[Federal Register Volume 70, Number 67 (Friday, April 8, 2005)]
[Notices]
[Pages 17975-17978]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-7038]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 041103306-5014-02]
RIN 0693-AB54


Announcing Approval of Federal Information Processing Standard 
(FIPS) Publication 201, Standard for Personal Identity Verification of 
Federal Employees and Contractors

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Commerce has approved Federal Information 
Processing Standard (FIPS) Publication 201, Standard for Personal 
Identity Verification of Federal Employees and Contractors, and has 
made it compulsory and binding on Federal agencies for use in issuing a 
secure and reliable form of personal identification to employees and 
contractors. The standard does not apply to personal identification 
associated with national security systems as defined by 44 U.S.C. 
3542(b)(2).
    Homeland Security Presidential Directive (HSPD) 12, Policy for a 
Common Identification Standard for Federal Employees and Contractors, 
dated August 27, 2004, directed the Secretary of Commerce to 
promulgate, by February 27, 2005, a Government-wide standard for secure 
and reliable forms of identification to be issued by the Federal 
Government to its employees and contractors (including contractor 
employees). HSPD-12 specified that the secure and reliable forms of 
identification to be issued to employees and contractors should be 
based on: sound criteria for verifying an individual employee's 
identity; strong resistance to identity fraud, tampering, and terrorist 
exploitation; capability of being rapidly authenticated electronically; 
and issuance by providers whose reliability has been established by an 
official accreditation process.
    FIPS 201 was developed to satisfy the technical, administrative, 
and timeliness requirements of HSPD 12. The standard was developed in a 
``manner consistent with the Constitution and applicable laws, 
including the Privacy Act (5 U.S.C. 552a) and other statutes protecting 
the rights of Americans'' as required in HSPD 12. In developing the 
standard, NIST used technical input solicited from industry and 
government participants in workshops and public meetings, and from a 
Federal Register notice (69 FR 68128) of November 23, 2004, inviting 
comments from industry and government on the draft standard.

DATES: This standard is effective February 24, 2005.

ADDRESSES: A copy of FIPS Publication 201 is available electronically 
from the NIST Web site at: http://csrc.nist.gov/publications/.

FOR FURTHER INFORMATION CONTACT: W. Curtis Barker, (301) 975-8443, 
National Institute of Standards and Technology, 100 Bureau Drive, STOP 
8930, Gaithersburg, MD 20899-8930, e-mail: [email protected].

