The Department of Homeland Security states that there are wide variations in the quality and security of identification used to gain access to secure facilities — and specifically facilities where there is potential for terrorist attacks. In an effort to eliminate these variations, policy has been set to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. For these reasons, HSPD-12 was introduced.
HSPD-12 is short for “Homeland Security Presidential Directive 12” and is a policy that establishes a common and reliable identification verification standard for government employees and contractors. In other words, the President (at that time it was President George W. Bush) agreed to set and enforce a government-wide standard for secure and reliable identification. The directive implements a standardized badging process that is designed to enhance security, reduce identity fraud, and protect the personal privacy of the individuals who are issued government identification.
HSPD-12 calls for all federal employees and contractors to use a standard smart credential to verify their identity for secure access to federal buildings and information systems. The directive states several requirements as they relate to Personal Identity Verification (PIV). Agencies must issue secure and reliable forms of personal identification:
- Based on sound criteria to verify an individual employee's identity
- That are strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
- That can provide rapid electronic verification of personal identity
- That contain identity tokens issued only by providers whose reliability has been established by an official accreditation process
- Applicable to all government organizations and contractors
- To be used to grant access to federally-controlled facilities and logical access to federally-controlled information systems
- Not applicable to identification associated with national security systems
- To be implemented in a manner that protects individual privacy
HSPD-12 helps to protect against a variety of threats including:
- Unauthorized access to physical facilities or logical assets
- Improper issuance of valid credential to malicious holder
- Counterfeiting of credentials
- Intercept or probing to access stored information
- Successful cryptanalytic attacks against stored protected information
- Use of stolen or borrowed credential to gain access to physical or logical systems
- Intercept/technical surveillance to capture PIN(s)
- Use of credential issued for access to lower sensitivity/criticality assets to achieve access to more sensitive/critical assets
The National Institute of Standards and Technology (NIST) was asked to develop the actual technical standard known as FIPS 201, also referred to as the “Personal Identity Verification (PIV) for Federal Employees and Contractors”. The standard requires the collection of fingerprint and facial information for inclusion on the credential. It is notable that government agencies already use such information to differing degrees — depending on the agency. The standard specifies that the PIV credential will contain both a “contact” smart chip and a “contactless” chip, so that the credential can be read by devices that need direct contact as well as devices that can read the credential remotely.
Timeline: FIPS 201 was first issued in 2005. The first revision (FIPS 201-1) was finalized in 2006, while the second revision (FIPS 201-2) was finalized in 2013.
There is also an alternative credential standard called Personal Identity Verification - Interoperable (PIV-I) which is for issuance to non-Federal employees who are granted access to DOC information system resources for greater than 179 days. For many reasons listed at the Federal Government’s Office of Security, issuance of this special credential is reserved to bureaus and operating units.
The Office of Management and Budget (OMB) was asked to manage the implementation of each of the aforementioned credentials, but the actual uses of them have been left to the agencies themselves to decide. The Office of the Chief Information Officer (OCIO) and the Office of Security have joint responsibility for the implementation of HSPD-12 in coordination with bureau HSPD-12 representatives.
COVID-19 Pandemic Temporary Credentialing
To support social distancing requirements, the Office of the Chief Security Officer (OCSO) is offering an alternate DHS credential known as a Derived Alternate Credential (DAC) to employees in lieu of a DHS Personal Identity Verification (PIV) credential so that personnel can still gain logical access to the DHS network without visiting a DHS Credentialing Facility (DCF). Personnel who obtain a DAC will have to get a DHS PIV Card later. More info can be found at the DHS Security Information and Reference Materials page.
Credentials are normally acquired by government agency employees through the GSA USAccess Program, which was established by the GSA Managed Services Office (MSO). The USAccess Program aims to relieve participants of the burden of acquiring services, coordinating integration with government systems, and managing contracted vendors.
Only officially appointed sponsors who have completed all required training can initiate the process of credentialing. Within the Department of Commerce, PIV card sponsors consist of HR personnel, Contracting Officers/Contracting Officer Representatives, and Foreign National Guest Sponsors for PIV-Interoperable (PIV-I) card issuance.