[Federal Register Volume 77, Number 131 (Monday, July 9, 2012)]
[Notices]
[Pages 40338-40341]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-16725]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 120608158-2158-01]


Announcing Revised Draft Federal Information Processing Standard 
(FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees 
and Contractors, Request for Comments, and Public Workshop on Revised 
Draft FIPS 201-2

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice and request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
announces the Revised Draft Federal Information Processing Standard 
(FIPS) Publication 201-2, ``Personal Identity Verification of Federal 
Employees and Contractors,'' for public review and comment. The draft 
standard, designated ``Revised Draft FIPS 201-2,'' is proposed to 
supersede FIPS 201-1. NIST will hold a public workshop at NIST in 
Gaithersburg, Maryland, to present the Revised Draft FIPS 201-2. Please 
see admittance instructions in the SUPPLEMENTARY INFORMATION section 
below.

DATES: Comments must be received by Friday, August 10, 2012. The public 
workshop will be held on Wednesday, July 25, 2012. Preregistration must 
be completed by 5:00 p.m. Eastern Time on Wednesday, July 18, 2012.

ADDRESSES: Written comments may be sent to: Chief, Computer Security 
Division, Information Technology Laboratory, ATTN: Comments on Revised 
Draft FIPS 201-2, National Institute of Standards and Technology, 100 
Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic 
comments may be sent to: [email protected]. Anyone wishing to 
attend the workshop in person must pre-register at http://www.nist.gov/allevents.cfm. Additional workshop details and the webcast 
will be available on the NIST Computer Security Resource Center Web 
site at http://csrc.nist.gov.

FOR FURTHER INFORMATION CONTACT: Hildegard Ferraiolo, (301) 975-6972, 
National Institute of Standards and Technology, 100 Bureau Drive, Mail 
Stop 8930, Gaithersburg, MD 20899-8930, email: 
[email protected], or David Cooper, (301) 975-3194, email: 
[email protected].

SUPPLEMENTARY INFORMATION: FIPS 201 was issued on April 8, 2005 (70 FR 
17975), and in accordance with NIST policy was due for review in 2010. 
In consideration of technological advancement over the last five years 
and specific requests for changes from United States Government (USG) 
stakeholders, NIST determined that a revision of FIPS 201-1 (version in 
effect) was warranted. NIST received numerous change requests, some of 
which, after analysis and coordination with Office of Management and 
Budget (OMB) and USG stakeholders, were incorporated in the Draft FIPS 
201-2. Other change requests incorporated in the Draft FIPS 201-2 
resulted from the 2010 Business Requirements Meeting held at NIST. The 
meeting focused on business requirements of federal departments and 
agencies. On March 8, 2011, a notice was published in the Federal 
Register (76 FR 12712), soliciting public comments on a proposed 
revision of FIPS 201-1 (hereafter referred to as the ``2011 Draft''). 
During the public comment period, a public workshop was held at NIST on 
April 18-19, 2011, in order to present the 2011 Draft. NIST developed 
the Revised Draft FIPS 201-2 that is announced in this notice using the 
comments received in response to the March 8, 2011, notice.
    Comments and questions regarding the 2011 Draft were submitted by 
46 entities, composed of 25 U.S. federal government organizations, two 
state government organizations, one foreign government organization, 16 
private sector organizations, and two private individuals. These 
comments have all been made available by NIST at http://csrc.nist.gov. 
None of the commenters opposed the approval of a revised standard. Some 
commenters asked for clarification of the text of the standard and/or 
recommended editorial and/or formatting changes. Other commenters 
suggested modifying the requirements. All of the suggestions, 
questions, and recommendations within the scope of this FIPS were 
carefully reviewed, and changes were made to the standard, where 
appropriate. Some commenters submitted questions or raised issues that 
were related but outside the scope of this FIPS. Comments that were 
outside the scope of this FIPS, but that were within the scope of one 
of the related Special Publications, were deferred for later 
consideration in the context of the revisions to the supporting Special 
Publications. The disposition of each comment that was received has 
been provided along with the comments at http://csrc.nist.gov.

