Personal Identity Verification Interoperability (PIV-I) for Non-Federal Issuers: Trusted Identities for Citizens across States, Counties, Cities and Businesses
Publication Date: February 2011
Solid identity management and strong credentialing practices are critical to government organizations and enterprises that must verify the identities of a wide variety of individuals–employees, business partners, emergency response officials, and citizens. As a result, governments around the world are putting in place the legal framework to leverage strong identity credentials for eGovernment, eHealth and eCommerce, and use of these credentials is growing. This brief talks about the progress in the United States in establishing a standard for identity and credentialing and the associated and necessary trust framework.
Driven by the issuance of Homeland Security Presidential Directive 12 (HSPD-12) in 2004, the U.S. Federal Government has invested significant effort and resources in implementing robust, interoperable credentialing processes and technologies. The resulting standard, Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, provides a framework of the policies, processes, and technology required to establish a strong, comprehensive program. And in fact, since 2005, the Federal Government has successfully used this framework to issue over 5 million PIV cards to Federal employees and contractors. In addition, Federal agencies have developed an infrastructure for using these interoperable credentials to support additional requisite functions, including the following:
- Physical security, including facility access and video analytics
- Logical security, including network and application access
- Incident monitoring and response
- Encryption and protection of sensitive data
State and local governments and other organizations can leverage the Federal program. Two publications–Personal Identity Verification Interoperability (PIV-I) for Non-Federal Issuers (issued by the Federal CIO Council in May 2009) and PIV-I Frequently Asked Questions–provide states, local jurisdictions, and commercial organizations with applicable standards and guidance. The definition of PIV interoperability builds on the Federal PIV standard and the supporting framework of policies, processes, and technologies. The maturity of the Federal standards, the availability of compliant commercial off-the-shelf (COTS) products, and the ability to use a single, interoperable, and secure PIV credential across multiple application areas can enable states, local jurisdictions, and enterprises to improve their security postures, infrastructures, and services for employees, contractors, businesses, and consumers. Using the PIV-I standards helps to provide a foundation for a cost-effective approach.
Identity Credentials: The Move toward PIV-I
Many state and local organizations point to the PIV standard as a way to achieve a more holistic approach to issuing identity credentials, and improving their own business processes, notwithstanding the additional requirements of implementing supporting infrastructure and applications. More than 16 states are currently planning or implementing some form of PIV-interoperable (PIV-I) or PIV-compatible (PIV-C) strategy. Early state adoption of PIV-I credentials and infrastructure in the Commonwealth of Virginia, the State of Colorado, and the State of Illinois has established baselines for achieving interoperability with Federal credentials, services, and systems. These PIV-I credentials are being used in regional and national interoperability exercises sponsored by the Federal Emergency Management Agency (FEMA) and for piloting operations in other areas, such as accessing Federal systems. In the July 2010 white paper, Moving towards Credentialing Interoperability: Case Studies at the State, Local and Regional Level, seven states highlighted ongoing and planned activities for deploying PIV-I credentials within their jurisdictions.
During the April 2010 National Association of State Chief Information Officers (NASCIO) Digital Identity Workshop, a working group was established to put together a charter for a NASCIO Digital Identity Working Group. Many states and jurisdictions already use components of PIV-I policy or process, such as strong identity vetting procedures, public key infrastructure (PKI), and smart cards, within their enterprises. These existing components can be leveraged to establish interoperable digital identities.
This white paper suggests that NASCIO recommend and advocate standards, policies, and technology based on the PIV-I guidance established by the Federal Government. The identity, credentialing, and access management (ICAM) guidance and roadmap that accompany the PIV standard and PIV-I guidance provide states with a process for this effort. The identity credentials issued by states can be made more widely applicable, be used more efficiently, and enhance citizen privacy when used to support state privacy legislation and policies and state initiatives to protect citizen personal information. States can move from issuing multiple credentials for a variety of state programs to issuing a single, multi-purpose, trusted PIV-I credential.
Education is key to enabling state and local governments to appreciate the industry-wide investment in, experience with, and benefits of current PIV and PIV-I deployments and solutions. Such education includes highlighting ongoing developments in both public and private enterprises and the availability of over 500 PIV-compliant products currently on the General Services Administration (GSA) Approved Products List.
This white paper is intended to help state and local jurisdictions explore the following issues:
- The policies, processes, and technologies available to achieve interoperability
- The value of a single multi-purpose credential, including cost, security, and privacy benefits
- What state programs are suitable candidates for considering a move to an interoperable identity credential
- Future considerations for technology migration
About the White Paper
The Smart Card Alliance developed this white paper to describe the benefits of FIPS 201, PIV standards and PIV-I framework for state and local governments to enable interoperability and trust across different government issuers for a wide variety of identity credentialing programs.
Council members involved in the development and review of this white paper included: Accenture LLP; AMAG Technology; CardLogix; CertiPath; Datacard Group; Datawatch; Deloitte; Gemalto; General Services Administration (GSA); Hewlett-Packard; HID Global; Hirsch Electronics; IDenticard; Identification Technology Partners; IDmachines; Intellisoft, Inc.; L-1 Identity Solutions; NagraID Security; NASA; Northrop Grumman Corporation; Organization Change Future Workplace, LLC (OCFW); Probaris, Inc.; Roehr Consulting; SCM Microsystems; Software House / Tyco; Technica; U.S. Dept. of Defense/Defense Manpower Data Center (DMDC); U.S. Dept. of State; XTec, Inc.
About the Smart Card Alliance Physical Access Council
The Smart Card Alliance Physical Access Council is focused on accelerating widespread acceptance, use, and application of smart card technology for physical access control. The Council brings together leading users and technologists from both the public and private sectors in an open forum and works on activities that are important to the physical access industry and address key issues that end user organizations have in deploying new physical access system technology. The Physical Access Council includes participants from across the smart card and physical access control system industry, including end users; smart card chip, card, software, and reader vendors; physical access control system vendors; and integration service providers.
About the Smart Card Alliance Identity Council
The Smart Card Alliance Identity Council is focused on promoting the need for technologies and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.