IMPLEMENTATION
1. What documents/programs are currently available to help agencies implement FIPS 201?
- NIST Special Publication 800-47: Security Guide for Interconnecting Information Technology Systems
- NIST Special Publication 800-73 specifies PIV card interface characteristics
- NIST Special Publication 800-76 specifies PIV card biometric characteristics
- NIST Special Publication 800-78 specifies cryptographic algorithm requirements and characteristics
- NIST Special Publication 800-79 provides guidance for PIV issuer accreditation
- OMB M-05-24 provides implementation guidance on HSPD-12, together with policy guidance and deadlines supplementary to HSPD-12
- GSA memorandum of August 10, 2005 specifies the procedures for ordering goods and services in compliance with the Presidential Directive
- NIST Special Publication 800-85 provides conformance tests for validating PIV components as complying with SP 800-73
- NIST Special Publication 800-87 contains codes for the identification of Federal and federally-assisted organizations, needed in PIV identifiers
- NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
- NIST IR 7329: Information Security Guide for Government Executives
- OMB M-06-18 provides updated acquisition guidance to Federal agencies
- Federal Identity Management Handbook
- Smart Card Handbook
2. Is there a list of "approved" identity proofing and registration processes?
There is not a list of "approved" identity proofing and registration processes, per se. "Approved" means that the process has met the control objectives, and the head of the agency has approved in writing that the process does meet the objectives. SP 800-79 provides further guidance on the certification and accreditation of PIV card issuing organizations. (See FIPS 201, Section 2.)
3. Is Personal Identity Verification different from access authorization, such that having a PIV card or achieving identity verification does not automatically entitle the cardholder to physical or logical access?
Yes. Access control remains the purview of the local facility or IT system security policy.
4. Will agencies maintain records of access to facilities by individuals?
This is outside the scope of the standard. It can be anticipated that agencies
will continue to maintain records, in accordance with the Privacy Act, of access
to and unsuccessful attempts to access their facilities and systems as required
for their security and audit needs.
5. Does compliance with FIPS 201 mean that every door in every federal building and every federal computer terminal must have a PIV card reader?
No. Generally, agencies will implement FIPS 201 access controls on facility access points (i.e., entry doors) first. Further deployment within the facility is at the discretion of the agency facility security manager. Logical access controls that authenticate federal employees and contractors based on PIV credentials are recommended for IT systems operating at E-Authentication Level 3 or higher. As agencies develop their plans in accordance with HSPD-12, they should focus on the highest-risk facilities and systems for initial deployment of readers. Over time, this could expand to lower-risk systems and facilities. (Ref: OMB M-04-04; DOJ Vulnerability Assessment of Federal Facilities Report, June 1995; ISC Security Design Criteria for New Construction and Major Modernizations, December 2004; and Security Standards in Leased Space, January 2005.)
6. Is a 2.5mm border where printing is not permitted required for the topology of the card?
Yes. Compliance with the dimensions specified in FIPS 201 is required.
7. Do the PIV Sponsor, Registrar, PIV Card Approval, and PIV Issuer roles have to be held by different people, or can one person have multiple roles?
A two-way separation of roles is the absolute minimum that could possibly meet the FIPS 201 test. In practice, however, it would be challenging to define two roles such that each provides a reliable cross-check on all critical actions of the other. Special Publication 800-79 recommends that "the roles of Applicant, Sponsor, Registrar, and PCI [PIV Card Issuer] must be played by different people when issuing a PIV Card." Such a three-way separation of roles can generally be sufficient to ensure that the test of FIPS 201 is met, namely, "a single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential." However, the requirement for a particular separation of roles depends on the implementation of the PIV issuance system.
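The separation-of-roles rule above is something an issuance system or an auditor can check mechanically. The following is an added example, not code from this FAQ or from any NIST or agency system: it audits a batch of issuance records and reports any record where one person held two of the Applicant, Sponsor, Registrar, or Issuer roles, or where a role was not recorded at all. The record layout, the field names, and the sample records with their user identifiers are all constructed for illustration.

```python
"""Added example (not from the FAQ): audit PIV issuance records for the
separation of roles that SP 800-79 describes. The record layout, field
names and sample data below are constructed for illustration."""
from itertools import combinations

# The roles SP 800-79 says must be played by different people.
SEPARATED_ROLES = ("applicant", "sponsor", "registrar", "issuer")


def role_conflicts(record):
    """Return the (role_a, role_b) pairs held by the same person.
    An empty list means the record meets the separation requirement."""
    conflicts = []
    for role_a, role_b in combinations(SEPARATED_ROLES, 2):
        person_a = record.get(role_a)
        person_b = record.get(role_b)
        if person_a is None or person_b is None:
            continue  # a missing role is reported by missing_roles()
        if person_a == person_b:
            conflicts.append((role_a, role_b))
    return conflicts


def missing_roles(record):
    """Return the roles with no person recorded for them."""
    return [r for r in SEPARATED_ROLES if not record.get(r)]


def audit_issuance(records):
    """Return {card_id: [problem, ...]} for every record that fails the check;
    records that pass are not included."""
    findings = {}
    for rec in records:
        problems = []
        for role in missing_roles(rec):
            problems.append(f"no {role} recorded")
        for role_a, role_b in role_conflicts(rec):
            problems.append(f"{rec[role_a]} acted as both {role_a} and {role_b}")
        if problems:
            findings[rec["card_id"]] = problems
    return findings


# Constructed sample issuance records with hypothetical identifiers.
SAMPLE_RECORDS = [
    {"card_id": "PIV-0001", "applicant": "jdoe", "sponsor": "asmith",
     "registrar": "bjones", "issuer": "clee"},          # compliant
    {"card_id": "PIV-0002", "applicant": "rroe", "sponsor": "asmith",
     "registrar": "asmith", "issuer": "clee"},          # sponsor also registrar
    {"card_id": "PIV-0003", "applicant": "mmoe", "sponsor": "mmoe",
     "registrar": "bjones"},                            # self-sponsored, no issuer
]

if __name__ == "__main__":
    for card, problems in audit_issuance(SAMPLE_RECORDS).items():
        print(card, "->", "; ".join(problems))
```

Run against the constructed records, the audit passes PIV-0001 and flags the other two. Treating a missing role as a finding rather than silently skipping it matters: a record with only two roles filled in is exactly the two-way separation the answer calls the absolute minimum, and it should be visible to the reviewer rather than pass by default.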
8. What format is required for the enrollment record (which encapsulates biometric records, document scans, demographic information, etc.)?
The standards permit individual departments and agencies to select the format most appropriate to their operations.
9. Does Registrar record signing only apply to pen-and-paper records, or does it also apply to electronic enrollment records?
The requirement applies to both paper and electronic storage. The method is left to individual departments and agencies. If cryptographic signature processes are employed, they must conform to the requirements of NIST standards and guidelines.
10. During reissuance, if an attribute has changed, who is responsible for verifying the change and recording the change and the reason for it?
This function is best performed by the Registrar, since this is the individual rechecking the records during card reissuance. However, this is left to agency discretion; an agency may choose to use an alternative process.
11. Is support for PIV card logical access mandatory on enrollment systems and/or issuance systems? If so, is PIV card verification required for all operator logins?
Credential-based identification support is specified in FIPS 201. Use of the identity credentials for specific access control applications is not. However, using a PIV card to verify the Registrar, Sponsor, Approval, or Issuer roles for card issuance activities, as an ongoing practice, would be an effective mechanism for maintaining the security of the process.
12. Do PIV enrollment systems need to communicate directly with PIV Digital Signatories, PIV issuance systems, or any other satellite systems, or is it expected that all of this will be conducted via the IDMS?
This will vary based on individual agency implementations.
13. Will PIV enrollment systems be expected to send Electronic Fingerprint Transmission Specification (EFTS) records directly to the FBI Integrated Automated Fingerprint Identification System (IAFIS), or is that a function that will be handled by the IDMS?
This will vary based on individual agency implementations.
14. For the facial image, is there a specific color backdrop that should be used?
There is no backdrop color requirement; however, per the recommendation of the International Committee for Information Technology Standards (INCITS) 385, the background should be uniform.
15. Can identity proofing be conducted by federal employees and also by "trusted agents," where trusted agents might include contractors?
FIPS 201 does not prohibit contractors from being employed to conduct identity proofing activities under the supervision of government employees, in accordance with departmental or agency security and contracts management policies.
16. How can agencies receive an advance report of the fingerprint check results?
Agencies that receive their investigations from OPM may obtain advance reports of fingerprint check results by putting the code "R" in the Codes block of the Agency Use section of any of the standard investigative forms (SF-86, SF-85P, or SF-85).
17. How will implementation of HSPD-12 and FIPS 201 affect OPM's current case service timeliness? Is OPM prepared for this workload?
The majority of investigations that will be required by HSPD-12, and that otherwise would not have been required, will be on uncleared contractors. Currently, many of these persons are already being investigated by agencies with the resources to do so. Further, no one is certain of the exact number of these persons, although agencies have provided estimates to OMB, which have been shared with OPM and the FBI. Therefore, the aggregate number of new investigations attributable to HSPD-12 cannot be known, but it will be something less than the number of uncleared government contractors. OPM is ready to accept the additional investigations this policy will create. Since the NACI (National Agency Checks and Inquiries investigation), the minimum investigation required by FIPS 201, is not a field-investigative case type, no significant impact on the timeliness of service is anticipated.
18. As of October 2006, what capabilities is an agency required to have in place? Do agencies have to use the card's capabilities (e.g., at the highest-security location in the agency)? Is the use of the card optional?
In October 2006 agencies began issuing FIPS 201-compliant identity badges. OMB's HSPD-12 implementation guidance does not require agencies to complete implementation of all card capabilities on October 27, 2006. Agencies are not expected to have their entire infrastructure installed to enable use of the card at all facilities and systems. Agencies are expected to make use of the cards using a risk-based approach and to phase in use of the card capabilities. Agencies will see a greater return on investment by using the cards to secure their facilities and systems.
19. Does the FIPS 201 standard include a physical access control system?
No. FIPS 201 does not specify the physical access control system (PACS). In order to effectively implement HSPD-12, each agency will need to implement a PACS for internal use. The Smart Card Interagency Advisory Board has published Technical Implementation Guidance: Smart Card Enabled Physical Access Control System (TIG SCEPACS) 2.2 as a guide to assist agencies in this implementation; it is referenced by FIPS 201.
20. Is there a plan for agency IDMS and CMS systems to be linked?
Linkage of any backend identity infrastructure is not envisioned at this time due to proprietary data formats as well as security and privacy concerns. However, because PIV cards are standardized, a PIV card issued to an employee at one agency may be used at a different agency if the agency grants access.
21. How much will it cost agencies to implement FIPS 201?
The cost will vary by agency depending upon how well its current identification
credential program already meets the requirements of the new standard and the
level of difficulty or complexity to migrate to the new standard. Some costs (e.g.,
understanding requirements, initiating projects) are fixed; some (e.g., PIV card
readers, PIV card issuer facilities) are proportional to the number of facilities
and systems involved; some (e.g., PIV cards, PIV card issuance) are proportional
to the number of employees involved. The HSPD-12 ESC-sponsored Managed Service
Offering will assist agencies in cutting costs by pooling resources and sharing
infrastructure.