    The following is a summary and analysis of the comments received 
during the public comment period and NIST's responses to them:
    Comment: Seven commenters stated that the document should be 
reorganized since it includes logical card characteristics in the 
section on physical card characteristics and it does not describe the 
requirements for the collection of biometric data until long after 
references to the biometric data are first made.
    Response: Requirements for the collection of biometric data and 
recommendations for the maintenance of a chain-of-trust have been moved 
from Section 4 to the beginning of Section 2. Section 4 has also been 
reorganized to separate the requirements for the logical card 
characteristics from the requirements for the physical card 
characteristics.
    Comment: The 2011 Draft proposed a secure messaging capability. Six 
commenters indicated that the proposed secure messaging capability 
needs to be enhanced in order to permit all functionality of the PIV 
Card to be accessible over the contactless interface of the card.
    Response: The Revised Draft FIPS 201-2 introduces the concept of a 
virtual contact interface, over which all functionality of the PIV Card 
is accessible.
    Comment: Seven commenters indicated that the standard needs to 
accommodate the Federal Government's movement towards mobile devices 
and permit the issuance of PIV Cards that have form factors other than 
the current International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC) 7810 (credit-card) form 
factor.
    Response: The Revised Draft FIPS 201-2 continues to require every 
cardholder to be issued an ISO/IEC 7810 form factor PIV Card, but it 
introduces the ability to issue PIV derived credentials, which may be 
provisioned to devices other than an ISO/IEC 7810 form factor.
    Comment: The 2011 Draft introduced iris images as an alternative to 
fingerprints for individuals from whom fingerprints cannot be 
collected. Three commenters suggested that the use of iris as an 
alternative is an undue burden. Six commenters noted that the 2011 
Draft is unclear about how to address applicants from whom neither 
fingerprints nor iris images can be obtained.
    Response: The Revised Draft FIPS 201-2 makes collection of iris 
images optional. During PIV Card issuance and maintenance processes, a 
one-to-one biometric match is required. However, the Revised Draft FIPS 
201-2 permits the use of automated iris or facial image matching when 
fingerprints are unavailable. In cases where iris or facial image data 
is not available, or where the issuer does not support automated 
biometric comparison based on these types of biometrics, identity 
source documents may be used to verify the identity of the applicant or 
cardholder.
    Comment: Twelve comments addressed the Lightweight Directory Access 
Protocol (LDAP) as a means to distribute certificates and Certificate 
Revocation Lists (CRLs). These comments indicated that LDAP is not used 
and that the Hypertext Transfer Protocol (HTTP) is now considered the 
preferred option to distribute certificates and CRLs.
    Response: The Revised Draft FIPS 201-2 removes the requirement to 
distribute certificates and CRLs via LDAP, but continues to require 
conformance to the ``X.509 Certificate and Certificate Revocation List 
(CRL) Extensions Profile for the Shared Service Provider (SSP) 
Program,'' which can be updated as necessary to account for changes in 
technology.
    Comment: Ten comments indicated that the requirements for issuing 
PIV Cards to applicants during the grace period are unclear and appear 
to conflict with guidance from the Office of Personnel Management (OPM) 
with respect to requirements for background re-investigations.
    Response: The section describing the grace period has been 
rewritten to clarify the requirements and to make it clear that 
background re-investigations only need to be performed if required, in 
accordance with OPM guidance.
    Comment: Twelve commenters noted that the difference between 
reissuance and renewal of PIV Cards is unclear.
    Response: The Revised Draft FIPS 201-2 indicates that PIV Card 
renewal applies when a valid PIV Card is replaced with a new card and 
that PIV Card reissuance applies when a new PIV Card is issued to 
replace a lost, stolen, or damaged card. PIV Card reissuance also 
applies when a card is replaced because one or more of its logical 
credentials have been compromised.
    Comment: Four commenters indicated that Federal agencies should be 
able to perform Personal Identification Number (PIN) resets without 
requiring cardholders to appear in person before a card issuer. It is 
unclear whether remote resets are permitted in the 2011 Draft.
    Response: The requirements for resetting PINs have been rewritten 
in the Revised Draft FIPS 201-2. The Revised Draft FIPS 201-2 specifies 
different requirements for resetting a PIN depending on whether the PIN 
is reset in-person at an issuer's facility, at an unattended issuer-
operated kiosk, or remotely from a general computing platform (e.g., 
desktop or laptop).
    Comment: FIPS 201-1 and the 2011 Draft describe two very weak 
authentication mechanisms as providing some assurance in the identity 
