
PIV-Interoperable Credential Case Studies

Publication Date: February 2012

Homeland Security Presidential Directive 12 (HSPD-12) mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. Signed by President George W. Bush in August 2004, HSPD-12 initiated the development of a set of technical standards and issuance policies (referred to as Federal Information Processing Standard, FIPS 201) [1] that create the Federal identity infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies, regardless of which agency issues the credential.

The Federal government has issued well over 5 million of these credentials, called Personal Identity Verification (PIV) cards, to both employees and contractors. Federal agencies use the PIV card to authorize employee access to both physical and logical resources and to assign access privileges. The success of the program is largely due to the development of goals, issuance policies, and technical specifications that all Federal agencies have agreed to follow. A cross-certification policy establishes trust between agencies, so that employees from one agency can use their PIV credentials to access controlled resources while visiting other agencies. Products and systems that conform to the defined technical interoperability standards are offered by a variety of suppliers. New standards-compliant products are introduced frequently.

As the benefits of a common identity credential become clear, interest in such a credential is growing among non-Federal issuers. PIV-interoperable (PIV-I) cards are already being issued by Federal contractors to those employees who need access to Federal buildings and IT networks. [2] The PIV-I credential is technically interoperable with the Federal government PIV systems (e.g., readers) and is issued in a manner that allows Federal government agencies to trust the card. PIV-I credentials comply with Federal Bridge guidance on identity-proofing, registration, and issuance. PIV-I credentials are cross-certified with the Federal Public Key Infrastructure (PKI) Bridge [3] to allow contractor personnel to access authorized resources. Private enterprises can also take advantage of this technology. The Commercial Identity Verification (CIV) credential leverages the PIV-I specifications, technology, and data model without any requirement for identity proofing or PKI cross-certification. [4] Any enterprise can create, issue, and use CIV credentials to achieve whatever level of assurance is required in that enterprise’s environment.

This white paper provides case studies from Booz Allen Hamilton, SAIC, Xtec Incorporated, and the Commonwealth of Virginia that identify realized benefits, describe best practices, and illustrate how and why the featured organizations chose to establish an identity program using the PIV-I credential. It represents one of the first efforts to document and share information about PIV-I deployments. These case studies represent the initial enterprise deployments outside of first responder use cases. Commercial off-the-shelf physical, logical, and mobile enterprise applications are increasingly supporting PIV (and therefore PIV-I) authentication methods. This support makes it easier for enterprises to leverage their IT investment in identity, credentialing, access, and security services.

As the case studies indicate, a variety of organizations, including large corporations, consulting firms, and state and local governments, are all beginning to deploy PIV-I solutions. While each entity has its own specific reasons for doing so, certain common drivers are beginning to emerge:

  • Economies of scale. As PIV and PIV-I credentials gain marketplace traction, the card and card reader become commodities and supporting middleware is available in popular operating systems, helping reduce the cost of implementation, speed deployment and simplify use.
  • Published credential standard. The credential is based on the open, published NIST PIV and related standards, making it easier for software providers and developers to enable an increasing number of applications to use the credential.
  • Interoperability. Because PIV-I credentials are based on NIST and other standards, developers can leverage this to enable use of a single credential across a variety of applications and devices. For example, individuals can use one credential to access offices, the parking garage, and client locations and networks (if a trust relationship is established).
  • Fewer credentials. The ultimate goal is to reduce the number of identity credentials that individuals must carry and/or remember in order to prove that they are who they claim to be.
  • Identity assurance. Individuals with PIV-I credentials have been verified through an identity proofing process and enrollment system, and entities can rely on a base level of identity confirmation.
  • Privacy and secure web and messaging applications. Use of the PIV-I credential allows for the secure transfer and storage of data and messages using encryption and digital signatures.
  • Remote access. PIV-I credentials use smart card technology and can offer strong authentication for remote and wireless access to corporate networks.

References

[1] Draft FIPS PUB 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, National Institute of Standards, March 2011

[2] Personal Identity Verification Interoperability for Non-Federal Issuers, Version 1.1, Federal CIO Council, July 2010

[3] Federal Public Key Infrastructure

[4] Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications, Smart Card Alliance Access Control Council white paper, October 2011

About this White Paper

This white paper was developed by the Smart Card Alliance Identity Council to document the benefits of using PIV-interoperable credentials for enterprises and to provide implementation case studies of enterprises that are issuing or planning to issue PIV-I credentials.

Identity Council members involved in the development of this white paper included: Booz Allen Hamilton; Consult Hyperion; Datacard Group; Deloitte & Touche LLP; GSA; HP Enterprise Services; IDenticard Systems, Inc.; Identification Technology Partners; Identive Group; IDmachines; Intellisoft, Inc.; NagraID Security; NXP Semiconductors; Probaris; SAIC; Software House/Tyco; XTec, Inc.

About the Smart Card Alliance Identity Council

The Smart Card Alliance Identity Council is focused on promoting best policies and practices concerning person and machine identity, including strong authentication and the appropriate authorization across different use cases. Through its activities the Council encourages the use of digital identities that provide strong authentication across assurance environments through smart credentials–e.g., smart ID cards, mobile devices, enhanced driver’s licenses, and other tokens.

The Council addresses the challenges of securing identity and develops guidance for organizations so that they can realize the benefits that secure identity delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.