Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201, Standard for Personal Identity Verification of Federal Employees and Contractors, 17975-17978 [05-7038]
Download as PDF
<![CDATA[
Federal Register / Vol. 70, No. 67 / Friday, April 8, 2005 / Notices
whether benefits conferred thereunder
to the subject merchandise are
countervailable.
As for the fairs and exhibitions grant,
because it was received in 2004,
subsequent to the POR, we preliminarily
find that no benefit was provided to
Lensi during the POR from this grant.
III. Programs Preliminarily Determined
Not to Have Been Used During the POR
We examined the following programs
and preliminarily determine that the
producers and/or exporters of the
subject merchandise under review did
not apply for or receive benefits under
these programs during the POR:
A. Industrial Development Grants Under
Law 488/92
B. Industrial Development Loans Under
Law 64/86
C. European Regional Development
Fund Grants
D. Law 236/93 Training Grants
E. Law 1329/65 Interest Contributions
(Sabatini Law) (Formerly Lump-Sum
Interest Payment Under the Sabatini
Law for Companies in Southern Italy)
F. Development Grants Under Law 30 of
1984
G. Law 908/55 Fondo di Rotazione
Iniziative Economiche (Revolving
Fund for Economic Initiatives) Loans
H. Industrial Development Grants Under
Law 64/86
I. Law 317/91 Benefits for Innovative
Investments
J. Tremonti Law 489/94 (Formerly Law
Decree 357/94)
k. Ministerial Decree 87/02
L. Law 10/91 Grants to Fund Energy
Conservation
M. Law 341/95 Interest Contributions on
Debt Consolidation Loans (Formerly
Debt Consolidation Law 341/95)
N. Regional Tax Exemptions Under
IRAP
O. Corporate Income Tax (IRPEG)
Exemptions
P. Export Restitution Payments
Q. VAT Reductions Under Laws 64/86
and 675/55
R. Export Credits Under Law 227/77
S. Capital Grants Under Law 675/77
T. Retraining Grants Under Law 675/77
U. Interest Contributions on Bank Loans
Under Law 675/77
V. Interest Grants Financed by IRI
Bonds
W. Preferential Financing for Export
Promotion Under Law 394/81
X. Urban Redevelopment Under Law
181
Y. Grant Received Pursuant to the
Community Initiative Concerning the
Preparation of Enterprises for the
Single Market (PRISMA)
Z. Industrial Development Grants under
Law
VerDate jul<14>2003
19:00 Apr 07, 2005
Jkt 205001
AA. Interest Subsidies Under Law 598/
94
AB. Duty-Free Import Rights
AC. Remission of Taxes on Export
Credit Insurance Under Article 33 of
Law 227/77
AD. European Social Fund Grants
AE. Law 113/86 Training Grants
AF. European Agricultural Guidance
and Guarantee Fund
Preliminary Results of Review
In accordance with 19 CFR
351.221(b)(4)(i), we calculated an
individual subsidy rate for each
producer/exporter covered by this
administrative review. For the period
January 1, 2003 through December 31,
2003, we preliminarily find the net
subsidy rates for the producers/
exporters under review to be those
specified in the chart shown below:
Producer/exporter
Pasta Lensi S.r.1. .......................
Pastificio Corticella S.p.A./
Pastificio Combattenti S.p.A. ..
1 De
Net
subsidy
rate
(percent)
1 0.00
1 0.06
minimis.
The calculations will be disclosed to the
interested parties in accordance with 19
CFR 351.224(b).
If the final results of this review
remain the same as these preliminary
results, because the countervailing duty
rates for all of the above-noted
companies are less than 0.5 percent and,
consequently, de minimis, we will
instruct Customs to liquidate entries
during the period January 1, 2003
through December 31, 2003 without
regard to countervailing duties in
accordance with 19 CFR 351.106(c)(1).
The Department will issue appropriate
instructions directly to Customs within
15 days of publication of these final
results of this review.
For all other companies that were not
reviewed (except Barilla G. e R. F.IIi
S.p.A. and Gruppo Agricoltura Sana
S.r.L., which are excluded from the
order), the Department has directed
Customs to assess countervailing duties
on all entries between January 1, 2003
and December 31, 2003 at the rates in
effect at the time of entry.
The Department also intends to
instruct Customs to collect cash
deposits of estimated countervailing
duties for the above-noted companies at
the above-noted rates on the f.o.b. value
of all shipments of the subject
merchandise from the producers/
exporters under review that are entered,
or withdrawn from warehouse, for
consumption on or after the date of
PO 00000
Frm 00020
Fmt 4703
Sfmt 4703
17975
publication of the final results of this
administrative review. For all nonreviewed firms (except Barilla G. e R.
