Keeping tabs on the U.S. federal government’s smart card progress is tough. Memorize a list of acronyms today and they are likely to become old news as new agencies and initiatives take precedence. Though somewhat frustrating, this is a very positive indicator of the rapid progress being made as the U.S. federal government’s smart card approach matures. In recent weeks, this progress has been further expedited by a Presidential Directive (HSPD-12), a national standardization effort (FIPS 201), and progress toward a potential international standard (ISO 24727).
What does all this mean?
Let’s take a look back as a means to look forward. Through years of work by a large number of dedicated government employees, contractors, and industry representatives a smart card standard was established for the U.S. federal government. It was released by the National Institute for Standards and Technology (NIST) and is called the Government Smart Card Interoperability Standard (GSC-IS). The current version is GSC-ISv2.1.
There has been a plan within the federal government to submit GSC-ISv2.1 to the appropriate standards-making bodies to be considered for national and international standards status (in addition to its federal government status). But as Presidents sometimes do, U.S. President George W. Bush recently altered these plans–expediting the timeline and bringing a new sense of urgency to an already fervent process.
Weeks ago (August 27, 2004), President Bush released the Homeland Security Presidential Directive 12 (HSPD-12) mandating that all federal agencies move rapidly (extremely rapidly) to deploy a common smart card platform within their organizations as a means to increase security. The process toward smart card standardization that was started years prior and resulted in the GSC-ISv2.1 was put on the fast track toward mandated government-wide implementation.
HSPD-12 is basically an order from the boss to make this happen “enterprise-wide”. The plan to make this happen is to further codify the GSC-ISv2.1 and other applicable standards and documents into an overriding standardization document that will enable an agency to meet the mandate of issuing smart cards to their employees. This document – in essence the work product of HSPD-12 – is to become the Federal Information Processing Standard 201 (FIPS 201).
According to NIST, the FIPS 201 is necessary to:
- “properly protect the personal privacy of all subscribers of the PIV system;
- authenticate identity source documents to obtain the correct legal name of the person applying for a PIV “card”;
- electronically obtain and store appropriate biometric data (e.g., fingerprints, facial images) from the PIV system subscriber;
- create a PIV “card” that is “personalized” with data needed by the PIV system to later grant access to the subscriber to Federal facilities and information systems;
- assure appropriate levels of security for all applicable Federal applications; and
- provide interoperability among Federal organizations using the standards.”
Because we don’t have enough acronyms floating around this topic yet, it was decided that FIPS 201 would be titled the Personal Identity Verification Standard and would be known by the letters PIV. As it now stands, FIPS 201 and PIV are synonymous. In charge of the FIPS 201 creation is one of the overseers of the GSC-IS creation, Teresa Swartzhoff of NIST.
According to Ms. Swartzhoff, FIPS 201 will “be based upon the evolved GSC core (GSC-IS 2.1),” and will also include “ISO 7810 (physical card characteristics), ISO 7816 (contact chip standard), ISO 14443 (contactless chip standard), as well as the PACS 2.2 (Physical Access Control Systems specification developed by an interagency group) and the FICC data model (Federal Identity Card Credential developed via another interagency effort).
Because the President’s mandate in HSPD-12 required such a tight timeline for compliance, the FIPS 201 process is equally tight. According to Ms. Swartzhoff, “it must be approved by February 25, 2005.”
A preliminary draft is already posted to the NIST web site and comments are now being accepted. Ms. Swartzhoff stresses that this initial version of the document is being released as “an informal review process so we will not be able to respond back to comments.” This informal review and comments received will help NIST and company to craft the November 8, 2004 version of the document that will be released for a more official and traditional review.
International standardization progressing concurrently
The preparation of the GSC-ISv2.1 document for submission to the International Organization for Standards (ISO) has jumped another hurdle and now has a name. ISO 24727 will identify this effort as it moves through the stringent ISO consideration process. ISO 24727 will be presented as a Committee Draft (CD) from the committee named Subcommittee 17/Working Group 4/Task Force 9 (SC17/WG4/TF9) by March 2005. Says Ms. Swartzhoff, “we are targeting a two-year process for completion (of the standard).” Like the rest of the related efforts, this is extremely ambitious as most ISO standards take a minimum of three years to complete.
It looks to be a very busy period for Ms. Swartzhoff, NIST, and all those individuals involved in the federal government identity arena. Their enormous progress, however, will unquestionably continue the advancement of secure identity and credentialing technology in markets, applications, and industries around the world.
- To read a copy of HSPD-12 click here.
- To review the preliminary working draft of the FIPS 201 document (comments accepted until October 30, 2004), click here.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.