of the cardholder: Visual inspection of the PIV Card by a human guard 
(VIS) and reading the cardholder unique identifier from the card 
(CHUID). Fifteen comments were received about the CHUID and VIS 
authentication mechanisms indicating that the use of these two 
authentication mechanisms should be deprecated.
    Response: The Revised Draft FIPS 201-2 states that the VIS and 
CHUID authentication mechanisms provide little or no assurance in the 
identity of the cardholder. The Revised Draft FIPS 201-2 also 
deprecates the use of the CHUID authentication mechanism.
    Comment: The 2011 Draft defines some authentication mechanisms that 
may be difficult or impossible for individuals with certain 
disabilities to perform. Three commenters noted that the 2011 Draft 
does not clearly indicate what departments and agencies need to do to 
accommodate individuals with disabilities.
    Response: The processes for issuing, reissuing, renewing, and 
resetting PIV Cards have been updated to include new options for 
authenticating the cardholder in the case that authentication cannot be 
performed using a match of either fingerprints or iris images. While 
Revised Draft FIPS 201-2 describes authentication mechanisms that can 
be implemented using the PIV Card, which may be used to authenticate 
individuals who are attempting to gain physical access to federally 
controlled facilities or logical access to federally controlled 
information systems, it is the responsibility of departments and 
agencies developing access control systems to choose the authentication 
mechanisms that are appropriate for their systems. The Revised Draft 
FIPS 201-2 includes a reminder to departments and agencies that when 
implementing PIV systems they should consider provisions to accommodate 
employees and contractors with disabilities in accordance with Section 
508 of the Rehabilitation Act.
    Comment: Information about card topography is currently split 
between the 2011 Draft and NIST Special Publication 800-104, A Scheme 
for PIV Visual Card Topography. Three commenters noted that it would be 
clearer if all of this information were consolidated in one document.
    Response: All of the information from Special Publication 800-104 
has been incorporated into the Revised Draft FIPS 201-2, and Special 
Publication 800-104 will be withdrawn after FIPS 201-2 has been 
approved. As a result of incorporating Special Publication 800-104 into 
Revised Draft FIPS 201-2, the employee affiliation color-coding and the 
large expiration date in the upper right-hand corner of the card are 
now mandatory. Revised Draft FIPS 201-2 also now states that the 
``Federal Emergency Response Official'' indicator or country of 
citizenship information, when present, shall be indicated at the bottom 
of the card.
    Comment: Three commenters noted that there is no information on 
adoption/migration between versions of FIPS 201 and that guidance is 
needed to distinguish which version of FIPS 201 was used to issue a 
given card. Seven commenters also pointed out that guidance is needed 
on the adoption/migration of new features.
    Response: The version management for PIV Cards and middleware will 
be addressed in revisions to Special Publication 800-73, Interfaces for 
Personal Identity Verification. New features of FIPS 201-2 that depend 
upon the release of new or revised NIST Special Publications are 
effective immediately upon final publication of the supporting Special 
Publication. A timetable to achieve compliance with FIPS 201-2 has been 
coordinated with OMB and is included in the Revised Draft FIPS 201-2.
    Comment: One commenter noted that the chain-of-trust introduces a 
new requirement that is cost-prohibitive to implement.
    Response: The chain-of-trust is optional in the Revised Draft FIPS 
201-2. The concept of chain-of-trust was requested by federal agencies 
as a cost savings measure that streamlines current practices for 
issuance, reissuance, and renewal procedures. Agencies can use their 
internally defined enrollment data records as the means to implement 
the chain-of-trust. The Revised Draft FIPS 201-2 only requires specific 
formats and structures for the import and export of chain-of-trust 
records for agencies choosing to implement interagency transfer of 
enrollment data records.
    Comment: Six commenters noted that it is unclear what type of data 
is part of the chain-of-trust records.
    Response: In the Revised Draft FIPS 201-2, the section describing 
the chain-of-trust includes recommendations for the type of data to be 
collected and included in the chain-of-trust.
    Comment: Five commenters noted that in addition to printing the 
facial image on the card, most issuers today also store the facial 
image electronically in the chip on the card. FIPS 201-2 should make 
this mandatory in order to provide a low cost alternative for 
cardholder identification and authentication.
    Response: As requested by federal agencies, Revised Draft FIPS 
201-2 defines the facial image as part of HSPD-12 ``common identification'' 
credential by including it as one of the core mandatory logical 
credentials of the PIV Card. The digital signature key and key 
