The issuance and use of PIV smart card credentials for access to secure government systems and buildings is growing, while efforts to include the use of mobile credentials are gaining strength, government leaders reported this week at the Smart Card Alliance’s Securing Federal Identity 2016 conference in Washington, D.C.
Civilian worker PIV usage rose from 42% to 72% as a result of the push to increase usage of smart cards and is now more than 80%, says Trevor Rudolph, chief of the eGov Cyber Unit for the Executive Office of the President and the Office of Management and Budget. Also, hacks and breaches relating to weak authentication have decreased by 16% in the last two quarters of FY15.
The GSA has also seen increased agency adoption of the PIV smart card, reporting a 20% increase in PIV issuance from GSA USAccess since the OMB initiative launched, says Jim Sheire, director of the Federal Identity, Credential, and Access Management (FICAM) Program at the GSA.
The U.S. Department of Treasury and Department of Homeland Security reported on their use of PIV. Within Treasury, the use of PIV credentials is required for 100% of privileged users and 94% of unprivileged users, and PIV authentication is required for remote access solutions. Within Homeland Security, the use of PIV credentials is required for 98% of privileged users and 97% of unprivileged users.
During another panel session, three federal program leads outlined the efforts to draft specifications and test mobile devices and mobile identity applications for the use of derived PIV credentials stored on mobile devices:
- Hildegard Ferraiolo of NIST discussed NIST’s recently released specifications, outlining requirements and an associated architecture to PIV-enable mobile devices for multi-factor authentication
- Bill Newhouse of NIST’s National Cybersecurity Center of Excellence (NCCoE) updated attendees on NCCoE’s testing labs for evaluating proof-of-concept implementations and their work on an upcoming practice guide to describe how to turn on and use derived credentials
- Chi Hickey from GSA’s Identity Assurance and Trusted Access Division shared that GSA is developing the testing program for derived credential solutions and will be adding two categories to the Approved Product List