Government Credentialing Programs

In 2004, Homeland Security Presidential Directive 12 (HSPD-12) was published in the United States, setting forth broad goals for access control and identity management of government employees and contractors. In response to the goals of HSPD-12, the National Institute of Standards and Technology (NIST) developed Federal Information Processing Standard 201 (FIPS 201). The United States government program known as Personal Identity Verification (PIV) addresses the secure credentialing requirements of federal employees and contractors and is based on FIPS 201. To assist agencies in choosing appropriate products when implementing a PIV program, there is a General Services Administration (GSA) certified product list.

In addition to PIV, there are several other credentialing programs that are "aligned" with FIPS, including the Transportation Worker Identification Credential (TWIC) and the Aviation Credential Interoperability Solution (ACIS). These are Transportation Security Administration (TSA) directed programs under the umbrella of the United States Department of Homeland Security. The two programs add security through identity management in the maritime and airport environments. Unlike PIV, which is strictly for government employees and contractors, TWIC and ACIS are for civilians who work in airport and maritime environments.

Biometrics is an important part of FIPS 201, enabling multi-factor authentication for identity verification. Traditionally, access control systems have relied on ID cards, which can be stolen, lost, shared or copied. With a biometric template, such as a face or fingerprint template stored on the card, there is a secure and efficient way to ensure that the person holding the card is its rightful owner.

Biometric Advantages

Typically, there are three accepted ways to authenticate or prove identity to a system or an authorized person.

  • Something you have - such as an ID card.
  • Something you know - such as a PIN.
  • Something you are - a biometric, such as facial features or fingerprints.

When two or more of these are used together for an identification decision, it is called multi-factor authentication. FIPS guidelines allow for a flexible environment that can use single-, two-, or three-factor authentication. How the programs are implemented will depend on the risk levels of the facilities and the mandates of specific programs. Ideally, a reader that can work in many modes and dynamically switch between them based on changing threat levels will be best suited to these environments. An example would be a reader that uses card-only mode (single-factor) during times of low threat and switches to card, PIN and biometric mode (three-factor) for the duration of an increased threat level.
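The dynamic reader mode described above, as an added example that is not part of the original article: a simplified policy engine that maps a threat level to the factors the reader must verify and fails closed when any required factor is missing or does not verify. The card record layout, PIN hashing on the reader side, and the toy template matcher are assumptions for illustration only; a real PIV card verifies the PIN on-card and biometric matching uses a proper matching algorithm.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

# Reader mode policy: the factors the reader demands at each threat level.
REQUIRED_FACTORS = {
    "low": {"card"},                       # card-only (single-factor)
    "elevated": {"card", "pin"},           # card + PIN (two-factor)
    "high": {"card", "pin", "biometric"},  # card + PIN + biometric (three-factor)
}

@dataclass
class CardRecord:
    """What the reader obtains from the credential (constructed, simplified model)."""
    card_id: str
    pin_salt: bytes
    pin_hash: bytes        # salted PBKDF2 of the PIN; the PIN itself is never stored
    template: list[float]  # biometric template stored on the card (constructed features)

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def template_score(template: list[float], sample: list[float]) -> float:
    """Toy matcher: 1 minus the mean absolute feature difference, in [0, 1]."""
    if len(template) != len(sample):
        return 0.0
    return 1.0 - sum(abs(t - s) for t, s in zip(template, sample)) / len(template)

def authenticate(level: str, card: CardRecord | None, pin: str | None = None,
                 live_sample: list[float] | None = None, threshold: float = 0.9):
    """Return (granted, reasons). Fails closed: every factor the policy requires must verify."""
    required = REQUIRED_FACTORS[level]
    verified, reasons = set(), []
    if card is None:
        return False, ["no card presented"]
    verified.add("card")
    if "pin" in required:
        if pin is not None and hmac.compare_digest(hash_pin(pin, card.pin_salt), card.pin_hash):
            verified.add("pin")
        else:
            reasons.append("PIN missing or incorrect")
    if "biometric" in required:
        if live_sample is not None and template_score(card.template, live_sample) >= threshold:
            verified.add("biometric")
        else:
            reasons.append("biometric missing or below match threshold")
    return required <= verified, reasons
```

A factor presented but not demanded by the current mode is simply ignored, so the same card works in card-only mode and in three-factor mode without reissuing credentials.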