Chapter 1 – Introduction
1.1 PURPOSE
This DOI Guidance provides policies and procedures governing the Personal Identity Verification (PIV) process and Smartcard (DOI ID Badge) issuance requirements of the following directive, standards, and policies:
Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors,” dated August 27, 2004
National Institute of Standards and Technology (NIST) Federal Information Processing Standards 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, dated February 25, 2005
Office of Management and Budget (OMB) Memorandum M-05-24, dated August 5, 2005
HSPD-12 mandates the development and implementation of a mandatory, government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (and contractor employees).
FIPS 201 defines a reliable, government-wide Personal Identity Verification (PIV) process for use in applications such as access to federally controlled facilities and information systems. It also specifies a PIV Part II (PIV-II) system within which common identification credentials can be created and later used to verify a claimed identity.
OMB Memorandum M-05-24 provides guidance for implementing the requirements in FIPS 201 and HSPD-12. The guidance clarifies timelines, applicability, and the requirements of PIV-I.
For purposes of this Guidance, DOI organizations are collectively referred to as “Offices.”
No provision in this Guidance shall have the effect of nullifying or limiting protections for equal employment opportunity as defined under Title VII of the Civil Rights Act, 42 U.S.C. 3535(d), Executive Order (EO) 11478, or DOI’s implementing regulations under 24 CFR Part 7. DOI will not implement this Guidance in such a way as to impede equal employment opportunity on the basis of race, color, religion, sex, national origin, age, or disability.
1.2 BACKGROUND
In years past, government agencies required levels and means of authenticating the identification of Federal employees and contractors as a requirement to enter government facilities and use of government systems. Where appropriate, the agencies also implemented authentication mechanisms to allow access to specific areas or systems. The methods and levels of assurance for authentication and authorization, (i.e., identification and permission) varied widely from agency to agency, and sometimes within a single agency.
HSPD-12 requires that all government agencies develop specific and consistent standards for both physical and logical identification systems. The National Institute of Standards and Technology’s (NIST’s) FIPS 201 establishes detailed standards on implementing processes and systems to fulfill the requirements of HSPD-12. FIPS 201 outlines two phases to implementing an HSPD-12 program. Part I (PIV-I) describes the registration and identity proofing process that must be in place beginning October 27, 2005. Part II (PIV-II) describes the technical and interoperability requirements of an HSPD-12-compliant system that must be in place beginning October 27, 2006. This Guidance addresses the PIV-I requirements only.
The 2002 Federal Information Security Management Act (FISMA) does not permit waivers to the FIPS 201 standards.
1.3 APPLICABILITY
According to FIPS 201, the standard “is applicable to identification issued by Federal departments and agencies to Federal employees and contractors (including contractor employees) for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems except for ‘national security systems’ as defined by 44 U.S.C. §3542(b)(2).”
Specifically, PIV-I applies to all Federal employees, as defined in title 5 U.S.C §2105 “Employee,” within a department or agency. In addition, all individuals under long-term (6 months or longer) contract to the Federal government will be subject to PIV.
It is not required that temporary employees (less than 6 months), short-term guests, and occasional visitors to Federal facilities be subject to PIV-I. These individuals can be issued alternate credentials as described in section 2.8 of this Guidance. DOI reserves the right to subject any individual to the PIV-I process following a risk-based assessment. Office of Law Enforcement and Security Memorandum, Definition of Card Issuance and Facility Guidance Regarding HSPD-12, dated July 14, 2005 (Appendix G), outlines requirements for temporary federal employees, contractors, and others affiliated with the agency for less than 6 months. Background investigations are long-standing requirements and not a new requirement of the HSPD-12 and PIV-I process.
(Appendix A for an excerpt from OMB Memorandum M-05-24)
1.4 SCHEDULES AND DEADLINES
Per HSPD-12, FIPS 201, and OMB Memorandum 05-24, all Federal Agencies must create and implement a PIV-I-compliant process beginning no later than October 27, 2005.
All Agencies must create and begin implementation on a PIV-II-compliant system for new employees and contractors beginning no later than October 27, 2006.
All existing DOI contractors must be identity proofed (with at minimum a National Agency Check with Written Inquiries (NACI)) no later than October 27, 2007 or upon contract renewal or ID expiration, whichever is earlier.
All Federal employees with less than 15 years of Federal service, as of October 27, 2005, must be identity proofed with at minimum a NACI no later than October 27, 2007.
All Federal employees with more than 15 years of Federal service, as of October 27, 2005, whose NACI or other OPM approved background investigation is not on file must be identity proofed with at minimum a NACI, no later than October 27, 2008.
Access to DOI’s local area network (LAN) will require use of the PIV-II Card by employees and contractors no later than October 27, 2007.
Access to DOI’s NCI and level 4 physical facilities (GSA-owned and leased space, or others as deemed necessary based on risk assessment) will require use of the PIV-II Card by employees and contractors no later than October 27, 2007. (Appendix G)