The Homeland Security Presidential Directive 12 (HSPD-12) required the National Institute of Standards and Technology (NIST) to issue a Federal Information Processing Standard (FIPS-201) for secure and reliable forms of identification. The FIPS-201 standard, entitled Personal Identity Verification (PIV) for Federal Employees and Contractors, specifies the architecture and technical requirements for a common identification standard, including components, interfaces, support services, and life cycle management functions. The FIPS-201 standard also supports interoperability among identification cards, electronic card readers, communications systems, and access control system interfaces.
Under the FIPS-201 standard, federal policy is to issue smartcards for both logical and physical access to federal facilities and systems, without waiver, for all federal agencies and their contractors. The Office of Management and Budget (OMB) requires an implementation plan from each agency, including the required personnel vetting processes and procedures. OMB also requires that PIV smartcards replace all new or renewed identification (ID) cards and that all physical access control systems be updated to use them.
The FIPS-201 standard specifies the requirements that must be met before a smartcard is issued and the requirements governing its use. It does not, however, specify the actual mechanical process by which these smartcards are issued or distributed. This leaves room to improve process performance over the smartcard issuance methodologies currently in use.
A failure or breakdown in correct identification can have serious consequences for an organization. Smartcards and other identification tokens are currently used for identity verification. Many smartcards, driver's licenses, credit cards and other tokens are issued centrally to support a wide range of verification uses. With current systems, however, a centrally issued smartcard system cannot economically guarantee that a smartcard is delivered to one and only one person. The hidden cost of current systems is decentralized printing (issuance at every facility) of non-repudiable smartcards. That cost includes equipment, maintenance, security, and the compromises that result when these are inadequate. PIV smartcard printing now requires one or more anti-counterfeiting measures, such as holograms. The strength of these measures is directly related to the cost of the printer: if the printer is inexpensive, and therefore widely available and affordable, the same printer is available to a counterfeiter, and the anti-counterfeiting measures may fail.
Standards-based non-repudiable smartcards may depend on a personal identification number (PIN) to release the keys on the PIV smartcard: the card performs a private-key operation only after the correct PIN has been presented. Only the person represented by the PIV smartcard is permitted to know the PIN. Current systems set the PIN during the issuance process in order to tie a "Hired Applicant" to the PIV smartcard. Typically, the person to whom the card is being issued must enter the PIN in person, in real time, during production of the smartcard. This process may compromise the security of the PIV smartcard.
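The following is an added example, not code from the original document and not a real PIV implementation. It models the PIN gate described above: the card's private-key operation is released only while the PIN security status is satisfied, the status is lost on reset, wrong attempts consume a retry counter, and the PIN can be changed by whoever holds the current PIN. The retry limit of 3, the PUK-style unblock code, and the use of HMAC-SHA256 as a stand-in for the card's signature operation are all assumptions made for the example. The `issuance_scenario` function goes beyond the text to show why the PIN-setting party matters: a PIN that the issuer knows releases the key until the holder replaces it.

```python
"""PIN-gated key release, modelled on a PIV-style card (added example, assumptions noted)."""
import hashlib
import hmac
import secrets


class CardError(Exception):
    """Raised when the card refuses a command (wrong status, blocked PIN, bad PUK)."""


class PivLikeCard:
    MAX_RETRIES = 3  # assumed retry limit; real cards set their own

    def __init__(self, pin: str, puk: str):
        # The private key is generated on-card and never leaves it; here a random secret.
        self._private_key = secrets.token_bytes(32)
        self._pin = pin
        self._puk = puk          # assumed unblock code held by the issuer
        self._retries_left = self.MAX_RETRIES
        self._verified = False   # "security status": cleared on power-up/reset

    @property
    def retries_left(self) -> int:
        return self._retries_left

    def reset(self) -> None:
        """Power cycle: the security status is lost and the PIN must be presented again."""
        self._verified = False

    def verify(self, pin: str) -> bool:
        """VERIFY: a correct PIN sets the security status and restores the retry counter."""
        if self._retries_left == 0:
            raise CardError("PIN blocked")
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._retries_left = self.MAX_RETRIES
            self._verified = True
            return True
        self._retries_left -= 1
        self._verified = False
        return False

    def sign(self, data: bytes) -> bytes:
        """Key use is released only while the PIN is verified (HMAC stands in for a signature)."""
        if not self._verified:
            raise CardError("security status not satisfied")
        return hmac.new(self._private_key, data, hashlib.sha256).digest()

    def change_pin(self, old_pin: str, new_pin: str) -> None:
        """CHANGE REFERENCE DATA: requires the current PIN; new PIN must be presented afresh."""
        if not self.verify(old_pin):
            raise CardError("wrong current PIN")
        self._pin = new_pin
        self._verified = False

    def unblock(self, puk: str, new_pin: str) -> None:
        """RESET RETRY COUNTER: the PUK sets a new PIN and clears the block."""
        if not hmac.compare_digest(puk.encode(), self._puk.encode()):
            raise CardError("wrong PUK")
        self._pin = new_pin
        self._retries_left = self.MAX_RETRIES
        self._verified = False


def issuance_scenario() -> tuple:
    """Issuer personalizes the card with a PIN it knows (constructed values).
    Returns (issuer can release key before PIN change, issuer can release key after)."""
    issuer_pin = "123456"
    card = PivLikeCard(pin=issuer_pin, puk="12345678")
    card.verify(issuer_pin)
    before = len(card.sign(b"challenge")) == 32
    card.reset()
    card.change_pin(issuer_pin, "864209")   # holder sets a PIN only they know
    card.verify(issuer_pin)                 # the issuer's PIN no longer works
    try:
        card.sign(b"challenge")
        after = True
    except CardError:
        after = False
    return before, after


if __name__ == "__main__":
    print(issuance_scenario())  # (True, False)
```

The model makes the security consequence of the issuance step concrete: as long as the PIN set at issuance remains in force, anyone who observed or chose it can satisfy the card's security status and exercise the holder's key, so the holder, not the issuing station, should be the only party to know the operative PIN.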
Public key infrastructures (PKIs) are used to sign the certificates carried on the smartcard. However, current PKIs lack an economical process for certificate renewal: the usual approach repeats the original issuance process, which is costly and time consuming.