The common identification standard for all federal employees and contractors is the Personal Identity Verification (PIV) smart card, defined by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) 201. Virtually every government employee and contractor requiring access for a period of six months or longer is required to obtain, carry and use a PIV card. After many years, nearly all qualified individuals have the card, however everyday use of this electronically verifiable card to obtain both logical and physical access to secured government assets remains a work in progress. Recent GSA and OMB directives have created a host of new challenges for government agencies in accomplishing this vital mission. The good news for these government departments and agencies is that commercial off the shelf (COTS) software platforms and applications now exist that will help resolve these problems.
Below are answers to a few frequently asked questions about the PIV program and how technology is solving some of the complex issues related to managing identities and access privileges across agencies.
What Rules and Regulations Pertain to and/or Govern the Use of a PIV Card?
The Federal Chief Information Officers (CIO) Council established the Identity, Credential and Access Management Subcommittee in 2008 to guide departments in how to use the PIV Card for all access needs appropriate to their mission. This group published the Federal Identity Credential and Access Management (FICAM) Roadmap and Implementation Guidance document (FICAM Roadmap). OMB issued Memorandum M-11-11 in early 2011, with the memorandum stating that all federal agencies must align with the FICAM Roadmap. The GSA also maintains an Approved Products List (APL) of components that meet the FIPS 201 and elaborated FICAM requirements.
How is the Program Implemented?
While FICAM has provided a roadmap for government agencies to plan and execute identity, credential and access management programs that address common identity requirements, it by no means provides the concrete details of how the programming should be implemented. As a result, numerous concerns and issues have arisen in the issuance and utilization of PIV cards.
At the present time, many separate agencies of the federal government take individual responsibility to issue PIV cards to their own employees and contractors, while others choose to get PIV cards through the GSA’s USAccess Program. However, in order for the entire government to to align with FICAM, it is necessary for all physical access control systems (PACS) across all government agencies to achieve the target modernized state characterized by an enterprise connected architecture and be fully PIV-enabled. This means that a PIV card must be authenticated at the time of initial registration, be continuously verified against the certificate revocation lists (CRLs) and even be verified at time of use.
The various challenges presented by the need to comply with PIV standards and maintain the safest possible environment have delayed the full adoption of this protocol by many government agencies. However, there is technology in existence today that will solve these problems, sustain valid identities 24/7 and create an identity firewall around the organization.
How Does the Technology Solution Work?
As a FICAM solution, Physical Identity and Access Management (PIAM) software provides processes that integrate the intersection of digital identities, various credentials and physical identities into a comprehensive policy-based management approach. It streamlines and consolidates disparate systems into a single and centralized FICAM-aligned, integrated and auditable system. PIAM software provides a one-step, policy-based approach to manage and enroll PIV cardholders, together with biometric/biographic data captured from the PIV card, into various physical access control systems (PACS). Lifecycle management of the PIV card in PACS, including registration, status inquiry, lost/stolen cards, provisioning and revocation, expiration and so on, can all be managed centrally.
What Benefits Are Achieved with a PIAM solution?
Implementing this type of software solution will help government agencies preserve and leverage their existing investments in technology and data, reduce future costs and simplify many complex procedures. A robust and technologically advanced software solution to address the current challenges will provide a policy-based approach to managing and enrolling PIV cardholders into diverse PACS and constantly updating the associated authorization levels. This will enable the flexible enrollment, validation and processing of individuals gaining temporary or long-term access to a given facility, along with a policy-based approach to guard against fraud and foster real-time audit and compliance – without changing the user’s existing physical security infrastructure.
Additional benefits of PIAM software include automatic enrollment of any newly issued PIV credentials, including biometric/biographical data capture from the PIV card, in all of the diverse PACS across every government agency. The software will further enable interoperability between every PACS system and logical authoritative identity systems across all agencies, including LDAP/IdM/HR systems or other third-party PIV database applications. It will establish a single reference point of all cardholders, both PIV and non-PIV, across agencies and across diverse PACS and Logical Access Control Systems (LACS). There will be a single, centralized, rules-based process for access privilege provisioning and ongoing access management within and across agencies. The lifecycle of PIV cards including PIV card activation, status inquiry, lost or stolen cards, provisioning and revocation, card expiration policies and so on, will be managed in the physical access control system. Finally, the solution will encompass Web-based visitor enrollment and management for PIV and non-PIV cardholders.