Public Meeting Addressing Privacy and Policy Issues in a Common Identification Standard for Federal Employees and Contractors

AGENCY:

Office of Electronic Government and Technology, GSA.

ACTION:

Notice of public meeting.

SUMMARY:

The General Services Administration, in partnership with the Department of Commerce and the Office of Management and Budget will host a public meeting to seek individual views on the policy, privacy, and security issues associated with the Common Identification Standard for Federal Employees and Contractors as outlined in Homeland Security Presidential Directive 12 (HSPD-12). The public meeting is on the draft common identification standard (Federal Information Processing Standard 201) and will inform future HSPD-12 implementation guidance issued by the Office of Management and Budget.

DATES:

The public meeting is on January 19, 2005, from 8:30 a.m. to noon at the Auditorium of the Potomac Center Plaza, 550 12th Street, SW., Washington, DC 20202, near the Smithsonian and L'Enfant Plaza Metro Stations. The meeting is open to the public and there is no fee for attendance. All attendees must pre-register and present government-issued photo identification to enter the building. Students may present their student ID.

Registration: Please e-mail your plan to attend to Sara Caswell, sara@nist.gov. Sara can be reached at 301-975-4634 if you have questions regarding registration. Registration information must be received by 5 p.m. e.s.t., January 11, 2005.

Requests To Speak at the Meeting: Written requests to speak at the meeting are required before January 5, 2005, and should be sent via e-mail to eauth@omb.eop.gov or by fax to 202-395-5167. In their requests, individuals should include a statement describing their expertise in, or knowledge of, the issues on which the public meeting will focus. Potential speakers should provide their contact information, including a telephone number, facsimile number, and e-mail address, to enable notification if selected. Selected speakers will be notified on or before Friday, January 7, 2005. There will be open microphone time during the last half hour of the meeting.

FOR FURTHER INFORMATION CONTACT:

Ms. Jeanette Thornton, (202) 395-3562 or Ms. Judith Spencer, (202) 208-6576. An agenda and additional information for attendees will be posted on the www.csrc.nist.gov/piv-project Web site prior to the meeting.

SUPPLEMENTARY INFORMATION:

On August 27, 2004, the President issued HSPD-12 Common Identification Standard for Federal Employees and Contractors.

As the Directive explained, “wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).

“Secure and reliable forms of identification for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).”

HSPD-12 directed the Secretary of Commerce to “promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the “Standard”) not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy.”

On November 8, 2004, NIST published a draft standard. The Standard and supporting documents are available at http://csrc.nist.gov/piv-project . The standard was open for public comment until December 23, 2004. On February 27, 2005 the standard will be promulgated. Information on the past two public workshops on the standard is available at www.csrc.nist.gov/piv-project .

The public meeting to address “Privacy and Security Issues in a Common Identification Standard for Federal Employees and Contractors” will focus on the specific issues raised in HSPD-12. Meeting speakers should address the privacy and security concerns as they may affect individuals, including Federal employees and contractors as well as the public at large, in implementation.

By bringing together card and biometric experts, privacy advocates, academics, and other interested parties, the public meeting will present views on how to develop policies to implement the Standard without compromising users' privacy and security.

The session will include introductory remarks and speakers to discuss key questions, such as:

1. How do the proposed technologies in the draft FIPS 201 standard affect privacy and security?

• Does the proposed use of contact and contactless smart card chips raise privacy or security concerns?
• Do the biometric (fingerprint and facial image) standards as proposed, raise privacy or security concerns?
• Does the assignment of a permanent or persistent employee identification number raise privacy concerns?
• Do other applications or features of the card, as proposed raise concerns?

2. Do the proposed credential issuance policies and procedures raise privacy and security concerns?

3. What federal uses of the identification raise privacy and security concerns?

4. Are there means to address privacy and security in the development of the card standard and implementation guidance?

• Can privacy enhancing technologies be built into the card?
• How can we limit non-federal uses of the card?
• What training do employees and contractors need to properly secure their cards?
• What training should card issuers have? Security personnel?
• What law and policies must agencies consider in planning for and implementing the new cards?