
PIV (Personal Identity Verification)

The size of a credit card, the PIV card will use cryptographic and biometric technologies to support the graduated levels of security required for agency applications. Each card will hold a Personal Identification Number (PIN), which authenticates the cardholder to the card in the same way a PIN is used with an ATM card: the cardholder presents the PIN to the card, but the stored PIN never leaves the card and cannot be read from it. The card will also carry a Cardholder Unique Identifier (CHUID), which identifies the individual within the PIV system, and two electronic fingerprint templates, securely stored and protected on the integrated circuit chip. Public Key Infrastructure (PKI)-based cryptography (digital signatures by the issuer) will be used to protect the integrity of the information stored on the card.

No other personal information, such as a Social Security number, address, or telephone number, is required by FIPS 201 to be stored on the card. The biometric information that FIPS 201 requires on the card is released, and the private key is used, only after the cardholder provides the correct PIN. Only the CHUID is available through the contactless (wireless) interface. Because the CHUID can be read without the PIN, a reader should treat it, even when its issuer signature verifies, as an identifier for looking up and checking the cardholder, not by itself as proof that the legitimate cardholder is present.
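The release rules in the two paragraphs above (CHUID readable on either interface without a PIN; fingerprint templates and private-key use only over the contact interface after a correct PIN; a PIN that can be verified but never read back; issuer-signed CHUID data), as a runnable model. This is an added example, not code from the original page, from NIST, or from any vendor. Its assumptions are not in the text: an HMAC tag stands in for the issuer's asymmetric signature on the CHUID (a real reader verifies an asymmetric signature with the issuer's certificate), a PBKDF2 digest stands in for however a real card protects the PIN reference, the retry limit of 3 is illustrative, and every identifier, key, and template is constructed.

```python
import hashlib
import hmac
import os

# Constructed issuer key (assumption). Stands in for the issuer's signing
# key; a real PIV CHUID carries an asymmetric signature checked with the
# issuer's public certificate, not a shared-key MAC.
ISSUER_KEY = b"constructed-issuer-signing-key"
CONTACT, CONTACTLESS = "contact", "contactless"


class PivError(Exception):
    """Raised when the card refuses an operation."""


class PivCard:
    """Models which PIV objects the card releases, and under what conditions."""

    PIN_RETRY_LIMIT = 3  # assumption: illustrative retry limit

    def __init__(self, chuid, chuid_signature, fingerprint_templates, pin):
        self.chuid = chuid
        self.chuid_signature = chuid_signature
        self._fingerprints = tuple(fingerprint_templates)
        # The PIN reference is stored only as a salted PBKDF2 digest and there
        # is deliberately no accessor for it: it can be verified, never read.
        self._pin_salt = os.urandom(16)
        self._pin_digest = self._digest(pin, self._pin_salt)
        self._card_key = os.urandom(32)  # stands in for the card's private key
        self.retries_left = self.PIN_RETRY_LIMIT
        self._pin_verified = False

    @staticmethod
    def _digest(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def read_chuid(self, interface):
        """CHUID and its signature: readable on either interface, no PIN needed."""
        if interface not in (CONTACT, CONTACTLESS):
            raise PivError("unknown interface")
        return self.chuid, self.chuid_signature

    def verify_pin(self, pin):
        """Cardholder-to-card authentication; a failure consumes one retry."""
        if self.retries_left == 0:
            raise PivError("PIN blocked")
        if hmac.compare_digest(self._digest(pin, self._pin_salt), self._pin_digest):
            self.retries_left = self.PIN_RETRY_LIMIT
            self._pin_verified = True
            return True
        self.retries_left -= 1
        self._pin_verified = False
        return False

    def read_fingerprints(self, interface):
        """Biometric templates: contact interface only, after a correct PIN."""
        self._require_contact_and_pin(interface)
        return self._fingerprints

    def sign_challenge(self, interface, challenge):
        """Private-key operation: same release conditions as the biometrics."""
        self._require_contact_and_pin(interface)
        return hmac.new(self._card_key, challenge, hashlib.sha256).digest()

    def _require_contact_and_pin(self, interface):
        if interface != CONTACT:
            raise PivError("only the CHUID is available over the contactless interface")
        if not self._pin_verified:
            raise PivError("PIN not verified")


def issue_card(chuid, fingerprint_templates, pin, issuer_key=ISSUER_KEY):
    """Issuer side: sign the CHUID so a reader can detect alteration."""
    signature = hmac.new(issuer_key, chuid, hashlib.sha256).digest()
    return PivCard(chuid, signature, fingerprint_templates, pin)


def reader_verify_chuid(chuid, signature, issuer_key=ISSUER_KEY):
    """Reader side: integrity check only. A valid signature shows the CHUID
    is genuine issuer data, not that the cardholder is present, since anyone
    in range can read the same bytes over the contactless interface."""
    expected = hmac.new(issuer_key, chuid, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Walk through the release rules on a constructed card."""
    card = issue_card(b"CHUID:agency=0001:id=12345",
                      [b"tpl-left-index", b"tpl-right-index"], "123456")
    chuid, sig = card.read_chuid(CONTACTLESS)          # no PIN required
    genuine = reader_verify_chuid(chuid, sig)           # True
    tampered = reader_verify_chuid(chuid + b"x", sig)   # False
    try:
        card.read_fingerprints(CONTACTLESS)
        refused_contactless = False
    except PivError:
        refused_contactless = True                      # True
    wrong = card.verify_pin("000000")                   # False, one retry used
    right = card.verify_pin("123456")                   # True, retries reset
    templates = card.read_fingerprints(CONTACT)         # now released
    return genuine, tampered, refused_contactless, wrong, right, len(templates), card.retries_left


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: the only object a contactless reader can obtain is the signed CHUID, so a physical access system that grants entry on a CHUID read alone is trusting data that any nearby reader could have copied; the PIN-gated objects are what tie the card to its holder.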

Fingerprints were chosen as the biometric information to be stored on the cards because they are the least invasive and most cost-effective, reliable, repeatable, and accurate means of verification available using publicly available technology. Two fingerprints will be stored on each card. An electronic facial image is not required, but may be included. A printed photograph of the cardholder is required on the card for visual inspection and verification, and the cardholder’s name and the card’s expiration date will also be printed on it. Agencies may include other optional information, such as their agency seals and the issue date of the card.

PIV II Requirements

The second part (PIV II) of FIPS 201 specifies the components and processes that support a smart-card-based platform, including the PIV card, card readers, and biometric readers. The specifications for PIV components support interoperability between components within a system and among the systems of different departments and agencies. An operational system contains three subsystems:

  • PIV Front-End Subsystem – PIV card, card and biometric readers, and personal identification number (PIN) input device.
  • PIV Card Issuance and Management Subsystem – components responsible for identity proofing and registration, card and key issuance and management, and repositories and services such as the public key infrastructure (PKI directory).
  • Access Control Subsystem – physical and logical access control systems, the protected resources, and the authorization data.

PIV II also describes a means to collect, store, and maintain information and documentation needed to authenticate and assure an individual’s identity.

Schedule for Implementation of FIPS 201

By June 27, 2005, agencies must establish a program to ensure that the identification forms issued by their organizations meet the PIV standard. By August 27, 2005, they are required to identify any additional applications, beyond the scope of the standard, to which the standard should be applied, and report them to the Assistant to the President for Homeland Security and to OMB.

By October 27, 2005, agencies must have procedures in place for verifying employees’ identities and for issuing smart cards that meet the requirements of PIV I. To operate and maintain PIV systems, agencies will have to obtain the services of an accredited PIV card issuer, and adopt procedures for PIV card applicants to provide acceptable identity source documents. Agencies also will need to acquire services for capturing biometric information, as well as PIV card readers and PKI services.

With the October 27th implementation of PIV I by all federal agencies, there will be a basis for trust among agencies and for the mutual recognition of their employee and contractor credentials. PIV II, which will take longer to implement because of the many electronic credential systems now in place, focuses on the common technical interoperability requirements of HSPD 12. When this part is implemented, a card from one agency will be electronically recognized by any other agency so that a decision about granting access to the cardholder can be made.

Source: (Information Technology Laboratory, National Institute of Standards and Technology) 2007