HSPD-12 and FIPS-201 Overview v1.4

2 Learning Objectives At the end of this course, you will be able to: Describe Homeland Security Presidential Directive (HSPD-12) and its purpose Describe Homeland Security Presidential Directive (HSPD-12) and its purpose Describe the Personal Identification Verification (PIV) subsystem Describe the Personal Identification Verification (PIV) subsystem Describe the different types of PIV standards Describe the different types of PIV standards Describe the PIV Roles and Issuance Process Describe the PIV Roles and Issuance Process

3 FIPS-201 PIV Overview Why a FIPS-201 Compliant Personal Identification Verification (PIV) system? Why a FIPS-201 Compliant Personal Identification Verification (PIV) system? What is HSPD-12? What is HSPD-12? What is FIPS-201? What is FIPS-201? What is PIV-I and PIV-II? What is PIV-I and PIV-II? FIPS – Federal Information Processing Standard

4 HSPD-12 and FIPS-201 Overview On August 27, 2004, President Bush signed Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. Based upon this directive, the National Institute for Standards and Technology (NIST) developed Federal Information Processing Standards Publication (FIPS Pub) 201 including a description of the minimum requirements for a Federal personal identification verification (PIV) system. HSPD-12 directs the implementation of a new standardized badging process, which is designed to enhance security, reduce identity fraud, and protect the personal privacy of those issued government identification. On August 27, 2004, President Bush signed Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. Based upon this directive, the National Institute for Standards and Technology (NIST) developed Federal Information Processing Standards Publication (FIPS Pub) 201 including a description of the minimum requirements for a Federal personal identification verification (PIV) system. HSPD-12 directs the implementation of a new standardized badging process, which is designed to enhance security, reduce identity fraud, and protect the personal privacy of those issued government identification.Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors Federal Information Processing Standards Publication (FIPS Pub) 201Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors Federal Information Processing Standards Publication (FIPS Pub) 201

5 PIV-I and PIV-II PIV standard consists of two parts – PIV standard consists of two parts –PIV-I: PIV-I satisfies the control objectives and security requirements of HSPD-12 PIV-II: PIV-II specifies implementation and use of identity credentials on integrated circuit cards (Smart Cards) for use in a Federal personal identity verification system.

6 What is Personal Identification Verification (PIV) The PIV process provides a commonly accepted identification card and reliable form of secure identification for all Federal employees that: The PIV process provides a commonly accepted identification card and reliable form of secure identification for all Federal employees that: Is issued based on sound criteria for verifying an individual’s identity Is issued based on sound criteria for verifying an individual’s identity Is strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation Is strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation Is only issued by providers whose reliability has been established Is only issued by providers whose reliability has been established A PIV card will allow entrance to all VA facilities A PIV card will allow entrance to all VA facilities

7 PIV Roles FIPS 201 requires a separation of roles (jobs) during the PIV issuance process. FIPS 201 requires a separation of roles (jobs) during the PIV issuance process. An employee cannot perform more than one role (except for Facility PIV Card Applicant Representative and Facility Privacy Official) An employee cannot perform more than one role (except for Facility PIV Card Applicant Representative and Facility Privacy Official) Prior to start of the PIV-I process at a facility, employees or contractors must be appointed and certified for each role Prior to start of the PIV-I process at a facility, employees or contractors must be appointed and certified for each role Facility PIV Card Issuance (PCI) Manager Facility PIV Card Issuance (PCI) Manager Official who manages the PIV issuance process at a facility Official who manages the PIV issuance process at a facility Ensures all services specified in FIPS 201 are provided reliably and PIV cards are produced and issued in accordance with requirements. (One primary and one alternate per facility.) Ensures all services specified in FIPS 201 are provided reliably and PIV cards are produced and issued in accordance with requirements. (One primary and one alternate per facility.) PIV Sponsor PIV Sponsor Official who sponsors the Applicant for a PIV card or Temporary Identity Badge Official who sponsors the Applicant for a PIV card or Temporary Identity Badge Is in the best position to know if Applicant requires a PIV Card. (One or more per facility. Facilities may have separate PIV sponsors for employees, contractors, and volunteers/affiliates.) Is in the best position to know if Applicant requires a PIV Card. (One or more per facility. Facilities may have separate PIV sponsors for employees, contractors, and volunteers/affiliates.) PIV Registrar PIV Registrar Official who performs Applicant identity proofing and enrollment functions. (One or more per facility. Most likely assigned to Human Resources or Security and Law Enforcement.) Official who performs Applicant identity proofing and enrollment functions. (One or more per facility. Most likely assigned to Human Resources or Security and Law Enforcement.) PIV Issuer PIV Issuer Official who issues the PIV card or Temporary Identity Badge to the Applicant. (One or more per facility. Most likely assigned to Human Resources or Security and Law Enforcement.) Official who issues the PIV card or Temporary Identity Badge to the Applicant. (One or more per facility. Most likely assigned to Human Resources or Security and Law Enforcement.) Facility PIV Card Applicant Representative Facility PIV Card Applicant Representative Official who represents the interests of PIV Applicants during the PIV card issuance process. (At least one per facility.) Official who represents the interests of PIV Applicants during the PIV card issuance process. (At least one per facility.) Facility Privacy Official Facility Privacy Official Official who oversees privacy issues at the facility. (At least one per facility.) Official who oversees privacy issues at the facility. (At least one per facility.)

8 PIV-I and PIV II VA will implement the PIV card in a two phased approach. VA will implement the PIV card in a two phased approach. In Phase I (PIV-I), a new process will be used for issuing current facility badges. In Phase I (PIV-I), a new process will be used for issuing current facility badges. Starts at VACO on Dec 12, 2006 Starts at VACO on Dec 12, 2006 Other VA sites will start PIV-I throughout Jan-Oct 2006 Other VA sites will start PIV-I throughout Jan-Oct 2006 In Phase II (PIV-II), the PIV Card Issuing (PCI) office will issue a new identity card that will be used for both physical access to VACO buildings and logical access to VA computer systems. In Phase II (PIV-II), the PIV Card Issuing (PCI) office will issue a new identity card that will be used for both physical access to VACO buildings and logical access to VA computer systems. Phase II in Oct Phase II in Oct 2006.