[Federal Register Volume 71, Number 62 (Friday, March 31, 2006)]
[Notices]
[Pages 16289-16290]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-4722]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

RIN 0693-AB56
[Docket No. 050825229-5308-02]


Announcing Approval of Federal Information Processing Standard 
(FIPS) Publication 201-1, Standard for Personal Identity Verification 
of Federal Employees and Contractors

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice announces the Secretary of Commerce's approval of 
Federal Information Processing Standard (FIPS) Publication 201-1, 
Standard for Personal Identity Verification of Federal Employees and 
Contractors. The changes to Section 2.2, PIV Identify Proofing and 
Registration Requirements, Section 4.3, Cryptographic Specifications, 
Section 5.2, PIV Identity Proofing and Registration Requirements, and 
to Section 5.3.1, PIV Card Issuance, clarify the identity proofing and 
registration process that departments and agencies

[[Page 16290]]

should follow when issuing identity credentials. These changes are 
needed to make FIPS 201-1 consistent with the Memorandum for All 
Departments and Agencies (M-05-24), issued by the Office of Management 
and Budget on August 5, 2005, Implementation of Homeland Security 
Presidential Directive (HSPD) 12--Policy for a Common Identification 
Standard for Federal Employees and Contractors.

DATES: The approved changes are effective as of March 31, 2006.

ADDRESSES: The approved changes to FIPS Publication 201-1 are available 
electronically from the NIST Web site at: http://csrc.nist.gov/piv-program/. Comments that were received on the proposed changes will also 
be published electronically at http://csrc.nist.gov/piv-program/.

FOR FURTHER INFORMATION CONTACT: W. Curtis Barker, (301) 975-8443, 
National Institute of Standards and Technology, 100 Bureau Drive, STOP 
8930, Gaithersburg, MD 20899-8930, e-mail: [email protected].
    Information about FIPS 201-1 and the PIV program is available on 
the NIST Web pages: http://csrc.nist.gov/piv-program/.

SUPPLEMENTARY INFORMATION: A Federal Register notice (70 FR 17975-78) 
on April 8, 2005, announced that the Secretary of Commerce had approved 
FIPS Publication 201, Standard for Personal Identity Verification of 
Federal Employees and Contractors. HSPD 12, Policy for a Common 
Identification Standard for Federal Employees and Contractors, dated 
August 27, 2004, directed the Secretary of Commerce to promulgate, by 
February 27, 2005, a Government-wide standard for secure and reliable 
forms of identification to be issued to Federal government employees 
and contractors (including contractor employees).
    FIPS 201 was effective on February 25, 2005, and was made 
compulsory and binding on Federal agencies for use in issuing a secure 
and reliable form of personal identification to employees and 
contractors. The standard does not apply to personal identification 
associated with national security systems as defined by 44 U.S.C. 
3542(b)(2).
    A notice was published in the Federal Register (70 FR 53346-47) on 
September 8, 2005, announcing the proposed changes to FIPS 201. The 
primary goal for the changes are to make FIPS 201-1 consistent with the 
Memorandum for All Departments and Agencies (M-05-24), issued by the 
Office of Management and Budget on August 5, 2005, Implementation of 
Homeland Security Presidential Directive (HSPD) 12--Policy for a Common 
Identification Standard for Federal Employees and Contractors.
    The Federal Register notice solicited comments on the draft 
standard from the public, research communities, manufacturers, 
voluntary standards organizations, and Federal, State, and local 
government organizations. In addition to being published in the Federal 
Register, the notice was posted on the NIST Web pages. Information was 
provided about the submission of electronic comments and an electronic 
template for the submission of comments was made available.
    Comments, responses, and questions were received from private 
sector organizations, groups, or individuals, and Federal government 
organizations. These comments have all been made available by NIST at 
http://csrc.nist.gov/piv-program/. Following is an analysis of the 
comments received, including the interests, concerns, recommendations, 
and issues considered in the development of FIPS 201-1.
    Comment: The requirement to include electronically distinguishable 
NACI indicator in the identity credential should apply to PIV-II only.
    Response: NIST agrees that the NACI indicator does not apply to 
PIV-1. Moved this requirement to Section 5.2 of FIPS 201-1.
    Comment: The exact nature of the electronically distinguishable 
feature must be defined to ensure adequate interoperability.
    Response: NIST specified implementation of the NACI Interim 
Indicator in the PIV Authentication certificate and updated Section 
4.3, Section 5.4.2.1, and the PIV Certificate definition Appendix. 
Specifically, the Interim Indicator shall be implemented as a non-
critical private extension in the PIV Authentication certificate.
    Comment: Agencies do not support 5-day waiting period for the 
completion of the NAC. Agencies strongly disagree with the requirement 
for the NAC completion prior to an employee or contractor receiving a 
credential or access to federally controlled facilities or logical 
access to federally controlled information system. Moreover, agencies 
believed that the NAC results will not be received within five days in 
a majority of the cases. In that regard, the agency leadership must 
delay the hiring process for five additional days with no concomitant 
security benefit.
    Response: NIST removed specific waiting period and NAC without 
written inquiries as a qualifier in Section 2.2 of FIPS 201-1. The 
five-day waiting period did introduce artificial delay in the routine 
card issuance. As a result, pending receipt of the results of the NACI, 
an agency may issue an identity credential based on the FBI National 
Criminal History Check (fingerprint check).
    Comment: Agencies do not support the inclusion of a NACI indicator 
within the identity credential. Agencies believe this requirement will 
be costly to implement because the requirement would require facilities 
to alter or replace the identity credential when the NAC is complete. 
They recommend further analysis regarding the intended use, CONOPS, and 
benefits for this distinguishable element within the identity 
credential is required before their acceptance.
    Response: This requirement is imposed to be consistent with the OMB 
memorandum M-05-24. The NACI indicator relays the rigor of identity 
proofing completed on the PIV cardholder when the card was issued. The 
relying parties, such as federal agencies, may require NACI completion 
to allow access to their resources. The NACI indicator will enable 
agencies to make an informed decision about the cardholders binding to 
the identity credentials.

    Authority: In accordance with the Information Technology 
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal 
Information Security Management Act (FISMA) of 2002 (Pub. L. 107-
347), the Secretary of Commerce is authorized to approve Federal 
Information Processing Standards (FIPS). Homeland Security 
Presidential Directive (HSPD) 12, Policy for a Common Identification 
Standard for Federal Employees and Contractors, dated August 27, 
2004, directed the Secretary of Commerce to promulgate, by February 
27, 2005, a Government-wide standard for secure and reliable forms 
of identification to be issued to Federal government employees and 
contractors.

    E.O. 12866: This notice has been determined to be significant for 
the purposes of E.O. 12866.

    Dated: March 23, 2006.
William Jeffrey,
Director.
 [FR Doc. E6-4722 Filed 3-30-06; 8:45 am]
BILLING CODE 3510-CN-P