Federal Government
ID Smart Cards
Copyright 2017, Faulkner Information Services. All Rights Reserved.
Docid: 00011424
Publication Date: 1705
Report Type: TUTORIAL
Preview
The US federal government has standardized on smart cards for personal identity verification. Several types of smart cards are currently used for federal identity management, notably the Personal Identity Verification (PIV) card for civilian government employees and contractors, and the Common Access Card (CAC) for military and defense personnel. This report provides information on these and other forms of federal ID smart cards.
Executive Summary
A "smart card," according to the Secure Technology
Alliance (formerly Smart Card Alliance), is a contact or contactless
device with an embedded microcontroller or memory chip that connects to a reader.1 Smart cards are commonly employed to validate identities and conduct secure financial transactions.
On August 27, 2004, then-President George W. Bush issued Homeland Security Presidential Directive 12 (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors." An outgrowth of 9/11, HSPD-12 was intended to address the "wide variations in the quality and security of identification used to gain access to secure facilities where there is potential for terrorist attacks."
At the time, the Department of Commerce and National Institute of
Standards and Technology (NIST) were tasked with producing a standard
for “secure and reliable forms of identification.”
In response, NIST published Federal Information Processing Standard
201 (FIPS 201), Personal Identity Verification (PIV) of Federal
Employees and Contractors, issued on February 25, 2005.
Today, federal agencies and enterprises alike have FIPS 201-compliant ID programs and issue PIV cards (non-federal issuers use the PIV-Interoperable, or PIV-I, profile, since PIV cards proper are issued only by federal agencies). The FIPS 201 PIV card is a smart card with both contact and contactless interfaces that is now issued to all federal employees and contractors. Within the next five years, the General Services Administration (GSA) estimates that 12 million PIV cards will be in use in the federal government alone.2
Description
Smart card technology is recognized as appropriate for identity applications that must meet critical security requirements. Smart cards are used worldwide to secure identity, payment, and healthcare applications, and by corporations whose employee ID cards control access to physical facilities, computer systems, and networks. The US federal government, in particular, has standardized on smart cards for employee and contractor identification cards, and is also specifying smart cards in new identity programs for citizens, transportation workers, and first responders. Also per the Secure Technology Alliance, the key tenets of a smart card are its support for:
- Authentication.
- Secure Data Storage.
- Encryption.
- "Strong" Device Security.
- Secure Communications.
- Biometrics.
- Personal Device.
- Certifications.
Smart Card Standards
Traditionally, smart card standards govern the physical properties, communication characteristics, and application identifiers of the embedded chip and its data. Nearly all of them refer to ISO/IEC 7816-1, -2, and -3 as a base reference. Table 1 surveys the current smart card standards.
Table 1. Smart Card Standards

Standard Type | Description
---|---
International Organization for Standardization (ISO/IEC) | ISO/IEC 7816 covers cards that use electrical contacts (physical characteristics, contact layout, electrical interface, and transmission protocols); ISO/IEC 14443 covers proximity cards that communicate with readers and terminals without contacts, using radio frequency (RF/contactless) technology. The PIV card implements both.
International Civil Aviation Organization (ICAO) | Standards and specifications (ICAO Doc 9303) for machine-readable travel documents such as passports, visas, and other documents.
Federal Information Processing Standards (FIPS) | Designed to protect federal assets, including computer and telecommunications systems; FIPS 201 is the PIV standard.
Europay, Mastercard, and Visa (EMV) | IC card specification for payment systems that creates a common technical basis for card and system implementation of a stored value system.
PC/SC | Specification for interoperability between host computer applications and smart card readers; applies to CPU contact cards.
Comité Européen de Normalisation (CEN) and European Telecommunications Standards Institute (ETSI) | Focus on telecommunications, as with the GSM and SIM standards for cellular telephones.
Health Insurance Portability and Accountability Act (HIPAA) | Adopts national standards for implementing a secure electronic health transaction system in the US.
IC Communications Standards | Specifically apply to the I2C and SPI EEPROM interfaces.
Global System for Mobile Communication (GSM) | Uses smart cards called Subscriber Identification Modules (SIMs) that are configured with the information needed to authenticate a GSM-compliant device. Managed by ETSI; the two most common card specifications are GSM 11.11 and 11.14.
GlobalPlatform (GP) | Specifications for an open and interoperable infrastructure for managing applications on smart cards, devices, and systems; widely adopted by banks and issuers for loading applications and cryptographic data onto Java Card-based cards.
Common Criteria (CC) | Security evaluation framework for evaluating the security capabilities of secure ICs, smart card operating systems, and application software.
Biometric Standards | Combine biometrics with smart cards to improve the security and privacy of an ID system.
Federal Identity Management Landscape
Today’s federal identity management landscape includes the use of a number of smart card technologies:
- HSPD-12, FIPS 201, and the PIV Card.
- Department of Defense Common Access Card.
- Department of Homeland Security Transportation Worker Identification Credential.
- DHS First Responder Authentication Credential (FRAC).
- U.S. ePassport.
Personal Identity Verification (PIV)
The PIV card system includes components and processes that support a common (smart card-based) platform for identity authentication across federal departments and agencies, providing access to multiple types of physical and logical access environments. An operational PIV system can be logically divided into three major subsystems:
- PIV Front-End Subsystem – PIV Card, card and biometric readers, and PIN input device. The PIV cardholder interacts with these components to gain physical or logical access to the desired federal resource.
- PIV Card Issuance and Management Subsystem – Components responsible for identity proofing and registration, card and key issuance and management, and the various repositories and services (e.g., public key infrastructure (PKI) directory, certificate status servers) required as part of the verification infrastructure.
- PIV Relying Subsystem – Physical and logical access control systems, protected resources, and authorization data.
The PIV relying subsystem becomes relevant when the PIV Card is used to authenticate a cardholder who is seeking access to a physical or logical resource.3 Figure 1 illustrates a notional model for the operational PIV system, identifying the various system components and the direction of data flow between them.
Figure 1. Notional Model for the PIV System
Source: US National Institute of Standards and Technology
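The front-end exchange described above, as an added example in Go that is not part of the report or of NIST's specifications: the reader-side code builds the SELECT and VERIFY APDUs a PIV front end sends to the card and parses the status words the card returns, including the 63 CX retry counter and the 69 83 "blocked" condition. The PIV Card Application AID, the APDU layout and the status-word conventions follow NIST SP 800-73 and ISO/IEC 7816-4; the card side (SimCard) is a constructed in-memory simulator with an assumed retry limit of 3, so the example runs offline without a reader.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

var pivAID = []byte{0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00} // PIV Card Application AID (SP 800-73, full form assumed)

const pinKeyRef, pinBlockLen = 0x80, 8 // PIV Card Application PIN key reference; VERIFY data field is always 8 bytes, 0xFF padded

// SelectPIVAPDU builds SELECT (INS A4, P1 04 = select by DF name).
func SelectPIVAPDU() []byte {
	return append([]byte{0x00, 0xA4, 0x04, 0x00, byte(len(pivAID))}, pivAID...)
}

// VerifyAPDU encodes a 6-8 digit ASCII PIN into VERIFY (INS 20, P2 = key reference).
func VerifyAPDU(pin string) ([]byte, error) {
	if len(pin) < 6 || len(pin) > pinBlockLen {
		return nil, fmt.Errorf("PIN must be 6 to 8 digits, got %d", len(pin))
	}
	block := []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
	for i := 0; i < len(pin); i++ {
		if pin[i] < '0' || pin[i] > '9' {
			return nil, fmt.Errorf("PIN must contain only decimal digits")
		}
		block[i] = pin[i]
	}
	return append([]byte{0x00, 0x20, 0x00, pinKeyRef, pinBlockLen}, block...), nil
}

// VerifyResult is the front end's reading of the status word; Retries is -1 when the card reported no count.
type VerifyResult struct {
	OK, Blocked bool
	Retries     int
}

// ParseStatus decodes SW1 SW2 using ISO/IEC 7816-4 / SP 800-73 conventions.
func ParseStatus(sw1, sw2 byte) VerifyResult {
	switch {
	case sw1 == 0x90 && sw2 == 0x00:
		return VerifyResult{OK: true, Retries: -1}
	case sw1 == 0x63 && sw2&0xF0 == 0xC0: // 63 CX: X attempts remain
		return VerifyResult{Retries: int(sw2 & 0x0F), Blocked: sw2&0x0F == 0}
	case sw1 == 0x69 && sw2 == 0x83: // authentication method blocked
		return VerifyResult{Blocked: true}
	}
	return VerifyResult{Retries: -1}
}

// SimCard is a constructed stand-in for the card: only SELECT and VERIFY are modelled, and the retry limit (personalised on real cards) is a parameter.
type SimCard struct {
	pinBlock       []byte
	retries, limit int
}

func NewSimCard(pin string, limit int) *SimCard {
	apdu, _ := VerifyAPDU(pin) // constructed fixture: the PIN is assumed well-formed
	return &SimCard{pinBlock: apdu[5:], retries: limit, limit: limit}
}

// Transmit answers one command APDU with its status word.
func (c *SimCard) Transmit(apdu []byte) (sw1, sw2 byte) {
	ins, p2, data := apdu[1], apdu[3], apdu[5:]
	switch {
	case ins == 0xA4 && subtle.ConstantTimeCompare(data, pivAID) == 1:
		return 0x90, 0x00
	case ins == 0x20 && p2 == pinKeyRef:
		if c.retries == 0 {
			return 0x69, 0x83 // blocked until RESET RETRY COUNTER with the PUK
		}
		if subtle.ConstantTimeCompare(data, c.pinBlock) == 1 {
			c.retries = c.limit // a successful VERIFY resets the counter
			return 0x90, 0x00
		}
		c.retries--
		return 0x63, 0xC0 | byte(c.retries)
	}
	return 0x6D, 0x00 // instruction not supported
}

// Authenticate is the front-end side: SELECT the application, then VERIFY the PIN.
func Authenticate(card *SimCard, pin string) (VerifyResult, error) {
	if sw1, sw2 := card.Transmit(SelectPIVAPDU()); sw1 != 0x90 || sw2 != 0x00 {
		return VerifyResult{Retries: -1}, fmt.Errorf("SELECT failed: %02X%02X", sw1, sw2)
	}
	apdu, err := VerifyAPDU(pin)
	if err != nil {
		return VerifyResult{Retries: -1}, err
	}
	return ParseStatus(card.Transmit(apdu)), nil
}

func main() {
	card := NewSimCard("123456", 3)
	r, err := Authenticate(card, "654321") // one wrong attempt: expect retries=2
	fmt.Printf("%+v %v\n", r, err)
}
```

Every wrong attempt consumes one retry, so the front end should show the cardholder the remaining count rather than silently retrying; once the counter reaches zero the PIN can be unblocked only with the PUK (RESET RETRY COUNTER), which the simulator deliberately does not model.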
Common Access Card (CAC)
The CAC is the standard identification for active-duty military
personnel, selected reserve, DoD civilian employees, and eligible
contractor personnel. It is also the principal card used to enable
physical access to buildings and controlled spaces, and provides access
to defense computer networks and systems. Figure 2 shows an example of
the CAC.
Figure 2. DoD Common Access Card
Source: US Department of Defense
Other Credentials
Other federal access credentials include:
- Department of Homeland Security Transportation Worker Identification Credential (TWIC) – The TWIC was established by Congress through the Maritime Transportation Security Act (MTSA) and is administered by the Transportation Security Administration (TSA) and the US Coast Guard. TWICs are tamper-resistant biometric credentials issued to workers who require unescorted access to secure areas of ports, vessels, and outer continental shelf facilities, and to all credentialed merchant mariners. Longshoremen, truckers, port employees, and others are required to obtain a TWIC.
- DHS First Responder Authentication Credential (FRAC) – The FRAC allows first responders to quickly and easily access government buildings and reservations in the event of a terrorist attack or other disaster.
- ePassport – The ePassport is a US passport that contains an embedded contactless smart card chip. The chip stores the biographic data printed on the passport; once unlocked, the data can be displayed on a screen at passport control. The technology enhances the security of the passport and facilitates the movement of travelers at ports of entry. It is issued by the US State Department's Bureau of Consular Affairs, in conjunction with the US Government Printing Office and the Department of Homeland Security.
Current View
Federal departments and agencies have essentially reached full compliance with their obligation to deploy PIV cards. The Department of Homeland Security reached that point in 2013; Table 2 traces its rollout in detail.
Table 2. DHS PIV Credential Rollout, December 2010 to June 2013

Date | Employees still requiring PIV credentials | PIV credentials issued to employees | Contractors still requiring PIV credentials | PIV credentials issued to contractors | Other individuals (e.g., guest researchers) still requiring PIV credentials | PIV credentials issued to other individuals
---|---|---|---|---|---|---
June 2013 | 0 | 303,768 | 0 | 88,311 | 0 | 4,087
March 2013 | 0 | 271,266 | 0 | 79,360 | 0 | 3,204
December 2012 | 0 | 252,800 | 0 | 73,951 | 0 | 3,079
September 2012 | 0 | 243,156 | 0 | 69,613 | 0 | 2,811
June 2012 | 0 | 233,145 | 0 | 65,581 | 0 | 2,514
March 2012 | 0 | 224,147 | 0 | 62,066 | 0 | 2,298
December 2011 | 0 | 206,187 | 0 | 51,011 | 0 | 2,079
September 2011 | 0 | 207,855 | 36,662 | 54,938 | 842 | 88
June 2011 | 0 | 190,450 | 41,612 | 49,988 | 842 | 88
March 2011 | 3,744 | 159,702 | 46,879 | 44,721 | 842 | 88
December 2010 | 52,907 | 110,539 | 55,311 | 36,289 | 842 | 88

Source: US Department of Homeland Security
Notes:
- Employee, contractor, and other-individual counts exclude the US Coast Guard (USCG), which primarily uses the DoD CAC.
- Contractor and other-individual counts are estimates of the total population.
- The total number of PIV credentials issued has been adjusted to show the number of cards issued to eligible personnel.
Outlook
Personal Identity Verification is increasingly viewed as a vital tool in strengthening cybersecurity.
In a March 2012 blog post,4 Howard A. Schmidt, the White House Cybersecurity Coordinator (and Special Assistant to the President), announced that his office, in coordination with federal security experts from the Department of Homeland Security (DHS), the Department of Defense (DoD), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB), had identified three priority areas for improvement within federal cybersecurity:
- Trusted Internet Connections (TIC) – Consolidate external telecommunication connections and ensure a set of baseline security capabilities for situational awareness and enhanced monitoring.
- Continuous Monitoring of Federal Information Systems – Transform the otherwise static security control assessment and authorization process into a dynamic risk mitigation program that provides essential, near real-time security status and remediation, increasing visibility into system operations and helping security personnel make risk-management decisions based on increased situational awareness.
- Strong Authentication – Passwords alone provide little security; in the federal context this priority is met by requiring the PIV card for network log-on.
Schmidt concluded that the goal is that "federal departments and agencies will achieve 95 percent utilization of critical … cybersecurity capabilities on federal information systems, including Trusted Internet Connections (TIC), Continuous Monitoring, and Strong Authentication."
Derived PIV Credentials for Mobile Devices
The National Institute of Standards and Technology (NIST)'s "Guidelines for Derived Personal Identity Verification (PIV) Credentials" (SP 800-157) observe that PIV-based logical access has been geared toward traditional computing devices (desktop and laptop computers), where the PIV Card provides common authentication mechanisms through integrated readers across the federal government. With the emergence of a newer generation of computing devices, and mobile devices in particular, using the PIV Card has proved challenging, since most phones and tablets have no built-in card reader.
NIST therefore offers an alternative to the PIV Card where conventional card use would be impractical. Instead of the PIV Card, the guidelines specify an alternative token that can be implemented and deployed directly on mobile devices (such as smartphones and tablets). The PIV credential associated with this alternative token is called a Derived PIV Credential.6 It is issued only after the applicant authenticates with the PIV Card itself, so the derived credential inherits the identity proofing already performed for the card rather than repeating it.
Recommendations
Just as public sector officials have embraced the smart card as a Personal Identity Verification tool, private sector officials (enterprise owners and operators) should adopt smart card technology. Specifically, they should use smart cards as one factor in a multi-factor, ideally three-factor, authentication scheme in which enterprise data users are identified by:
- What they know (a PIN or a password).
- What they possess (a smart card or other access token).
- What they are (a biometric marker such as a fingerprint or iris pattern).
The card proves possession only because its private key never leaves the chip: the relying system challenges the card and verifies the signed response against the certificate on the card, so a copied certificate alone is worthless. In engaging smart card suppliers, enterprise officials should insist on cards that adhere to at least the FIPS 201 PIV standard (for non-federal issuers, the PIV-Interoperable profile).
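The relying side of that exchange, as an added example in Go that is not part of the report or of NIST's specifications; it serves both the PIV Relying Subsystem described earlier and the "what they possess" factor recommended above. The relying party issues a fresh nonce, the card signs it with its PIV Authentication private key, and the relying party validates the certificate path, validity period and revocation status before checking the signature. The PKI (CA name, subject, serial numbers), the in-memory revocation set that stands in for a certificate status server, and the use of ECDSA P-256 with SHA-256 are all assumptions; a real deployment would read the certificate from the card, query OCSP or a CRL, and carry the challenge through GENERAL AUTHENTICATE APDUs, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CardSide stands in for the PIV Card Application: the PIV Authentication private key (which never leaves a real card) and its certificate.
type CardSide struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Sign answers a challenge as GENERAL AUTHENTICATE does on a real card: the relying party supplies a nonce, the card returns a signature (ECDSA/SHA-256 assumed).
func (c *CardSide) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
}

// RelyingParty is the logical-access side: a trust anchor, a revocation set standing in for the certificate status server, and the clock used for validity checks.
type RelyingParty struct {
	Roots   *x509.CertPool
	Revoked map[string]bool // hex serial numbers the status server reports revoked
	Now     time.Time
}

// Challenge draws a fresh 32-byte nonce per attempt so a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify checks the cardholder certificate (path to the trust anchor, validity period, revocation) and only then the signature over the nonce.
func (rp *RelyingParty) Verify(cert *x509.Certificate, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: rp.Roots, CurrentTime: rp.Now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if rp.Revoked[cert.SerialNumber.Text(16)] {
		return fmt.Errorf("certificate %s reported revoked", cert.SerialNumber)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("challenge signature invalid")
	}
	return nil
}

// issue signs tmpl with signer (self-signed when parent == tmpl). It panics on error
// because it only exists to build the constructed test PKI in Setup.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Setup builds a constructed test PKI (names and serials are made up): one issuing CA and one PIV Authentication certificate that expires cardLifetime from now.
func Setup(now time.Time, cardLifetime time.Duration) (*CardSide, *RelyingParty) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Agency Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * 365 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cardTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242),
		Subject:   pkix.Name{CommonName: "J. Doe (PIV Authentication)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(cardLifetime),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cardCert := issue(cardTmpl, caCert, &cardKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &CardSide{Key: cardKey, Cert: cardCert}, &RelyingParty{Roots: roots, Revoked: map[string]bool{}, Now: now}
}

func main() {
	card, rp := Setup(time.Now(), 3*365*24*time.Hour)
	nonce, _ := rp.Challenge()
	sig, _ := card.Sign(nonce)
	fmt.Println("fresh challenge accepted, error =", rp.Verify(card.Cert, nonce, sig))
}
```

The order of checks matters: path validation, then revocation status, then the signature. Checking the signature first would let an attacker with a revoked or expired card still learn whether the relying party accepts its key, and skipping the status check would turn the certificate status servers of the issuance subsystem into dead weight.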
References
1. "What is a smart card?" Secure Technology Alliance.
2. Ibid.
3. FIPS PUB 201-2, "Personal Identity Verification (PIV) of Federal Employees and Contractors," Revised Draft. US National Institute of Standards and Technology. July 2012: 19-20.
4. Schmidt, Howard A. "Federal Departments and Agencies Focus Cybersecurity Activity on Three Administration Priorities." The White House Blog. March 23, 2012.
6. Burr, William, Hildegard Ferraiolo, David Cooper, Salvatore Francomacaro, Andrew Regenscheid, Jason Mohler, and Sarbari Gupta. SP 800-157, "Guidelines for Derived Personal Identity Verification (PIV) Credentials." US National Institute of Standards and Technology. December 2014.
Web Links
Secure Technology Alliance:
http://www.smartcardalliance.org/
US National Institute of Standards and Technology:
http://www.nist.gov/
About the Author
Brady Hicks is an editor with Faulkner Information
Services. He writes about computer and networking hardware, software,
communications networks and equipment, and the Internet.