NIST issues revised FIPS 201

Changes include options for mobile devices and additional biometric capabilities
 by: 
SDN Staff
  - 
Monday, July 16, 2012

WASHINGTON—The National Institute of Standards and Technology has released a new draft of its security standard for the Personal Identity Verification cards that all federal employees and contractors must use.

The institute is seeking public comments on this revised version of the Federal Information Processing Standard (FIPS) 201, which is intended to be the last draft before the final version is published.

The original FIPS 201, released in February 2005, required all PIV cards to contain an integrated circuit chip for storing electronic information, a personal identification number and protected biometric data (a printed photograph and two fingerprints).

The initial document indicated the standard should be reviewed after five years, so the revisions should not be a surprise, according to NIST computer security researcher Hildegard Ferraiolo. "After implementing the standard, federal departments and agencies learned a number of lessons that, combined with technological changes over the years, made an update worthwhile," he said in a statement.

The revisions will not require anyone to replace their current PIV card, Ferraiolo said, but will make new cards more flexible and effective.

Among the revisions are the ability to update a card's credentials remotely without the need to appear in person where the cards are issued; to create additional credentials for use on mobile devices such as smart phones; and to offer additional capabilities, such as on-card fingerprint comparison and the option to collect and store iris biometric data on the card. These new capabilities will provide flexibility when selecting the appropriate level of security for PIV card holders.

The revision also changes the maximum life of a PIV card from five to six years.

Comments on the revised document should be submitted by email to piv_comments@nist.gov, and must be received by August 10, 2012. Comments will be incorporated into the final version, to be called FIPS 201-2.

NIST also is holding a free public workshop to discuss the revised draft next week. Register online for the July 25 workshop here. The workshop will be webcast as well.

Tags: 
national institute of standards and technology,
Federal Information Processing Standard 201,
FIPS 201,
FIPS 201-2,
identity management,
PIV cards,
Homeland Security,
Hildegard Ferraiolo,
Security Director News

Comments

Submitted by IDmachines on Tue, 07/17/2012 - 10:17am

Actually this is a revision of the Draft of FIPS-201-2 was issued about a year ago, and for which there have already been workshops that have incorporated industry and other comments.  The article makes it seem as if there has been no update since 2005.  http://idmachines.blogspot.com/2011/04/draft-fips-201-2-workshop-personal.html is a blog post that I did based on Hildy's presentation at the workshop that goes through some of the significant changes between FIPS 201-1 and FIPS 201-2.