the smartcard chips with agency- and personnel-specific data, biometricinformation, encryption keys and digital certificates.Government standards also aid enterprisesIt took a lot of work by the government and industry, but the FIPS201 standard that supports HSPD-12 has made real the promise oftrusted, enterprise-wide credentialing and multiple applications ona single credential. Success at the federal agency level has stirredinterest among government contractors and commercial enter-prises, many of whom share the problems as the government –identifying all employees, and securely managing those identitiesand their credentials across multiple sites.There are various forms of FIPS 201 credentials that are avail-able to private and commercial organizations, allowing them tobenefit from the research and data models that have been imple-mented and shown to be effective by the federal government.Examples include TWIC (Transport Worker Identity Card), use byworkers at maritime facilities and ports, FRAC (First ResponderAccess Card) for police, fire and other local government emergencyresponse personnel, and PIV-I (PIV-Interoperable Cards) fornon-government personnel that may need to have access to U.S.Government sites and data as if they were government personnel.And there are CIV Cards. The Commercial Identity VerificationCard provides a model for technical compatibility with PIV-basedsystems deployed by the federal government. The CIV card doesn’trequire the same level of identity proofing or issuance workflowrequired to obtain a PIV card, but does provide a framework thatnon-government organizations can use to issue very secure, multi-function smart card credentials. Technically, PIV-I and CIV arevirtually identical; the difference lies in the issuing process. CIVissuers must follow the same enrollment, verification, separationof duties and full background checks that the federal governmentfollows to issue a PIV card. CIV holders are then considered vettedto the same standards as a government employee or contractor,and their credentials are handled with the same levels of securityas a government-issued card.CIV cards for smaller organizations –issued through the cloudBut what if instead of millions, your organization consists of thou-sands, or maybe hundreds of employees? While high assurance,smart-card based credentialing programs would provide moresecure physical and logical security tools and policies, the invest-ment of hundreds of thousands of dollars required to implementsuch a card management system would likely be a challenge.This is where cloud-based credentialing, or “identity as aservice” can play a role. These services allow users to bypass thesmart card infrastructure investment and to create, manage anddistribute secure, certificate-based smart card credentials suchas CIV cards through the cloud. ‘Pay-as-you-go’ models offers onefixed price so you pay only for the users you need, as you need them,eliminating the complexity and operating costs associated withmanaging and deploying an internal smart card identity project.This approach offers significant savings by avoiding upfrontcapital and ongoing management costs of replacing, installing,maintaining and managing onsite servers and systems.Typical identity as a service solutions allow an organizationto define its own credentialing workflows, badge designs andencoding data for physical access, logical access, digital signingand encryption. Badges can be printed by the service in bulk, oneat a time, or even at the customer’s facility, if they prefer to haveprinters and the associated supplies and support mechanismson site. Remote employees can log onto the service, follow thepredetermined workflows, and create their own badges, whichare then mailed to them in a secure envelope.By taking the complexity out of designing smart card datamodels, encryption, encoding, printing and issuance, cloud-based credentialing services make true, secure smart card func-tionality and deployments available to all organizations.Outside the U.S., there are similar programs starting oralready going on all over the world that use smart card-basedcredentials issued via the cloud. The underlying technology thatcreates secure, trusted identity credentials is gaining momentum.And we can be curious what the future will bring.Government employees across all federal agencies now arerequired to use a single, secure photo ID badge to authenticatethemselves, gain access to doors, gates and portals at govern-ment buildings, carry biometric and other information in a securemanner, log on to their computers and mobile devices, digitallysign emails and encrypt disks, files and emails.

×