A handful of first responder groups and state and local agencies have begun the process to issue credentials under the PIV Interoperability for Non-Federal Issuers standard.
This fall, Washington, DC will issue its first PIV-I credentials to cab drivers and select employees of the Office of the Chief Technology Officer (OCTO), says Bryan Sivak, chief technology officer for the District of Columbia.
To provide the new badges, the District plans to expand the credentialing capabilities of the DC One Card. The consolidated ID badge serves as an access card for DC government employees and, through an integrated smart chip, enables residents to ride the Metro, check out library books and access schools and recreation centers.
OCTO employees will eventually use the PIV-I cards for network and system access, digital signing and data encryption, Sivak says.
The cab driver badges will be part of a pilot program known as the Taxicab with Smart Chip Credential (TSCC) Initiative. The initiative’s goal is to better enforce cab driver licensing through a secure ID credential, increase cab revenues and enable passengers to pay by credit card.
Once the new system is in place, the DC Taxicab Commission will receive a message that an unauthenticated driver is using the cab whenever a driver fails to provide the proper credentials. The commission could then prevent the meter from activating, Sivak says. The system would also track real-time traffic flow and the locations of cabs.
DC is following the lead of cabs in New York and Boston, which have implemented their own enhanced metering systems that accept credit cards and come equipped with GPS. The DC system would be similar, although use of the PIV-I integrated smart chip credential is unique to the TSCC Initiative, according to Sivak.
The driver would use the DC One card for authentication via a PIV-I-enabled smart meter. The card would contain a high-assurance credential that would require a biometric or other strong authentication to activate the meter, Sivak says.
The TSCC Initiative also sets out to automate the current paper-based trip recording process. “It’s very difficult for us to know how much money a cab driver is earning. We’ve found that many cab drivers underreport income,” he says.
DC has encountered licensing and fraud problems among its drivers. The District has 6,000 licensed cab drivers, but there are 8,000 to 12,000 cabs on the street, says Stephen Papadopulos, an official with the CTO’s office. In October, 39 people linked with DC’s taxicab industry were indicted on bribery charges following accusations that they paid $330,000 to the DC Taxicab Commission to obtain licenses.
Pending the DC Taxicab Commission’s approval, PIV-I will be used as the credentialing standard ensuring that every driver is adequately certified and licensed by the city, Sivak says. “Right now when you step into a cab, the only thing you have to validate the driver is the image they keep above their visor,” Sivak says.
While DC’s current fare system is cash only, the new system would enable passengers to pay by credit card. That convenience factor has the added potential of bringing in more tips for the cab drivers, Sivak says.
Ideally, implementing the system would cost the District nothing, Sivak says. “The idea is that the vendor would be responsible for installing and maintaining the systems in the cabs.”
The touch-screen monitors that passengers would use to make credit card payments could display news, financial information and advertisements for added revenues, much like the system in New York, Sivak says. Other potential funding sources include fees for credit card transactions and other service offerings.
Earlier this year, DC issued a request for information to gauge interest in the taxicab project and received several responses from potential vendors, Sivak says. He hopes to have a contract awarded by the end of summer.
Until the release of the PIV-I standard, Personal Identity Verification was the sole domain of the federal government. Today, non-federal entities can successfully issue interoperable PIV credentials by complying with the PIV-I version of the standard.
In March, ActivIdentity Corp. launched its own PIV-Interoperable initiative to help streamline this process for non-federal organizations issuing employee ID cards. The company has been working to help states and first responders address interoperability concerns, says John Bys, regional vice president for ActivIdentity.
“DC is showing leadership in that area in terms of broader-based use at a state or local level. They’re following the lead of the Department of Defense in using the common access card,” he says.
Bys would not confirm whether ActivIdentity will bid on the TSCC project but says that given the firm’s involvement with implementing PIV-I, “it’s hard to imagine we wouldn’t be involved with those RFPs, whether directly or indirectly.”
While DC is calling TSCC a pilot program, Sivak reports that he “fully expects this is something that will become a full implementation.” The goal is to have outfitted cabs on the street by the end of the year and eventually equip all 6,000 cabs in the District.
So you want to issue PIV-I cards?
New document addresses pressing questions
It’s been more than a year since the first document regarding the PIV-Interoperable specification was released. In that time there was a lot of interest in the document but not a lot of guidance on how to deploy an actual PIV-I credential.
This is changing. Government contractors, first responders and others who want to issue an identity credential that has some level of interoperability with the federal government now have more information to guide them.
The Federal Identity, Credential and Access Management (ICAM) subcommittee, part of the CIO Council, released a frequently asked questions document offering guidance for organizations that want to issue PIV-I credentials. “For industry now there’s something to build to,” says Sal D’Agostino, CEO at IDmachines. “That’s critical … while you could have pursued it, not having policy and technical publications locked down made it hard to commit.”
The ICAM document identified four areas where non-federal issuers are unable to meet the full FIPS 201 standard. Alternative approaches are recommended.
Credential numbering: FIPS 201 defines a specific numbering system that can only be used by federal issuers. PIV-I issuers should use the Universally Unique Identifier, a 128-bit code that is unique to each credential.
PKI technology mapping: The Certificate Policy for the U.S. Federal PKI Common Policy Framework defines an object identifier (OID) that is specific to federal issuers. Non-federal issuers must map their policies to the PIV-I hardware policy object identifiers and be cross-certified with the Federal Bridge Certificate Authority to meet the requirements of PIV-I.
Background investigations: FIPS 201 mandates the use of a National Agency Check with Written Inquiries (NAC-I) before obtaining a PIV card. This background check is only available to federal employee applicants, so the FAQ offers alternatives to the NAC-I.
Visual distinction: The document defines certain visual security features the PIV-I card should include, such as photo, name, organizational affiliation or issuer, and expiration date. But it also mandates visual distinction from a federal PIV card, so that a PIV-I card cannot be taken as an attempt to create a fraudulent federal PIV card.
With the release of the document, questions have been answered, D’Agostino says. Other open questions concerned the object identifier, and with new guidelines for connecting to the Federal Bridge due out soon, vendors and issuers would be able to go ahead with any PIV-I projects.
While the new document clarified the picture for PIV-I issuance, some industry insiders question whether others will issue the credentials. There has been no strong economic reason to spend the money to voluntarily issue the converged smart card IDs, some say.
D’Agostino disagrees and says that a PIV-I credential could help organizations comply with any of a litany of regulatory challenges such as PCI and Sarbanes-Oxley. “If you adopt PIV-I you are addressing all your compliance and regulatory concerns with one fell swoop,” he says. “By following strong identity policy and then using it–and the authentication factors–via a PIV-I framework, you can address all these things.”