SUPPLEMENTARY INFORMATION: A notice was published in the Federal 
Register (69 FR 55586) on September 15, 2004, announcing a Public 
Workshop on Personal Identity Verification (PIV) of Federal Employees/
Contractors. The primary goal of the workshop was to obtain information 
on secure and reliable methods of verifying the identity of Federal 
employees and contractors who are given authorized access to Federal 
facilities and information systems. Workshop participants included 
representatives from government and industry organizations. An overview 
of the requirements of HSPD 12 and the schedule established by NIST for 
developing and promulgating the required standard were discussed.
    A Federal Register notice [69 FR 68128] was published on November 
23, 2004, announcing draft FIPS 201 and soliciting comments on the 
draft standard from the public, research communities, manufacturers, 
voluntary standards organizations, and Federal, State, and local 
government organizations. In addition to being published in the Federal 
Register, the notice was posted on the NIST Web pages. Information was 
provided about the submission of electronic comments and an electronic 
template for the submission of comments was made available.
    Comments, responses, and questions were received from 55 private 
sector organizations, groups, or individuals, 33 Federal government 
organizations and one Canadian government organization.
    These comments have all been made available by NIST at http://csrc.nist.gov/piv-project/fips201-support-docs.html. Many of the 
comments received recommended editorial changes, provided general 
comments, and asked questions concerning the implementation of the 
standard. Many comments supported the goals of personal identity 
verification. Some of the comments recommended against adoption of this 
or any similar standard.
    The primary interests and issues that were raised in the comments 
included: Installed or competing technology; emerging technology and 
standards; technology neutrality; privacy; security; timeliness; cost; 
interoperability; scope; applicability; flexibility; simplicity; 
consistency; and ease of use. Detailed technical comments covered 
issues including: Identity proofing and registration; smart card 
topology; card programming; biometrics; graduated levels of assurance/
protection; public key infrastructure supporting digital signatures for 
data security and authentication.
    The technical specifications were modified based on the comments 
received, while maintaining a complete, coherent standard. The standard 
was modified to strengthen the process for assuring the secure and 
reliable identification of Federal employees and contractors to whom 
PIV cards are to be issued. Applicants for PIV cards are to appear in 
person, provide two original documents showing identity, and provide 
background information that can be verified. Agencies are required to 
photograph and fingerprint applicants, to initiate background checks 
using the National Agency Check with Inquiries (NACI) or National 
Agency Check (NAC) procedures, and to complete other steps to assure 
security, privacy and proper storage of information. NIST has also 
revised the standard to provide for specified graduated security levels 
of protection features from the least secure to the most secure, in 
accordance with the requirements of HSPD-12. These features are 
provided within the standard with technical assurances and for agency 
use in selecting the appropriate level of security for each 
application. Other technical questions and issues including the 
specifications for the PIV card interface and the biometric algorithm 
interface are addressed in technical publications that accompany and 
support the implementation of FIPS 201. Draft NIST Special Publication 
800-73, Integrated Circuit Card for Personal Identity Verification, and 
draft NIST Special Publication 800-76, Biometric Data Specification for 
Personal Identity Verification, have been posted on NIST's Web pages 
for public review and comment. These documents can be found at http://csrc.nist.gov/publications/drafts.html. Additional Special Publications 
will be developed as needed and made available for public review.
    Issues concerning agency budget constraints and the schedule for 
implementation of the standard have been referred to the Office of 
Management and Budget (OMB). Comments noting ambiguities or asking for 
clarification concerning the standard have been incorporated into a 
Frequently Asked Questions (FAQ) document to be published and 
maintained on NIST's Web pages in the PIV Project Web site. All of the 
editorial suggestions were carefully reviewed and changes were made to 
the standard where appropriate.
    A Federal Register notice [69 FR 78033] was published on December 
29, 2004, announcing a public meeting that was held on January 19, 
2005, to discuss the privacy, security, and policy issues associated 
with HSPD-12. Many other meetings and discussions with industry and 
government representatives were 
held to balance the different, conflicting, and often mutually 
exclusive interests of the parties providing comments. The approved 
standard reflects these balanced interests while meeting the overall 
objectives of quality and timeliness of the standard.
    Following is an analysis of the comments received, including the 
interests, concerns, recommendations, and issues considered in the 
development of FIPS 201. More information about the development of FIPS 
201 is available on NIST's Web pages at http://www.csrc.nist.gov.
    Comment: Some Federal agencies were concerned about the cost of 
implementing the standard, their ability to implement the standard 
within their budget constraints and the tight schedule specified in the 
standard for implementation.
    Response: Issues concerning the costs of implementing the standard 
and the schedule for implementation have been referred to the Office of 
Management and Budget (OMB).
    Comment: Comments were received about protecting the privacy of 
individuals, and limiting the sharing of information on personal 
identity between organizations. Some comments expressed concern about 
the interoperability provisions of the PIV card possibly leading to the 
linking of databases with information about individuals, and the 
issuance of a national identity card.
    Response: The privacy requirements contained in FIPS 201 and 
guidance to agencies to ensure the privacy of applicants for PIV cards 
have been strengthened in Section 2.3. The requirements for agencies 
include: The appointment of a PIV Privacy Official; the assessment of 
systems for their impact on privacy; identification of information to 
be collected about individuals and how the information will be used; 
