Draft guidelines have been released to help agencies verify that organizations issuing new governmentwide identification cards are up to the job.
The new cards were mandated in Homeland Security Presidential Directive 12, titled Policy for a Common Identification Standard for Federal Employees and Contractors. More detailed objectives for the Personal ID Verification (PIV) Card were laid out in Federal Information Processing Standard 201, and specifications for the standard are spelled out in a series of special publications from the National Institute of Standards and Technology.
A requirement of HSPD 12 is that card issuers be accredited. The most recent NIST publication, SP 800-79, provides Guidelines for Certification and Accreditation of PIV Card Issuing Organizations. The draft is offered for public comment until July 10.
The new ID card will be an interoperable smart card that can be used across agencies. The cards will incorporate a common set of identity proofing and issuing standards, as well as other technologies. Agencies must have plans in place for implementing HSPD 12 this year, and have until October 2006 to begin issuing the cards.
Each agency will be responsible for certifying and accrediting the issuer of its cards. Certification is the process of assessing the reliability, availability and capabilities of the issuer's personnel, equipment, finances and support infrastructure. Accreditation, the management decision to authorize operation, is done by a designated authority within an agency.
NIST has broken the certification and accreditation process into 10 tasks:
Preparation, which includes establishing security categories for the cards
Resource identification, which includes identifying resources needed for the C&A process
Plan analysis and acceptance, which includes identifying requirements for a card issuer and an issuer's plan analysis
Card issuer attribute assessment, which includes documenting and assessing the issuer's resources
Certification documentation, which includes updates to and signing off on the issuer's plans
Accreditation decision, which includes a review of the certification
Accreditation documentation, which includes the decision to authorize the issuer
Issuer operations management, which includes analysis of the issuer's performance
Issuer status monitoring, which includes ongoing assessment of the issuer
Status monitoring and documentation, which includes updates and monitoring of the issuer's plans.
More details on FIPS-201 and PIV Card specifications are available from the NIST Web site in special publications 800-73, Interfaces for Personal Identity Verification; 800-76, Biometric Data Specifications for Personal Identity Verification; and 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification.