U.S. Commerce Secretary Carlos M. Gutierrez issued new standards Friday for government-issued smart cards specifying the technical and operational requirements to meet President Bush’s mandate for standard federal ID credentials.
The standards call for all federal agencies and their contractors to be issued a credit-card-sized ID that contains a PIN, digital photograph and two digitally stored fingerprints.
Gutierrez also announced all federal agencies have until October to meet the first part of the Personal Identity Verification (PIV) standard, which sets the minimum requirements needed to meet the presidential directive.
“This new standard will enable federal agencies to issue more secure and
reliable forms of identification to better protect federal assets against
threats such as terrorist attacks. It also will help safeguard against other
risks such as identity theft,” Gutierrez said in a statement.
The standards are contained in three technical publications that outline
several aspects of the required administrative procedures and technical
specifications that are expected to change as the standard is implemented
and used.
The first publication, Integrated Circuit Card for Personal Identity
Verification, specifies the interface and data elements of the PIV card.
The second, Biometric Data Specification for Personal Identity
Verification, addresses the technical acquisition and formatting
requirements for the biometric data of the PIV system.
The third document, Recommendations for Cryptographic Algorithms and Key
Sizes, specifies the acceptable cryptographic algorithms and key sizes
to be implemented and used for the PIV system.
In addition, further guidelines and recommendations have been identified as
still needed to implement the PIV system, including on the protection of the
personal privacy of federal employees and on authentication procedures.
According to the Commerce Department, these activities will be pursued as
resources permit.
“Protecting federal facilities, systems and the employees who have access to
them is of vital importance to this administration,” said Gutierrez.
Currently, the government uses a wide range of ID mechanisms to authenticate
identity. For physical access, paper or other non-automated, hand-carried
credentials, such as driver’s licenses and badges, have traditionally been
used. Access authorization to computers and data has traditionally been
authenticated through user-selected passwords.
More recently, cryptographic mechanisms and biometric techniques have been
used in physical and logical security applications, replacing or
supplementing the traditional credentials.
“This [new] standard defines authentication mechanisms offering varying
degrees of security. Federal departments and agencies will determine the
level of security and authentication mechanisms appropriate for their
applications,” the standards report states. “This standard does not specify
access control policies or requirements for federal departments and
agencies. Therefore, the scope of this standard is limited to authentication
of an individual’s identity. Access authorization decisions are outside the
scope of this standard.”