management key are also included as core mandatory credentials of the 
PIV card. These additional changes were requested by OMB in order to 
align the Revised Draft FIPS 201-2 with the Federal Identity, 
Credential, and Access Management (FICAM) Roadmap and Implementation 
Guidance.
    Comment: Seven commenters requested that the Universally Unique 
Identifier (UUID) be made mandatory for interoperability between PIV 
and PIV-Interoperable (PIV-I) ecosystems.
    Response: In response to the many similar comments, the Revised 
Draft FIPS 201-2 specifies the UUID as a mandatory unique identifier 
for the PIV Card, in addition to the Federal Agency Smart Credential 
Number (FASC-N).
    Comment: Many federal employees and contractors prefer to be known 
by a professional name that is different from the name used in their 
personal lives. Three commenters requested that FIPS 201-2 permit the 
cardholder's professional name to be printed on the PIV Card rather 
than the name appearing on the cardholder's identity source documents.
    Response: NIST raised this issue with OMB, which is responsible for 
making decisions on this type of issue. Because the PIV card is an 
official USG issued card, OMB determined that the name that appears on 
the PIV Card must be the name that has been verified through identity 
source documents.
    Comment: One commenter requested that the Revised Draft FIPS 201-2 
reaffirm that PIV Card Issuers' self-accreditation as specified in SP 
800-79, Guidelines for the Accreditation of Personal Identity 
Verification Card Issuers, remains in effect.
    Response: The Revised Draft FIPS 201-2 clarifies that self-
accreditation as per SP 800-79 continues to be acceptable, so long as 
it is supplemented by a third-party accreditation review.
    Comment: Three commenters stated that requiring a biometric match 
between the full set of fingerprints collected for law enforcement 
checks and the two fingerprints collected for placement on the PIV Card 
is an undue burden since these two sets of fingerprints are commonly 
collected on two different systems that are not integrated.
    Response: The Revised Draft FIPS 201-2 makes it clear that a 
biometric match is only required if the two sets of fingerprints are 
collected on separate occasions, and is not required if the two sets 
are collected at the same time on different systems. The Revised Draft 
FIPS 201-2 also clarifies that a full set of fingerprints does not need 
to be collected from an applicant if a completed and favorably 
adjudicated National Agency Check with Written Inquiries (NACI) (or 
equivalent or higher) or Tier 1 or higher federal background 
investigation can be located and referenced for the individual.
    Comment: Four commenters noted that Federal agencies should be 
permitted to register PIV-Interoperable (PIV-I) credentials in lieu of 
issuing PIV credentials provided that attributes such as successful 
completion of a NACI can be electronically validated.
    Response: HSPD-12 specifies that agencies shall use ``secure and 
reliable forms of identification issued by the Federal Government to 
its employees and contractors (including contractor employees).'' The 
use of an externally issued credential, such as a PIV-I credential, as 
an alternative to issuing a PIV Card, would not be consistent with 
HSPD-12.
    FIPS 201-1 and Revised Draft FIPS 201-2 are available 
electronically from the NIST Web site at: http://csrc.nist.gov/publications/fips/index/html.
    Public Workshop: NIST will hold a public workshop on Revised Draft 
FIPS 201-2 on Wednesday, July 25, 2012, at NIST in Gaithersburg, 
Maryland. The workshop may also be attended remotely via webcast. The 
agenda, webcast, and related information for the public workshop will 
be available before the workshop on the NIST Computer Security Resource 
Center Web site at http://csrc.nist.gov. This workshop is not being 
held in anticipation of a procurement activity. Anyone wishing to 
attend the workshop in person must pre-register at http://www.nist.gov/allevents.cfm by 5:00 p.m. Eastern Time on July 18, 2012, in order to 
enter the NIST facility and attend the workshop.

    Authority: In accordance with the Information Technology 
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal 
Information Security 
Management Act of 2002 (FISMA) (Pub. L. 107-347), the Secretary of 
Commerce is authorized to approve Federal Information Processing 
Standards (FIPS). Homeland Security Presidential Directive (HSPD) 
12, entitled ``Policy for a Common Identification Standard for 
Federal Employees and Contractors,'' dated August 27, 2004, directed 
the Secretary of Commerce to promulgate, by February 27, 2005, ``* * 
* a Federal standard for secure and reliable forms of identification 
(the `Standard') * * *,'' and further directed that the Secretary of 
Commerce ``shall periodically review the Standard and update the 
Standard as appropriate in consultation with the affected 
agencies.''

    E.O. 12866: This notice has been determined to be not significant 
for purposes of E.O. 12866.

    Dated: July 2, 2012.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2012-16725 Filed 7-6-12; 8:45 am]
BILLING CODE 3510-13-P