assurance that systems containing personal information adhere to fair 
information practices; and audits of systems for compliance with 
privacy policies and practices. OMB has informed NIST that it intends 
to issue privacy and implementation guidance to agencies.
    Comment: Comments were received about ambiguities in the standard 
and issues that needed to be clarified, both in the text of the 
standard and in the diagrams that accompany the text. Other comments 
and questions pertained to agency authority in determining those 
individuals to whom PIV cards should be issued.
    Response: Comments noting technical ambiguities and requests for 
clarification concerning specific provisions in the standard were 
reviewed and changes to clarify the intent were incorporated into the 
standard where appropriate. Comments requesting clarification on issues 
not specifically addressed in the technical specifications, such as 
costs, policies, agency roles and responsibilities, have been addressed 
and answered in a document of Frequently Asked Questions (FAQ). This 
document will be published when the standard is approved and will be 
maintained on NIST's Web pages in the PIV Project Web site. Other 
comments noting ambiguities dealing with implementation of the standard 
will be addressed in the implementation guidance currently under 
development.
    Comment: Technical issues were raised concerning identity 
validation or ``proofing'' to be performed when initiating the issuance 
of a PIV Card, and the graduated criteria from the least secure to the 
most secure. These protection features were required in HSPD-12 to 
ensure flexibility in selecting the appropriate level of security for 
each application.
    Response: The technical specifications were modified based on the 
comments received, while maintaining a complete, coherent standard, and 
including the required graduated security levels of protection. The 
specifications were modified to allow for the use of a government-
issued document and a background check to assure the identity of the 
individual to whom a card would be issued. The security features are 
provided within the revised standard with technical assurances, and are 
available for agency use in selecting the appropriate level of 
security, from some security to very high security, for each form of 
identity issued and for each application.
    Comment: Technical issues were raised concerning the PIV Card 
interface and the biometric specifications. Some comments pointed out 
that the requirement for two fingerprint images and a facial image 
would occupy most of the storage capabilities of the chip on the card. 
Other comments pertained to the number of fingerprints that should be 
included on a PIV card, and recommended the use of additional biometric 
information.
    Response: Since the storage of a facial image of the applicant on 
the chip would consume much of the electronic memory of a PIV card, the 
specifications were modified to require storage of only two fingerprints. 
The use of fingerprint data provides a reliable and secure means of 
automated identification, and agencies are required to put photographs 
of applicants on the cards for a visual means of identification. The 
use of a stored facial image on the PIV card can be evaluated in the 
future as card capacity increases. Issues concerning the card interface 
and the storage of personal information are addressed in technical 
publications that accompany FIPS 201, including draft NIST Special 
Publication 800-73, Integrated Circuit Card for Personal Identity 
Verification, and other planned Special Publications. Additionally, the 
interface and formatting requirements for biometric information are 
addressed in draft NIST Special Publication 800-76, Biometric Data 
Specification for Personal Identity Verification. SP 800-73 and 
SP 800-76 have been posted on NIST's web pages for public review and 
comment [http://csrc.nist.gov/publications/drafts.html]. The issuance of 
recommendations for interfaces, storage and formatting specifications 
in Special Publications allows for flexibility and adaptability as the 
technology improves.
    Comment: Issues were raised about the card specifications, 
including the use of certain authentication protocols. Other issues 
concerned the topology, or physical layout, of the card, and the 
authority of agencies to select formats, appearances of the card and 
special security threats.
    Response: Clarifications were made to the text of the standard to 
make the requirements for authentication protocols more specific. The 
authentication mechanisms that are provided in the standard enable 
agencies to implement methods including visual identification, use of 
biometric data, and use of asymmetric keys, which help to establish the 
agency's confidence in the identity of a cardholder presenting a PIV 
card. The text was clarified to identify those areas where agencies can 
have flexibility in determining the format and appearance of the card. 
The inclusion of a photograph of a PIV cardholder is mandatory. The use 
of an agency seal is optional. Because of certain heightened overseas 
threats, an agency may issue credentials that do not contain (or 
otherwise do not fully support) the wireless and/or biometric 
capabilities.
    Comment: Issues were raised concerning the secure administration of 
the card-issuing system, including processes for renewal of cards, for 
making changes to the cards, for protecting against fraud, 
counterfeiting, and modification of cards, and for including agency and 
personal information on cards.
    Response: These topics will be addressed in the Frequently Asked 
Questions document that will be available on NIST's web pages when the 
standard is issued, and in currently available draft Special 
Publications, as well as future NIST Special Publications.
    This action has been determined to be significant under E.O. 12866.

    Authority: In accordance with the Information Technology 
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal 
Information Security Management Act (FISMA) of 2002 (Pub. L. 
107-347), the Secretary of Commerce is authorized to approve Federal 
Information Processing Standards (FIPS). Homeland Security 
Presidential Directive (HSPD) 12 entitled ``Policy for a Common 
Identification Standard for Federal Employees and Contractors'', 
dated August 27, 2004, directed the Secretary of Commerce to 
promulgate, by February 27, 2005, a Government-wide standard for 
secure and reliable forms of identification to be issued by the 
Federal Government to its employees and contractors.

    Dated: March 30, 2005.
Hratch G. Semerjian,
Acting Director, NIST.
[FR Doc. 05-7038 Filed 4-7-05; 8:45 am]
BILLING CODE 3510-CN-P