F.IIi S.p.A, and Gruppe Agricoltura
Sana S.r.L., which are excluded from
the order), we will instruct Customs to
collect cash deposits of estimated
countervailing duties at the most recent
company-specific or all others rate
applicable to the company. These rates
shall apply to all non-reviewed
companies until a review of a company
assigned these rates is requested.
Public Comment
Interested parties may submit written
arguments in case briefs within 30 days
of the date of publication of this notice.
Rebuttal briefs, limited to issues raised
in case briefs, may be filed not later than
five days after the date of filing the case
briefs. Parties who submit briefs in this
proceeding should provide a summary
of the arguments not to exceed five
pages and a table of statutes,
regulations, and cases cited. Copies of
case briefs and rebuttal briefs must be
served on interested parties in
accordance with 19 CFR 351.303(f).
Interested parties may request a
hearing within 30 days after the date of
publication of this notice. Any hearing,
if requested, will be held two days after
the scheduled date for submission of
rebuttal briefs.
The Department will publish a notice
of the final results of this administrative
review within 120 days from the
publication of these preliminary results.
We are issuing and publishing these
results in accordance with sections
751(a)(1) and 777(i)(1) of the Act.
Dated: March 31, 2005.
Joseph A. Spetrini,
Acting Assistant Secretary for Import
Administration.
[FR Doc. 05–6958 Filed 4–7–05; 8:45 am]
BILLING CODE 3510–DS–M
DEPARTMENT OF COMMERCE
National Institute of Standards and
Technology
[Docket No. 041103306–5014–02]
RIN 0693–AB54
Announcing Approval of Federal
Information Processing Standard
(FIPS) Publication 201, Standard for
Personal Identity Verification of
Federal Employees and Contractors
National Institute of Standards
and Technology (NIST), Commerce.
ACTION: Notice.
AGENCY:
SUMMARY: The Secretary of Commerce
has approved Federal Information
E:\FR\FM\08APN1.SGM
08APN1
17976
Federal Register / Vol. 70, No. 67 / Friday, April 8, 2005 / Notices
Processing Standard (FIPS) Publication
201, Standard for Personal Identity
Verification of Federal Employees and
Contractors, and has made it
compulsory and binding on Federal
agencies for use in issuing a secure and
reliable form of personal identification
to employees and contractors. The
standard does not apply to personal
identification associated with national
security systems as defined by 44 U.S.C.
3542(b)(2).
Homeland Security Presidential
Directive (HSPD) 12, Policy for a
Common Identification Standard for
Federal Employees and Contractors,
dated August 27, 2004, directed the
Secretary of Commerce to promulgate,
by February 27, 2005, a Governmentwide standard for secure and reliable
forms of identification to be issued by
the Federal Government to its
employees and contractors (including
contractor employees). HSPD–12
specified that the secure and reliable
forms of identification to be issued to
employees and contractors should be
based on: sound criteria for verifying an
individual employee’s identity; strong
resistance to identity fraud, tampering,
and terrorist exploitation; capability of
being rapidly authenticated
electronically; and issuance by
providers whose reliability has been
established by an official accreditation
process.
FIPS 201 was developed to satisfy the
technical, administrative, and
timeliness requirements of HSPD 12.
The standard was developed in a
‘‘manner consistent with the
Constitution and applicable laws,
including the Privacy Act (5 U.S.C.
552a) and other statutes protecting the
rights of Americans’’ as required in
HSPD 12. In developing the standard,
NIST used technical input solicited
from industry and government
participants in workshops and public
meetings, and from a Federal Register
notice (69 FR 68128) of November 23,
2004, inviting comments from industry
and government on the draft standard.
DATES: This standard is effective
February 24, 2005.
ADDRESSES: A copy of FIPS Publication
201 is available electronically from the
NIST Web site at: https://csrc.nist.gov/
publications/.
FOR FURTHER INFORMATION CONTACT: W.
Curtis Barker, (301) 975–8443, National
Institute of Standards and Technology,
100 Bureau Drive, STOP 8930,
Gaithersburg, MD 20899–8930, e-mail:
wbarker@nist.gov.
SUPPLEMENTARY INFORMATION: A notice
was published in the Federal Register
(69 FR 55586) on September 15, 2004,
VerDate jul<14>2003
19:00 Apr 07, 2005
Jkt 205001
announcing a Public Workshop on
Personal Identity Verification (PIV) of
Federal Employees/Contractors. The
primary goal of the workshop was to
obtain information on secure and
reliable methods of verifying the
identity of Federal employees and
contractors who are given authorized
access to Federal facilities and
information systems. Workshop
participants included representatives
from government and industry
organizations. An overview of the
requirements of HSPD 12 and the
schedule established by NIST for
developing and promulgating the
required standard were discussed.
