FIPS 201: The New Federal Regulation for Identity Authentication and Access Control

By
Manager of Product Line Management for Software House

On August 27, 2004, the White House issued a Homeland Security Presidential Directive, titled HSPD-12, that calls for a new standard for verifying the identity of every employee and contractor who is granted access, both physically and logically (via computer), to all federal agencies' operations.

The National Institute of Standards (NIST) responded with FIPS, or Federal Information Processing Standard, 201, which serves as the initial part of this new standard. FIPS 201, in turn, comprises two sections: PIV-I (Personal Identity Verification), which takes effect October 27, 2005 , and PIV-II, which takes effect on October 27, 2006.

PIV-I vs. PIV-II

PIV-I deals strictly with personal ID authentication. It establishes the PIV card as the credential by which authorized individuals are admitted to a federal agency's facilities and inner workings, but does not mandate any specific PIV card technology. It does specify the items such individuals must submit and processes that must be followed prior to being issued a PIV card in order to prove that they are, indeed, who they say they are.

PIV-II outlines the technical requirements for the PIV cards that are issued once the PIV-I requirements have been met. The PIV card is, essentially, a dual technology smart card that contains both a contact chip and a contactless chip for storing data such as a biometric template, a PIN (personal identification number), an expiration date, encrypted keys for computer access, and a CHUID. CHUID stands for Card Holder Unique Identification and is assigned to each applicant by the appropriate agency.

An important requirement introduced by PIV-II is interoperability that will allow any PIV card used at one agency to be used with the same level of efficiency at any other U.S. federal agency anywhere in the world.

How Software House Is Addressing FIPS 201

Software House's C•CURE^® 800 v9.0 meets the upcoming PIV-II requirements by supporting both the PIV cards and card readers that have been developed by the leading manufacturers in the industry to address FIPS 201. It is scheduled for release this fall, one year before PIV-II comes into effect. Existing C•CURE 800 customers will be able to upgrade their software to these FIPS 201-compliant versions at no additional cost under the Service Support Agreement.

For more information about how Software House products can help federal agencies to comply with the new regulations, read our white paper entitled Access Control and FIPS 201 Regulations or call us at 781-466-6660. To find out more about HSPD-12, contact the Office of Management and Budget at 202-395-3080.