
Personal Identity Verification (PIV) of Federal Employees and Contractors

Summary:

On August 27, 2004, the President signed Homeland Security Presidential Directive 12 (HSPD-12), entitled "Policy for a Common Identification Standard for Federal Employees and Contractors." HSPD-12 required the development and implementation of a government-wide standard for secure and reliable forms of identification for Federal employees and contractors. As required by HSPD-12, the National Institute of Standards and Technology (NIST) developed Federal Information Processing Standard 201 (FIPS 201), titled “Personal Identity Verification (PIV) of Federal Employees and Contractors,” in coordination with other government agencies and the private sector. Subsequently, NIST issued several special publications in support of FIPS 201 to enable interoperable implementations.
 
The form factor for the HSPD-12 “common identification standard” is an integrated-circuit identification card (PIV card) that contains identity credentials, such as cryptographic keys and biometrics, to achieve graduated levels of security, from least secure to most secure, ensuring flexibility in selecting the appropriate level of security for federal applications. The identity credentials are securely stored and protected on the Integrated Circuit Chip (ICC). Cryptographic key material and a Personal Identification Number (PIN) on the card provide for the protection of sensitive stored and communicated data using NIST-approved algorithms.

The release of FIPS 201 in 2005 marked the beginning of a learn-design-develop-test-validate phase for both the private sector and Federal departments and agencies. In 2009, five years later, over 300 standard-conformant products have been developed, validated, and brought to market in support of the PIV card and its infrastructure. Departments and agencies developed and refined their PIV card issuance processes. PIV card issuance systems are operating, and the emphasis has shifted to high-volume enrollment of Federal employees in the PIV System. According to the Office of Management and Budget (OMB)’s PIV Card issuance statistics, more than 2.5 million PIV Cards have been issued to date to Federal government employees and contractors, and another three million cards are expected to be issued in the near future.

Description:

The success of the PIV program is based, in part, on NIST specifications and contributions including:
 
Establish National PIV Program — NIST established the NIST Personal Identity Verification Program (NPIVP) to validate PIV system components required by Federal Information Processing Standard (FIPS) 201. The program facilitated rigorous testing of PIV products through National Voluntary Laboratory Accreditation Program (NVLAP) approved test laboratories. NIST and the test laboratories worked together to establish conformance criteria for PIV products and to ensure tested products are interoperable. NIST developed and published a conformance test suite through Special Publications SP 800-85A (testing PIV card interfaces) and SP 800-85B (testing the PIV card data model). NIST also developed a test tool to automate product testing and to enable consistent testing among the accredited test laboratories. Through an iterative test and validation process with the laboratories, NIST provided additional clarifications and details on the implementation of the PIV standard.
 
PIV Product Demonstrations — NIST sought voluntary participation by companies offering products and services supporting FIPS 201 for the PIV Demonstration. The PIV Demonstration took place from May 15 to June 14, 2006. Forty-four companies voluntarily participated through a Cooperative Research and Development Agreement (CRADA). Over 25 different Federal agencies and departments attended the PIV Demonstration. The PIV Demonstration gave NIST the opportunity to conduct proof-of-concept and interoperability demonstrations of products supporting FIPS 201 and the accompanying special publications. The demonstration proved that commercial products are available to facilitate the HSPD-12 mandate for Federal agencies. The demonstration enabled the exchange of useful information between the participating companies and Federal agencies, which aided agencies in implementing HSPD-12 solutions.
 
PIV Reference Implementation — To aid and guide proper PIV implementation, NIST also provided a reference implementation of the PIV standards. Specifically, NIST developed a PIV Card Simulator that behaves and responds exactly like a PIV Card. NIST also developed PIV Middleware that implements the Application Programming Interface (API) as specified in SP 800-73-2. Both the source code and executables were made available on the PIV website as a reference. Moreover, in response to requests for sample PIV data, NIST developed a software tool that generates PIV data consistent with FIPS 201. The data generator and sample data were made available on the PIV website. The software generated mandatory and optional PIV data elements.
 
Refinement of Standards — NIST performs standards maintenance support activities such as implementation guidelines, reference implementations, and conformance testing. The performance of these follow-on activities ensured interoperability among Federal government identity verification systems. NIST continued to enhance and refine the standards so that the implementing agencies were able to interoperate and benefit from lessons learned. NIST revised FIPS 201, SP 800-73, SP 800-76, and SP 800-78 to incorporate changes in Office of Management and Budget (OMB) policies and to remove the possibility of different interpretations.

End Date:

ongoing

Lead Organizational Unit:

itl

Facilities/Tools Used:

Downloadable software

The list below contains the supporting standards and documents for PIV (Federal Information Processing Standards = FIPS, Publication = PUB, Special Publication = SP, NIST Interagency Report = NIST IR). Links to these standards and documents can be found on the PIV Standards & Documents page on the Computer Security Resource Center (CSRC) website:

FIPS PUB 201

  • PIV Card Specifications -
    SP 800-73-2
    SP 800-76-1
    SP 800-104
    NIST IR 7294
     
  • PIV Applications -
    SP 800-116
     
  • PIV Card and Middleware Conformance Testing -
    SP 800-85A-1
    SP 800-85B
     
  • PIV Reader Specifications -
    SP 800-96
  • PIV Accreditation -
    SP 800-79-1
    SP 800-87 Rev. 1
    NIST IR 7337
    NIST IR 7452

Staff:

David Cooper
301-975-3194
david.cooper@nist.gov

Hildy Ferraiolo
301-975-6972
hildegard.ferraiolo@nist.gov

 

Related Programs and Projects:

Personal Identity Verification Interoperability for Non Federal Issuer (NFI) at http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf

For more information regarding the Personal Identity Verification (PIV) of Federal Employees and Contractors, please visit the Computer Security Resource Center (CSRC).

Associated Products:

  1. NIST PIV Validation Program (NPIVP) at
    http://csrc.nist.gov/groups/SNS/piv/npivp/index.html
     
  2. GSA’s FIPS Approved Product List (APL) at http://fips201ep.cio.gov/apl.php

Contact

General Information:
Hildegard Ferraiolo
(301) 975-6972
hildegard.ferraiolo@nist.gov

100 Bureau Drive, M/S 8930
Gaithersburg, MD 20899-8930