A Federal Register notice [69 FR
68128] was published on November 23,
2004, announcing draft FIPS 201 and
soliciting comments on the draft
standard from the public, research
communities, manufacturers, voluntary
standards organizations, and Federal,
State, and local government
organizations. In addition to being
published in the Federal Register, the
notice was posted on the NIST Web
pages. Information was provided about
the submission of electronic comments
and an electronic template for the
submission of comments was made
available.
Comments, responses, and questions
were received from 55 private sector
organizations, groups, or individuals, 33
Federal government organizations and
one Canadian government organization.
These comments have all been made
available by NIST at https://csrc.nist.gov/
piv-project/fips201-support-docs.html.
Many of the comments received
recommended editorial changes,
provided general comments, and asked
questions concerning the
implementation of the standard. Many
comments supported the goals of
personal identity verification. Some of
the comments recommended against
adoption of this or any similar standard.
The primary interests and issues that
were raised in the comments included:
Installed or competing technology;
emerging technology and standards;
technology neutrality; privacy; security;
timeliness; cost; interoperability; scope;
applicability; flexibility; simplicity;
consistency; and ease of use. Detailed
technical comments covered issues
including: Identity proofing and
registration; smart card topology; card
programming; biometrics; graduated
levels of assurance/protection; public
key infrastructure supporting digital
signatures for data security and
authentication.
The technical specifications were
modified based on the comments
received, while maintaining a complete,
PO 00000
Frm 00021
Fmt 4703
Sfmt 4703
coherent standard. The standard was
modified to strengthen the process for
assuring the secure and reliable
identification of Federal employees and
contractors to whom PIV cards are to be
issued. Applicants for PIV cards are to
appear in person, provide two original
documents showing identity, and
provide background information that
can be verified. Agencies are required to
photograph and fingerprint applicants,
to initiate background checks using the
National Agency Check with Inquiries
(NACI) or National Agency Check (NAC)
procedures, and to complete other steps
to assure security, privacy and proper
storage of information. NIST has also
revised the standard to provide for
specified graduated security levels of
protection features from the least secure
to the most secure, in accordance with
the requirements of HSPD–12. These
features are provided within the
standard with technical assurances and
for agency use in selecting the
appropriate level of security for each
application. Other technical questions
and issues including the specifications
for the PIV card interface and the
biometric algorithm interface are
addressed in technical publications that
accompany and support the
implementation of FIPS 201. Draft NIST
Special Publication 800–73, Integrated
Circuit Card for Personal Identity
Verification, and draft NIST Special
Publication 800–76, Biometric Data
Specification for Personal Identity
Verification, have been posted on
NIST’s Web pages for public review and
comment. These documents can be
found at https://csrc.nist.gov/
publications/drafts.html. Additional
Special Publications will be developed
as needed and made available for public
review.
Issues concerning agency budget
constraints and the schedule for
implementation of the standard have
been referred to the Office of
Management and Budget (OMB).
Comments noting ambiguities or asking
for clarification concerning the standard
have been incorporated into a
Frequently Asked Questions (FAQ)
document to be published and
maintained on NIST’s Web pages in the
PIV Project Web site. All of the editorial
suggestions were carefully reviewed and
changes were made to the standard
where appropriate.
A Federal Register notice [69 FR
78033] was published on December 29,
2004, announcing a public meeting that
was held on January 19, 2005, to discuss
the privacy, security, and policy issues
associated with HSPD–12. Many other
meetings and discussions with industry
and government representatives were
E:\FR\FM\08APN1.SGM
08APN1
Federal Register / Vol. 70, No. 67 / Friday, April 8, 2005 / Notices
held to balance the different,
conflicting, and often mutually
exclusive interests of the parties
providing comments. The approved
standard reflects these balanced
interests while meeting the overall
objectives of quality and timeliness of
the standard.
Following is an analysis of the
comments received, including the
interests, concerns, recommendations,
and issues considered in the
development of FIPS 201. More
information about the development of
FIPS 201 is available on NIST’s Web
pages at https://www.csrc.nist.gov.
Comment: Some Federal agencies
were concerned about the cost of
implementing the standard, their ability
to implement the standard within their
budget constraints and the tight
schedule specified in the standard for
implementation.
Response: Issues concerning the costs
of implementing the standard and the
schedule for implementation have been
referred to the Office of Management
and Budget (OMB).
Comment: Comments were received
about protecting the privacy of
individuals, and limiting the sharing of
information on personal identity
between organizations. Some comments
expressed concern about the
interoperability provisions of the PIV
card possibly leading to the linking of
databases with information about
individuals, and the issuance of a
national identity card.
