Announcing Draft of Federal Information Processing Standard (FIPS) 201, Personal Identification Verification for Federal Employees and Contractors

Federal Register, Nov 23, 2004
69 Fed. Reg. 68128 (Nov. 23, 2004)

AGENCY:

National Institute of Standards and Technology (NIST), Commerce.

ACTION:

Notice.

SUMMARY:

This notice announces Draft Federal Information Processing Standard (FIPS) 201, Personal Identification Verification for Federal Employees and Contractors, for public review and comment. The draft of FIPS 201 is being proposed in response to tasking to the Secretary of Commerce by the President to promulgate, in accordance with applicable law, a Federal standard for secure and reliable forms of identification for Federal employees. The standard specifies the minimum necessary technical and operational requirements for such Federal identification credentials. Prior to the submission of this proposed standard to the Secretary of Commerce for review and approval, it is essential that consideration be given to the needs and views of the public, users, the information technology industry, and Federal, State and local government organizations. The purpose of this notice is to solicit such views.

DATES:

Comments must be received on or before December 23, 2004.

ADDRESSES:

Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Comments on Draft FIPS 201, 100 Bureau Drive—Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: DRAFTFIPS201@nist.gov. The draft of the standard is available via http://csrc.nist.gov/piv-project/index.html. Comments received in response to this notice will be published electronically at http://csrc.nist.gov.

FOR FURTHER INFORMATION CONTACT:

William Barker, Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301) 975-8443, e-mail: william.barker@nist.gov.

SUPPLEMENTARY INFORMATION:

On August 27, 2004, the President signed Homeland Security Presidential Directive (HSPD) Number 12 that directed the Secretary of Commerce to promulgate a Federal Standard by February 27, 2005, that assures secure and reliable forms of identification of Federal and Federal contractor employees. In response, the NIST Computer Security Division has initiated development of this standard. The principal requirements of HSPD Number 12 are to create a secure and reliable automated system that may be used Government-wide to: (1) Establish the authentic true identity of an individual; (2) issue an identity credential token to each authenticated individual containing an “electronic representation” of the identity and the person to whom it is issued which can later be verified using appropriate technical means when access to a secure Federal facility or information system is requested; (3) provide graduated criteria that provide appropriate levels of assurance and security to the application; (4) be strongly resistant to identity fraud, counterfeiting, and exploitation by individuals, terrorist organizations, or conspiracy groups; (5) initiate development and use of interoperable automated systems meeting these requirements.

To meet these requirements, the draft FIPS proposes (1) a credential issuance process that relies upon identity documentation supplemented by record checking; (2) specifications for storage of biometric information on the identity credential; (3) use of existing graduated criteria for employee position sensitivity and physical/logical access levels; (4) security controls to counter fraud and exploitation; and (5) information to facilitate agency establishment of real-time credential validity checking and integration of the new credential into physical and logical access systems.

Under the requirements of HSPD Number 12, the standard must be promulgated by February 27, 2005. NIST anticipates that the initial standard will be augmented over the course of two to three years as additional supporting technical guidelines, recommendations, reference implementations, and conformance tests are developed.

Authority: NIST's activities to develop computer security standards to protect Federal non-national security systems are undertaken pursuant to specific responsibilities assigned to NIST in the Federal Information Security Management Act of 2002. In addition, development of FIPS 201 is being undertaken in response to Homeland Security Presidential Directive Number 12.

Dated: November 18, 2004.

Richard F. Kayser,

Acting Deputy Director.

[FR Doc. 04-25953 Filed 11-22-04; 8:45 am]

BILLING CODE 3510-CN-P