HSPD-12 and FIPS-201HSPD-12 and FIPS-201OverviewOverview

v1.4v1.4

2

Learning ObjectivesLearning Objectives

At the end of this course, you will be able At the end of this course, you will be able to:to:

Describe Homeland Security Presidential Describe Homeland Security Presidential Directive (HSPD-12) and its purposeDirective (HSPD-12) and its purpose

Describe the Personal Identification Describe the Personal Identification Verification (PIV) subsystemVerification (PIV) subsystem

Describe the different types of PIV Describe the different types of PIV standardsstandards

Describe the PIV Roles and Issuance Describe the PIV Roles and Issuance ProcessProcess

3

FIPS-201 PIV OverviewFIPS-201 PIV Overview

Why a FIPS-201 Compliant Personal Why a FIPS-201 Compliant Personal Identification Verification (PIV) systemIdentification Verification (PIV) system?? What is What is HSPD-12? HSPD-12? What isWhat is FIPS-201? FIPS-201? What is What is PIV-IPIV-I and and PIV-II?PIV-II?

FIPS – Federal Information Processing StandardFIPS – Federal Information Processing Standard

4

HSPD-12 and FIPS-201 HSPD-12 and FIPS-201 OverviewOverview

On August 27, 2004, President Bush signed On August 27, 2004, President Bush signed Homeland Security Presidential Directive 12 (HSPDHomeland Security Presidential Directive 12 (HSPD-12), -12), Policy for a Common Identification Standard for FePolicy for a Common Identification Standard for Federal Employees and Contractorsderal Employees and Contractors.. Based upon this directive, the National Institute Based upon this directive, the National Institute for Standards and Technology (NIST) developed for Standards and Technology (NIST) developed Federal Information Processing Standards PublicatiFederal Information Processing Standards Publication (FIPS Pub) 201on (FIPS Pub) 201 including a description of the minimum including a description of the minimum requirements for a Federal personal identification requirements for a Federal personal identification verification (PIV) system. HSPD-12 directs the verification (PIV) system. HSPD-12 directs the implementation of a new standardized badging implementation of a new standardized badging process, which is designed to enhance security, process, which is designed to enhance security, reduce identity fraud, and protect the personal reduce identity fraud, and protect the personal privacy of those issued government identification. privacy of those issued government identification.

5

PIV-I and PIV-IIPIV-I and PIV-II

PIV standard consists of two parts – PIV standard consists of two parts –

PIV-I:PIV-I:

PIV-I satisfies the control objectives and PIV-I satisfies the control objectives and security requirements of HSPD-12security requirements of HSPD-12

PIV-II:PIV-II:

PIV-II specifies implementation and use of PIV-II specifies implementation and use of identity credentials on integrated circuit identity credentials on integrated circuit cards (Smart Cards) for use in a Federal cards (Smart Cards) for use in a Federal personal identity verification systempersonal identity verification system..

6

What is Personal What is Personal Identification Identification

Verification (PIV)Verification (PIV) The PIV process provides a commonly accepted The PIV process provides a commonly accepted

identification card and reliable form of secure identification card and reliable form of secure identification for all Federal employees that: identification for all Federal employees that:

Is issued based on sound criteria for verifying Is issued based on sound criteria for verifying an individual’s identity an individual’s identity

Is strongly resistant to identity fraud, Is strongly resistant to identity fraud, tampering, counterfeiting and terrorist tampering, counterfeiting and terrorist exploitation exploitation

Is only issued by providers whose reliability has Is only issued by providers whose reliability has been establishedbeen established

A PIV card will allow entrance to all VA facilities A PIV card will allow entrance to all VA facilities

7

PIV RolesPIV Roles FIPS 201 requires a separation of roles (jobs) during the PIV issuance process. FIPS 201 requires a separation of roles (jobs) during the PIV issuance process.

An employee cannot perform more than one role (except for Facility PIV Card Applicant An employee cannot perform more than one role (except for Facility PIV Card Applicant Representative and Facility Privacy Official)Representative and Facility Privacy Official)

Prior to start of the PIV-I process at a facility, employees or contractors must be Prior to start of the PIV-I process at a facility, employees or contractors must be appointed and certified for each roleappointed and certified for each role

Facility PIV Card Issuance (PCI) ManagerFacility PIV Card Issuance (PCI) Manager Official who manages the PIV issuance process at a facilityOfficial who manages the PIV issuance process at a facility Ensures all services specified in FIPS 201 are provided reliably and PIV cards are Ensures all services specified in FIPS 201 are provided reliably and PIV cards are

produced and issued in accordance with requirements. (One primary and one alternate produced and issued in accordance with requirements. (One primary and one alternate per facility.)per facility.)

PIV SponsorPIV Sponsor Official who sponsors the Applicant for a PIV card or Temporary Identity BadgeOfficial who sponsors the Applicant for a PIV card or Temporary Identity Badge Is in the best position to know if Applicant requires a PIV Card. (One or more per Is in the best position to know if Applicant requires a PIV Card. (One or more per

facility. Facilities may have separate PIV sponsors for employees, contractors, and facility. Facilities may have separate PIV sponsors for employees, contractors, and volunteers/affiliates.)volunteers/affiliates.)

PIV RegistrarPIV Registrar Official who performs Applicant identity proofing and enrollment functions. (One or Official who performs Applicant identity proofing and enrollment functions. (One or

more per facility. Most likely assigned to Human Resources or Security and Law more per facility. Most likely assigned to Human Resources or Security and Law Enforcement.)Enforcement.)

PIV IssuerPIV Issuer Official who issues the PIV card or Temporary Identity Badge to the Applicant. (One or Official who issues the PIV card or Temporary Identity Badge to the Applicant. (One or

more per facility. Most likely assigned to Human Resources or Security and Law more per facility. Most likely assigned to Human Resources or Security and Law Enforcement.)Enforcement.)

Facility PIV Card Applicant RepresentativeFacility PIV Card Applicant Representative Official who represents the interests of PIV Applicants during the PIV card issuance Official who represents the interests of PIV Applicants during the PIV card issuance

process. (At least one per facility.)process. (At least one per facility.) Facility Privacy OfficialFacility Privacy Official

Official who oversees privacy issues at the facility. (At least one per facility.)Official who oversees privacy issues at the facility. (At least one per facility.)

8

PIV-I and PIV IIPIV-I and PIV II

VA will implement the PIV card in a two VA will implement the PIV card in a two phased approach. phased approach. In Phase I (PIV-I), a new process will be used for In Phase I (PIV-I), a new process will be used for

issuing current facility badges. issuing current facility badges. Starts at VACO on Dec 12, 2006Starts at VACO on Dec 12, 2006 Other VA sites will start PIV-I throughout Jan-Oct 2006 Other VA sites will start PIV-I throughout Jan-Oct 2006

In Phase II (PIV-II), the PIV Card Issuing (PCI) In Phase II (PIV-II), the PIV Card Issuing (PCI) office will issue a new identity card that will be office will issue a new identity card that will be used for both physical access to VACO buildings used for both physical access to VACO buildings and logical access to VA computer systems. and logical access to VA computer systems.

Phase II in Oct 2006. Phase II in Oct 2006.