Response: The privacy requirements
contained in FIPS 201 and guidance to
agencies to ensure the privacy of
applicants for PIV cards have been
strengthened in Section 2.3. The
requirements for agencies include: The
appointment of a PIV Privacy Official;
the assessment of systems for their
impact on privacy; identification of
information to be collected about
individuals and how the information
will be used; assurance that systems
containing personal information adhere
to fair information practices; and audits
of systems for compliance with privacy
policies and practices. OMB has
informed NIST that it intends to issue
privacy and implementation guidance to
agencies.
Comment: Comments were received
about ambiguities in the standard and
issues that needed to be clarified, both
in the text of the standard and in the
diagrams that accompany the text. Other
comments and questions pertained to
agency authority in determining those
individuals to whom PIV cards should
be issued.
Response: Comments noting technical
ambiguities and requests for
VerDate jul<14>2003
19:00 Apr 07, 2005
Jkt 205001
clarification concerning specific
provisions in the standard were
reviewed and changes to clarify the
intent were incorporated into the
standard where appropriate. Comments
requesting clarification on issues not
specifically addressed in the technical
specifications, such as costs, policies,
agency roles and responsibilities have
been addressed and answered in a
document of Frequently Asked
Questions (FAQ). This document will be
published when the standard is
approved and will be maintained on
NIST’s Web pages in the PIV Project
Web site. Other comments noting
ambiguities dealing with
implementation of the standard will be
addressed in the implementation
guidance currently under development.
Comment: Technical issues were
raised concerning identity validation or
‘‘proofing’’ to be performed when
initiating the issuance of a PIV Card,
and the graduated criteria from the least
secure to the most secure. These
protection features were required in
HSPD–12 to ensure flexibility in
selecting the appropriate level of
security for each application.
Response: The technical
specifications were modified based on
the comments received, while
maintaining a complete, coherent
standard, and including the required
graduated security levels of protection.
The specifications were modified to
allow for the use of a government-issued
document and a background check to
assure the identity of the individual to
whom a card would be issued. The
security features are provided within
the revised standard with technical
assurances, and are available for agency
use in selecting the appropriate level of
security, from some security to very
high security, for each form of identity
issued and for each application.
Comment: Technical issues were
raised concerning the PIV Card interface
and the biometric specifications. Some
comments pointed out that the
requirement for two fingerprint images
and a facial image would occupy most
of the storage capabilities of the chip on
the card. Other comments pertained to
the number of fingerprints that should
be included on a PIV card, and
recommended the use of additional
biometric information.
Response: Since the storage of a facial
image of the applicant on the chip
would consume much of the electronic
memory of a PIV card, the specifications
were modified to require only two
fingerprint storage. The use of
fingerprint data provides a reliable and
secure means of automated
identification, and agencies are required
PO 00000
Frm 00022
Fmt 4703
Sfmt 4703
17977
to put photographs of applicants on the
cards for a visual means of
identification. The use of a stored facial
image on the PIV card can be evaluated
in the future as card capacity increases.
Issues concerning the card interface and
the storage of personal information are
addressed in technical publications that
accompany FIPS 201, including draft
NIST Special Publication 800–73,
Integrated Circuit Card for Personal
Identity Verification, and other planned
Special Publications. Additionally, the
interface and formatting requirements
for biometric information are addressed
in draft NIST Special Publication 800–
76, Biometric Data Specification for
Personal Identity Verification. SP 800–
73 and SP 800–76 have been posted on
NIST’s web pages for public review and
comment [https://csrc.nist.gov/
publications/drafts.html]. The issuance
of recommendations for interfaces,
storage and formatting specifications in
Special Publications allows for
flexibility and adaptability as the
technology improves.
Comment: Issues were raised about
the card specifications, including the
use of certain authentication protocols.
Other issues concerned the topology, or
physical layout, of the card, and the
authority of agencies to select formats,
appearances of the card and special
security threats.
Response: Clarifications were made to
the text of the standard to make the
requirements for authentication
protocols more specific. The
authentication mechanisms that are
provided in the standard enable
agencies to implement methods
including visual identification, use of
biometric data, and use of asymmetric
keys, which help to establish the
agency’s confidence in the identity of a
cardholder presenting a PIV card. The
text was clarified to identify those areas
where agencies can have flexibility in
determining the format and appearance
of the card. The inclusion of a
photograph of a PIV cardholder is
mandatory. The use of an agency seal is
optional. Because of certain heightened
overseas threats an agency may issue
credentials that do not contain (or
otherwise do not fully support) the
wireless and/or biometric capabilities.
Comment: Issues were raised
concerning the secure administration of
the card-issuing system, including
processes for renewal of cards, for
making changes to the cards, for
protecting against fraud, counterfeiting,
and modification of cards, and for
including agency and personal
information on cards.
