SILVER SPRING, Md. — The Security Industry Association’s (SIA) Personal Identity Verification (PIV) Working Group submitted new comments to the National Institute of Standards and Technology (NIST) regarding the revised draft of FIPS 201-2, the standard for PIV. SIA’s goal is to make the PIV card more usable in physical access control applications, especially those that address the high security objectives of Homeland Security Presidential Directive-12 (HSPD-12).
NIST released the first draft of the update to the 2005 FIPS 201 more than a year ago and has again sought industry input on its latest work product. Though NIST has extensively addressed the comments received on the first draft, it has also introduced a number of new concepts, which have drawn strong reaction from industry. One of the main issues is the need to make the specification fully effective in the near term, since it will not be changed for at least five years after its anticipated release in early 2013.
There are several issues that are important to SIA and the security industry, including the ability to achieve technical interoperability in Physical Access Control Systems (PACS); recognition of three-factor authentication (card, PIN, biometrics), a longtime industry practice; and outdoor environmental challenges that necessitate the use of contactless readers. Per the current draft standard, contactless readers cannot be used for “High” or “Very High” confidence assurance levels.
“NIST has come a long way since 2004 when HSPD-12 dictated the first versions of PIV be brought to market,” says Rob Zivney, chair, PIV Working Group, SIA. “However, the initial implementations often used the basic card holder unique identifier [CHUID] reader technology, which is now being deprecated and demoted to low assurance levels, which is appropriate. Now we need to more fully embrace the cryptographic and biometric capabilities of the card so we can use them securely over the contactless interface for the highest three-factor authentication — even when embedded in a mobile phone.”
SIA has offered suggestions that would bring the new technology to the PIV card much sooner than waiting out current lifecycles of both the Standard and the PIV Card, Zivney says.
PIV card technology use has begun to spread beyond federal employees and contractors. A range of companies and entities that do business with the federal government — aerospace and defense contractors, international banks and state governments — use PIV-Interoperable (PIV-I). In the private sector, seaports and truckers use the Transportation Worker Identification Credential (TWIC), and first responders are using the First Responder Authentication Credential (FRAC). All of these and more are based on PIV. As a result, SIA’s comments are as critical to the private sector as they are to the federal sector for which PIV was originally chartered.