NIST issues new PIV standards including rules for digital IDs
The U.S. government has issued a draft update to its biometric PIV card standard that covers initial identity proofing, interoperability infrastructure and other functions to address evolving system needs.
The update also covers derived personal identity verification (PIV) credentials, which are verification credentials rendered digital for mobile devices. It details new specifications for use of derived PIV credentials.
Federal employees and contractors are required to carry this particular PIV card for logical and physical access. A PIV account stores attributes of a cardholder and enrollment data as well as information about the card itself and derived PIV credentials assigned to the account.
NIST, which published the expanded standard, added required procedures for supervised remote identity proofing, issuance and registration. Those rules set out the conditions for monitoring the proofing session, and note the necessity of biometric data collection to perform identity proofing remotely.
Its staff also created rules for front-end subsystems for PIV systems, setting out requirements for cards and readers, logical data elements, cryptography and biometric records.
NIST defined card-supported authentication mechanisms as well as the mechanisms’ applicability to rules for “graduated levels of identity assurance.”
At the same time, NIST addressed interoperability protocols that make it possible to use PIV systems deployed in other agencies.
The update is the result of a five-year review of the 15-year-old Federal Information Processing Standard 201.
A virtual, public meeting on the changes will be held December 9.