Response: These topics will be
addressed in the Frequently Asked
E:\FR\FM\08APN1.SGM
08APN1
17978
Federal Register / Vol. 70, No. 67 / Friday, April 8, 2005 / Notices
Questions document that will be
available on NIST’s web pages when the
standard is issued, and in currently
available draft Special Publications, as
well as future NIST Special
Publications.
This action has been determined to be
significant under E.O. 12866.
Authority: In accordance with the
Information Technology Management Reform
Act of 1996 (Pub. L. 104–106) and the
Federal Information Security Management
Act (FISMA) of 2002 (Pub. L. 107–347), the
Secretary of Commerce is authorized to
approve Federal Information Processing
Standards (FIPS). Homeland Security
Presidential Directive (HSPD) 12 entitled
‘‘Policy for a Common Identification
Standard for Federal Employees and
Contractors’’, dated August 27, 2004, directed
the Secretary of Commerce to promulgate, by
February 27, 2005, a Government-wide
standard for secure and reliable forms of
identification to be issued by the Federal
Government to its employees and
contractors.
Dated: March 30, 2005.
Hratch G. Semerjian,
Acting Director, NIST.
[FR Doc. 05–7038 Filed 4–7–05; 8:45 am]
BILLING CODE 3510–CN–P
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric
Administration
[I.D. 040505C]
Western Pacific Fishery Management
Council; Public Meetings
National Marine Fisheries
Service (NMFS), National Oceanic and
Atmospheric Administration (NOAA),
Commerce.
ACTION: Notice of public meeting.
AGENCY:
SUMMARY: The Western Pacific Fishery
Management Council (Council) will
hold its Bottomfish Plan Team (BPT)
meeting in Honolulu, HI. See
SUPPLEMENTARY INFORMATION for specific
times, dates, and agenda items.
DATES: The meeting of the PCPT will be
held on April 27 to 28, 2005, from 8:30
a.m. to 5 p.m.
ADDRESSES: The BPT meeting will be
held at the Western Pacific Fishery
Management Council Office, 1164
Bishop St., Suite 1400, Honolulu, HI
96813.
FOR FURTHER INFORMATION CONTACT:
Kitty M. Simonds, Executive Director;
telephone: (808)522–8220.
SUPPLEMENTARY INFORMATION: The BPT
will meet on April 27–28, 2005 to
discuss the following agenda items:
Wednesday, 27 April, 8:30 a.m.
1. Introduction and assign rapporteurs
2. 2004 Annual Report
a. Review 2004 Annual Report
modules and recommendations
d. 2004 Annual Report region-wide
recommendations
3. Overfishing/Overfished control
rules
a. Status of the Stock Report
b. Review recommendations from
Stock Assessment Workshop and report
on status
c. Overfishing control rule as applied
to Guam and Hawaii fisheries
d. Discussion and recommendations
Thursday, 28 April, 8:30 a.m.
4. Archepelagic Ecosystem-based
management plan
a. NMI Pilot Project
b. Report on ecosystem workshop
c. Discussion and recommendations
5. Hawaii Bottomfish management
a. National Ocean Service NWHI
Sanctuary Designation Process
b. Council Draft Regulations
c. Discussion and recommendations
6. Plan Team Recommendations
7. Other Business
The order in which agenda items are
addressed may change. Public comment
periods will be provided throughout the
agenda. The Plan Team will meet as late
as necessary to complete scheduled
business.
Although non-emergency issues not
contained in this agenda may come
before the Plan Team for discussion,
those issues may not be the subject of
formal action during these meetings.
Plan Team action will be restricted to
those issues specifically listed in this
document and any issue arising after
publication of this document that
requires emergency action under section
305(c) of the Magnuson-Stevens Fishery
Conservation and Management Act,
provided the public has been notified of
the Council’s intent to take final action
to address the emergency.
Special Accommodations
These meetings are physically
accessible to people with disabilities.
Requests for sign language
interpretation or other auxiliary aids
should be directed to Kitty M. Simonds,
(808)522–8220 (voice) or (808)522–8226
(fax), at least 5 days prior to the meeting
date.
April 5, 2005.
Emily Menashes,
Acting Director, Office of Sustainable
Fisheries, National Marine Fisheries Service.
[FR Doc. E5–1639 Filed 4–7–05; 8:45 am]
BILLING CODE 3510–22–S
VerDate jul<14>2003
19:00 Apr 07, 2005
Jkt 205001
PO 00000
Frm 00023
Fmt 4703
Sfmt 4703
COMMITTEE FOR THE
IMPLEMENTATION OF TEXTILE
AGREEMENTS
Solicitation of Public Comments
Regarding Possible Safeguard Action
on Imports from China of Cotton Knit
shirts and Blouses
April 6, 2005.
The Committee for the
Implementation of Textile Agreements
(the Committee)
ACTION: Solicitation of public comments
regarding possible safeguard action on
imports from China of cotton knit shirts
and blouses, Category 338/339.
