Gutierrez Commerce Secretary Announces New ID Standard

Commerce Secretary Announces New ID Standard for Federal Agencies

U.S. Commerce Secretary Carlos M. Gutierrez today announced he has approved a new standard for a smart-card-based form of identification for all federal government departments and agencies to issue to their employees and contractors requiring access to federal facilities and systems.

“Protecting federal facilities, systems and the employees who have access to them is of vital importance to this Administration,” said Gutierrez. “This new standard will enable federal agencies to issue more secure and reliable forms of identification to better protect federal assets against threats such as terrorist attacks. It also will help safeguard against other risks such as identity theft,” said Gutierrez.

On Aug. 27, 2004, President Bush issued a Homeland Security Presidential Directive calling for a mandatory, government-wide personal identification standard. The directive specified that the secure and reliable forms of identification should be based on sound criteria for verifying the cardholder’s identity; be strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation; use electronic methods of rapid authentication; and be issued only by providers whose reliability has been established by an official accreditation process. (The presidential directive is available at whitehouse.gov/news/releases/.)

Computer security specialists at the Commerce Department’s National Institute of Standards and Technology (NIST) worked closely with other federal agencies—including the Office of Management and Budget (OMB), the Office of Science and Technology Policy, and the Departments of Defense, State, Justice and Homeland Security—as well as private industry to develop Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors.

As a result of public meetings, briefings by NIST and OMB, and the public availability of the draft FIPS as announced previously in the Federal Register, NIST received comments from more than 80 organizations and individuals. These comments were carefully considered and led to many changes in the final standard. (Comments are available at csrc.nist.gov/piv-project/.)

The standard specifies the technical and operational requirements for the PIV system and card. The first part of the standard describes the minimum requirements needed to meet the control and security objectives of the presidential directive, including the process to prove an individual’s identity. By October 2005, agencies must meet the requirements of the first part of the standard.

The second section explains the many components and processes that will support a smart-card-based platform, including the PIV card and card and biometric readers. It also describes a means to collect, store and maintain information and documentation needed to authenticate and assure an individual’s identity. OMB will determine the timeline for agencies to comply with the second part of the standard.

The standard provides graduated levels of security to give agencies flexibility in selecting the appropriate level of security for each application. Agencies will continue to have full flexibility in determining who is allowed to have access to their systems and facilities.

The PIV card is the primary component of the system. About the size of a credit card, the PIV card will contain integrated circuit chips for storing electronic information, a personal identification number and biometric data—a printed photograph and two electronically-stored fingerprints. The standard includes requirements to protect the privacy of PIV cardholders. OMB will provide privacy and implementation guidelines to federal agencies.

NIST also is working to develop two key companion documents to FIPS 201. Interfaces for Personal Identity Verification (NIST Special Publication 800-73) will specify interface requirements for retrieving and using data from the PIV card. Biometric Data Specification for Personal Identity Verification (NIST Special Publication 800-76) will specify technical acquisition and formatting requirements for the biometric credentials of the PIV system.

A copy of FIPS 201and other information are available at csrc.nist.gov/piv-project/.

Since 1972, NIST has been developing technical standards and guidelines for federal computer systems. NIST typically develops FIPS when there are compelling federal government requirements, such as for security and interoperability, for which there are no acceptable industry standards or solutions. In doing so, NIST is carrying out its responsibilities under the Federal Information Security Management Act of 2002.

As a non-regulatory agency of the U.S. Department of Commerce’s Technology Administration, NIST develops and promotes measurement, standards and technology to enhance productivity, facilitate trade and improve the quality of life.

FOR IMMEDIATE RELEASE Friday, February 25, 2005