Revised Personal Identity Verification (PIV) Guidance
The National Institute of Standards and Technology (NIST) has recently released a revised draft of the FIPS 201 standard, which gives agencies the option to issue derived credentials for use with mobile devices under Homeland Security Presidential Directive-12.
“The revised draft FIPS 201-2 continues to require every cardholder to be issued an ISO/IEC 7810 form factor PIV card, but it introduces the ability to issue PIV derived credentials, which may be provisioned to devices other than an ISO/IEC 7810 form factor,” NIST wrote in its response to the comments on the first draft, which was released in March 2011.
Agencies would create a secure representation of the HSPD-12 credential on a smartphone or tablet computer, which would then communicate with the back-end systems, giving the employee or consultant safe access to the network. The option for derived credentials, along with traditional identity-card security data, is one of several changes NIST is proposing under the draft revised Federal Information Processing Standard 201-2.
The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and the Defense Information Systems Agency (DISA) have issued policy statements in the past and managed successful pilots of multifactor authentication technology. That technology combines something you know (a high-entropy password) with something you have (a one-time password device) to enable access to For Official Use Only (FOUO) information, personally identifiable information and electronic protected health information in compliance with NIST guidance for remote identity proofing.
For those who are not eligible for an HSPD-12 card or can’t use one, even a mobile version, remote identity proofing and NIST-compliant multifactor authentication are another way to ensure security of the data. For more information about ways to secure your agency’s data and still offer appropriate access, contact our specialists.