AGENCY:
SUMMARY: The Committee has decided,
on its own initiative, to consider
whether imports of Chinese origin
cotton knit shirts and blouses, Category
338/339 are, due to market disruption,
threatening to impede the orderly
development of trade in these products.
The Committee is soliciting public
comments to assist it in considering this
issue and in determining whether
safeguard action is appropriate.
Comments may be submitted by any
interested person. Comments must be
received no later than May 9, 2005.
FOR FURTHER INFORMATION CONTACT: Jay
Dowling, Office of Textiles and Apparel,
U.S. Department of Commerce, (202)
482-4058.
SUPPLEMENTARY INFORMATION:
Authority: Section 204 of the Agriculture
Act of 1956, as amended; Executive Order
11651, as amended.
BACKGROUND:
The Report of the Working Party on
the Accession of China to the World
Trade Organization (Accession
Agreement) provides that, if a WTO
Member, such as the United States,
believes that imports of Chinese origin
textile and apparel products are, ‘‘due to
market disruption, threatening to
impede the orderly development of
trade in these products’’, it may request
consultations with China with a view to
easing or avoiding the disruption.
Pursuant to this provision, if the United
States requests consultations with
China, it must, in the context of this
request, provide China with a detailed
factual statement showing (1) the
existence of market disruption; and (2)
the role of products of Chinese origin in
that disruption. Beginning on the date
that it receives such a request, China
must restrict its shipments to the United
States to a level no greater than 7.5
percent (6 percent for wool product
categories) above the amount entered
during the first 12 months of the most
recent 14 months preceding the request.
E:\FR\FM\08APN1.SGM
08APN1
]]>Agencies
[Federal Register Volume 70, Number 67 (Friday, April 8, 2005)]
[Notices]
[Pages 17975-17978]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-7038]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 041103306-5014-02]
RIN 0693-AB54
Announcing Approval of Federal Information Processing Standard
(FIPS) Publication 201, Standard for Personal Identity Verification of
Federal Employees and Contractors
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Commerce has approved Federal Information
[[Page 17976]]
Processing Standard (FIPS) Publication 201, Standard for Personal
Identity Verification of Federal Employees and Contractors, and has
made it compulsory and binding on Federal agencies for use in issuing a
secure and reliable form of personal identification to employees and
contractors. The standard does not apply to personal identification
associated with national security systems as defined by 44 U.S.C.
3542(b)(2).
Homeland Security Presidential Directive (HSPD) 12, Policy for a
Common Identification Standard for Federal Employees and Contractors,
dated August 27, 2004, directed the Secretary of Commerce to
promulgate, by February 27, 2005, a Government-wide standard for secure
and reliable forms of identification to be issued by the Federal
Government to its employees and contractors (including contractor
employees). HSPD-12 specified that the secure and reliable forms of
identification to be issued to employees and contractors should be
based on: sound criteria for verifying an individual employee's
identity; strong resistance to identity fraud, tampering, and terrorist
exploitation; capability of being rapidly authenticated electronically;
and issuance by providers whose reliability has been established by an
official accreditation process.
FIPS 201 was developed to satisfy the technical, administrative,
and timeliness requirements of HSPD 12. The standard was developed in a
``manner consistent with the Constitution and applicable laws,
including the Privacy Act (5 U.S.C. 552a) and other statutes protecting
the rights of Americans'' as required in HSPD 12. In developing the
standard, NIST used technical input solicited from industry and
government participants in workshops and public meetings, and from a
Federal Register notice (69 FR 68128) of November 23, 2004, inviting
comments from industry and government on the draft standard.
DATES: This standard is effective February 24, 2005.
ADDRESSES: A copy of FIPS Publication 201 is available electronically
from the NIST Web site at: https://csrc.nist.gov/publications/.
FOR FURTHER INFORMATION CONTACT: W. Curtis Barker, (301) 975-8443,
National Institute of Standards and Technology, 100 Bureau Drive, STOP
8930, Gaithersburg, MD 20899-8930, e-mail: wbarker@nist.gov.
SUPPLEMENTARY INFORMATION: A notice was published in the Federal
Register (69 FR 55586) on September 15, 2004, announcing a Public
Workshop on Personal Identity Verification (PIV) of Federal Employees/
Contractors. The primary goal of the workshop was to obtain information
on secure and reliable methods of verifying the identity of Federal
employees and contractors who are given authorized access to Federal
facilities and information systems. Workshop participants included
representatives from government and industry organizations. An overview
of the requirements of HSPD 12 and the schedule established by NIST for
developing and promulgating the required standard were discussed.
