Federal smart cards about to get smarter

NIST has issued new specifications for the next generation of federal identity verification cards designed to work with mobile devices.

Federal personal identification verification cards — better known as PIV cards — are about to get a technical facelift.

The National Institute of Standards and Technology, or NIST, has released updated technical specifications and guidance for the next generation of “smart” identity cards used by federal government employees and contractors to gain access to government facilities and computers.

The next generation PIV cards will enable federal employees to connect securely to government computer networks from smart phones and other mobile devices, and provide enhanced security features to verify the identity of federal workers.

The PIV cards in use today contain a microchip that stores digital credentials, including an employee’s photo, fingerprint information, a PIN code and other details, but require card readers that must be attached to computers and mobile devices to complete the verification process.

The new specifications add protections to wireless communications between the PIV card and a mobile device.

“We specified a secure communication mechanism so that the next generation PIV Card can be used with mobile devices, enabling federal employees to connect securely to government computer networks, encrypt or sign email from such devices,” said NIST computer scientist Hildegard Ferraiolo, co-author of the publications.

The new specifications also provide additional ways to prove, or authenticate, the cardholder’s identity. One method, called on-card biometric comparison, helps preserve a cardholder’s privacy using a technique that eliminates the need for an individual’s fingerprint data to ever leave the card. Another new security feature prevents a cardholder from changing the PIN to one that is too short.

“It’s encouraging to see NIST continue to improve the capabilities and security associated with the government’s PIV card,” said Dave Wennergren, senior vice president at the Professional Services Council. A decade ago, as Navy CIO, Wennergren chaired a Defense Department working group responsible for deploying the Common Access Card, which helped launch the use of digitally encoded identification cards for government employees and contractors.

“These enhancements should continue to increase the value of the card and we should applaud NIST’s work. That said though, we must also face the fact that it takes time to implement a new version of a smart card, particularly for a large agency,” he said. “Even after the preliminary work to buy cards and prepare for issuance, new cards will slowly replace expiring cards over a period of several years,” he said.

Wennergren also cautioned that more than a decade after Homeland Security Presidential Directive 12, “there are still far too many government agencies not using the card’s capabilities for cryptographic log-on to networks, digital signatures and physical access. If it’s only being used as a ‘flash pass,’ the new features are wasted,” he said.

The updated NIST specifications are contained in two documents, one dealing with interfaces for personal identity verification and the other detailing cryptographic algorithms needed to maintain the security of the PIV cards. The publications are intended for U.S. government agencies to upgrade their PIV cards, or for vendors that make the cards or develop hardware and software to work with the cards.

Written by Wyatt Kash

Wyatt Kash is an award-winning editor and journalist who has been following government IT trends for the past decade. He joined Scoop News Group in June 2014, as Vice President of Content Strategy, where he heads up the company's content strategy and editorial product development. Prior to joining SNG, Mr. Kash served as Editor of , where he developed content and community relations for the government technology market, covering big data, cloud computing, cybersecurity, enterprise architecture, mobile technology, open government and leadership trends. Previously, he co-led an AOL start team, where he helped create, launch, manage and market an online news platform, featuring advanced social media strategies, aimed at government, defense and technology industry executives. Mr. Kash has also held positions with The Washington Post Co. and subsequently 1105 Media, as Editor-in-Chief of and , where he directed editorial strategy and content operations for print, online, and mobile products and industry events. Contact the writer at wyatt.kash@fedscoop.com or on Twitter at @wyattkash.
