The Commercial Identity Verification (CIV) Credential–Leveraging FIPS 201 and the PIV Specifications
Click here for a comparison of PIV, PIV-I and CIV credentials
Homeland Security Presidential Directive 12 (HSPD-12) mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. Signed by President George W. Bush in August 2004, HSPD-12 initiated the development of a set of technical standards and issuance policies (FIPS 201) that create the Federal infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies, regardless of which agency issues the credential.
This credential, the Personal Identity Verification (PIV) card, is now deployed and used by Federal agencies to assign controlled resource access privileges to Federal employees and to authorize the cardholder to access both physical and logical resources. The success of this program is largely due to the development of goals, issuance policies, and technical specifications that all agencies agree to follow. A cross-certification policy establishes trust between agencies, so that employees from one agency can use their PIV credentials to access controlled resources while visiting other agencies. Products and systems that conform to the defined technical interoperability standards are offered by a variety of suppliers. New standards-compliant products are introduced frequently. Today, well over 5 million PIV cards have been issued by the Federal government to employees and contractors.
As the benefits of a common identity credential become clear, interest is growing among non-Federal issuers. PIV-interoperable (PIV-I) cards are already being issued by Federal contractors to those employees who need access to Federal buildings and networks. The PIV-I credentials are technically interoperable with the PIV infrastructure. PIV-I issuers comply with the identity-proofing, registration, and issuance policies described in FIPS 201 and are cross-certified with the Federal Public Key Infrastructure (PKI) Bridge to allow contractor employees to access authorized resources.
Private enterprises can also take advantage of this technology. This white paper defines the Commercial Identity Verification (CIV) credential, which leverages the PIV-I specifications, technology and data model without the requirement for cross-certification. Any enterprise can create, issue, and use CIV credentials according to requirements established within that enterprise’s unique corporate environment.
The CIV credential is technically compatible with the PIV-I credential specifications. However, a CIV credential issuer need not comply with the strict policy framework associated with issuance and use of the PIV and PIV-I credentials. This freedom allows corporate enterprises to deploy the standardized technologies in a manner that is suitable for their own corporate environments.
About this White Paper
This white paper was developed by the Smart Card Alliance Physical Access Council to provide guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standards-based commercial identity credentialing program. The white paper defines the Commercial Identity Verification (CIV) credential as a credential that uses the same technology and data model as the PIV-I credential. The white paper explores the following topics:
Definition of the CIV credential similarities to and differences from PIV-I and PIV credentials
Corporate benefits of adopting the CIV credential
Planning considerations
Implementation considerations and best practices
CIV credential use cases
Physical Access Council members involved in the development of this white paper included: ActivIdentity; AMAG Technology; Bioscrypt/L-1 Identity Solutions; Booz Allen Hamilton; Codebench, Inc.; Datacard Group; Datawatch; Diebold Security; E & M Technologies; HID Global; Hirsch Electronics; HP Enterprise Services; IDenticard; Identification Technology Partners; IDmachines; Intellisoft, Inc.; NagraID Security; NXP Semiconductors; Roehr Consulting; SAIC; SCM Microsystems; Software House/Tyco; Unisys; U.S. Department of State; XTec, Inc..