A Federal Register notice [69 FR 68128] was published on November
23, 2004, announcing draft FIPS 201 and soliciting comments on the
draft standard from the public, research communities, manufacturers,
voluntary standards organizations, and Federal, State, and local
government organizations. In addition to being published in the Federal
Register, the notice was posted on the NIST Web pages. Information was
provided about the submission of electronic comments and an electronic
template for the submission of comments was made available.
Comments, responses, and questions were received from 55 private
sector organizations, groups, or individuals, 33 Federal government
organizations and one Canadian government organization.
These comments have all been made available by NIST at https://
csrc.nist.gov/piv-project/fips201-support-docs.html. Many of the
comments received recommended editorial changes, provided general
comments, and asked questions concerning the implementation of the
standard. Many comments supported the goals of personal identity
verification. Some of the comments recommended against adoption of this
or any similar standard.
The primary interests and issues that were raised in the comments
included: Installed or competing technology; emerging technology and
standards; technology neutrality; privacy; security; timeliness; cost;
interoperability; scope; applicability; flexibility; simplicity;
consistency; and ease of use. Detailed technical comments covered
issues including: Identity proofing and registration; smart card
topology; card programming; biometrics; graduated levels of assurance/
protection; public key infrastructure supporting digital signatures for
data security and authentication.
The technical specifications were modified based on the comments
received, while maintaining a complete, coherent standard. The standard
was modified to strengthen the process for assuring the secure and
reliable identification of Federal employees and contractors to whom
PIV cards are to be issued. Applicants for PIV cards are to appear in
person, provide two original documents showing identity, and provide
background information that can be verified. Agencies are required to
photograph and fingerprint applicants, to initiate background checks
using the National Agency Check with Inquiries (NACI) or National
Agency Check (NAC) procedures, and to complete other steps to assure
security, privacy and proper storage of information. NIST has also
revised the standard to provide for specified graduated security levels
of protection features from the least secure to the most secure, in
accordance with the requirements of HSPD-12. These features are
provided within the standard with technical assurances and for agency
use in selecting the appropriate level of security for each
application. Other technical questions and issues including the
specifications for the PIV card interface and the biometric algorithm
interface are addressed in technical publications that accompany and
support the implementation of FIPS 201. Draft NIST Special Publication
800-73, Integrated Circuit Card for Personal Identity Verification, and
draft NIST Special Publication 800-76, Biometric Data Specification for
Personal Identity Verification, have been posted on NIST's Web pages
for public review and comment. These documents can be found at https://
csrc.nist.gov/publications/drafts.html. Additional Special Publications
will be developed as needed and made available for public review.
Issues concerning agency budget constraints and the schedule for
implementation of the standard have been referred to the Office of
Management and Budget (OMB). Comments noting ambiguities or asking for
clarification concerning the standard have been incorporated into a
Frequently Asked Questions (FAQ) document to be published and
maintained on NIST's Web pages in the PIV Project Web site. All of the
editorial suggestions were carefully reviewed and changes were made to
the standard where appropriate.
A Federal Register notice [69 FR 78033] was published on December
29, 2004, announcing a public meeting that was held on January 19,
2005, to discuss the privacy, security, and policy issues associated
with HSPD-12. Many other meetings and discussions with industry and
government representatives were
[[Page 17977]]
held to balance the different, conflicting, and often mutually
exclusive interests of the parties providing comments. The approved
standard reflects these balanced interests while meeting the overall
objectives of quality and timeliness of the standard.
Following is an analysis of the comments received, including the
interests, concerns, recommendations, and issues considered in the
development of FIPS 201. More information about the development of FIPS
201 is available on NIST's Web pages at https://www.csrc.nist.gov.
Comment: Some Federal agencies were concerned about the cost of
implementing the standard, their ability to implement the standard
within their budget constraints and the tight schedule specified in the
standard for implementation.
Response: Issues concerning the costs of implementing the standard
and the schedule for implementation have been referred to the Office of
Management and Budget (OMB).
Comment: Comments were received about protecting the privacy of
individuals, and limiting the sharing of information on personal
identity between organizations. Some comments expressed concern about
the interoperability provisions of the PIV card possibly leading to the
linking of databases with information about individuals, and the
issuance of a national identity card.
Response: The privacy requirements contained in FIPS 201 and
guidance to agencies to ensure the privacy of applicants for PIV cards
have been strengthened in Section 2.3. The requirements for agencies
include: The appointment of a PIV Privacy Official; the assessment of
systems for their impact on privacy; identification of information to
be collected about individuals and how the information will be used;
assurance that systems containing personal information adhere to fair
information practices; and audits of systems for compliance with
privacy policies and practices. OMB has informed NIST that it intends
to issue privacy and implementation guidance to agencies.
Comment: Comments were received about ambiguities in the standard
and issues that needed to be clarified, both in the text of the
standard and in the diagrams that accompany the text. Other comments
and questions pertained to agency authority in determining those
individuals to whom PIV cards should be issued.
Response: Comments noting technical ambiguities and requests for
clarification concerning specific provisions in the standard were
reviewed and changes to clarify the intent were incorporated into the
standard where appropriate. Comments requesting clarification on issues
not specifically addressed in the technical specifications, such as
costs, policies, agency roles and responsibilities have been addressed
and answered in a document of Frequently Asked Questions (FAQ). This
document will be published when the standard is approved and will be
maintained on NIST's Web pages in the PIV Project Web site. Other
comments noting ambiguities dealing with implementation of the standard
will be addressed in the implementation guidance currently under
development.
Comment: Technical issues were raised concerning identity
validation or ``proofing'' to be performed when initiating the issuance
of a PIV Card, and the graduated criteria from the least secure to the
most secure. These protection features were required in HSPD-12 to
ensure flexibility in selecting the appropriate level of security for
each application.
Response: The technical specifications were modified based on the
comments received, while maintaining a complete, coherent standard, and
including the required graduated security levels of protection. The
specifications were modified to allow for the use of a government-
issued document and a background check to assure the identity of the
individual to whom a card would be issued. The security features are
provided within the revised standard with technical assurances, and are
available for agency use in selecting the appropriate level of
security, from some security to very high security, for each form of
identity issued and for each application.
Comment: Technical issues were raised concerning the PIV Card
interface and the biometric specifications. Some comments pointed out
that the requirement for two fingerprint images and a facial image
would occupy most of the storage capabilities of the chip on the card.
Other comments pertained to the number of fingerprints that should be
included on a PIV card, and recommended the use of additional biometric
information.
Response: Since the storage of a facial image of the applicant on
the chip would consume much of the electronic memory of a PIV card, the
specifications were modified to require only two fingerprint storage.
The use of fingerprint data provides a reliable and secure means of
automated identification, and agencies are required to put photographs
of applicants on the cards for a visual means of identification. The
use of a stored facial image on the PIV card can be evaluated in the
future as card capacity increases. Issues concerning the card interface
and the storage of personal information are addressed in technical
publications that accompany FIPS 201, including draft NIST Special
Publication 800-73, Integrated Circuit Card for Personal Identity
Verification, and other planned Special Publications. Additionally, the
interface and formatting requirements for biometric information are
addressed in draft NIST Special Publication 800-76, Biometric Data
Specification for Personal Identity Verification. SP 800-73 and SP 800-
76 have been posted on NIST's web pages for public review and comment
[https://csrc.nist.gov/publications/drafts.html]. The issuance of
recommendations for interfaces, storage and formatting specifications
in Special Publications allows for flexibility and adaptability as the
technology improves.
Comment: Issues were raised about the card specifications,
including the use of certain authentication protocols. Other issues
concerned the topology, or physical layout, of the card, and the
authority of agencies to select formats, appearances of the card and
special security threats.
Response: Clarifications were made to the text of the standard to
make the requirements for authentication protocols more specific. The
authentication mechanisms that are provided in the standard enable
agencies to implement methods including visual identification, use of
biometric data, and use of asymmetric keys, which help to establish the
agency's confidence in the identity of a cardholder presenting a PIV
card. The text was clarified to identify those areas where agencies can
have flexibility in determining the format and appearance of the card.
The inclusion of a photograph of a PIV cardholder is mandatory. The use
of an agency seal is optional. Because of certain heightened overseas
threats an agency may issue credentials that do not contain (or
otherwise do not fully support) the wireless and/or biometric
capabilities.
Comment: Issues were raised concerning the secure administration of
the card-issuing system, including processes for renewal of cards, for
making changes to the cards, for protecting against fraud,
counterfeiting, and modification of cards, and for including agency and
personal information on cards.
Response: These topics will be addressed in the Frequently Asked
[[Page 17978]]
Questions document that will be available on NIST's web pages when the
standard is issued, and in currently available draft Special
Publications, as well as future NIST Special Publications.
This action has been determined to be significant under E.O. 12866.
Authority: In accordance with the Information Technology
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal
Information Security Management Act (FISMA) of 2002 (Pub. L. 107-
347), the Secretary of Commerce is authorized to approve Federal
Information Processing Standards (FIPS). Homeland Security
Presidential Directive (HSPD) 12 entitled ``Policy for a Common
Identification Standard for Federal Employees and Contractors'',
dated August 27, 2004, directed the Secretary of Commerce to
promulgate, by February 27, 2005, a Government-wide standard for
secure and reliable forms of identification to be issued by the
Federal Government to its employees and contractors.
Dated: March 30, 2005.
Hratch G. Semerjian,
Acting Director, NIST.
[FR Doc. 05-7038 Filed 4-7-05; 8:45 am]
BILLING CODE 3510-CN-P
