Announcing Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, Request for Comments, and Public Workshop on Revised Draft FIPS 201-2, 40338-40341 [2012-16725]
Federal Register / Vol. 77, No. 131 / Monday, July 9, 2012 / Notices
chairperson, while away from their homes or a regular place of business.
2. Members of the Committee shall serve as Special Government Employees (SGEs) and will be subject to the ethics standards applicable to SGEs. As SGEs, the members are required to file an annual Executive Branch Confidential Financial Disclosure Report.
3. Meetings of the VCAT usually take place at the NIST headquarters in Gaithersburg, Maryland, and may be held periodically at the NIST site in Boulder, Colorado. Meetings are usually two days in duration and are held at least twice each year.
4. Generally, Committee meetings are open to the public.
Nomination Information
1. Nominations are sought from all fields described above.
2. Nominees should have established records of distinguished service and shall be eminent in fields such as business, research, new product development, engineering, labor, education, management consulting, environment and international relations. The category (field of eminence) for which the candidate is qualified should be specified in the nomination letter. Nominations for a particular category should come from organizations or individuals within that category. A summary of the candidate's qualifications should be included with the nomination, including (where applicable) current or former service on federal advisory boards and federal employment. In addition, each nomination letter should state that the candidate agrees to the nomination, acknowledges the responsibilities of serving on the VCAT, and will actively participate in good faith in the tasks of the VCAT. Besides participation in two-day meetings held at least twice each year, it is desired that members be able to devote the equivalent of two days between meetings to either developing or researching topics of potential interest, and so forth in furtherance of the Committee duties.
3. The Department of Commerce is committed to equal opportunity in the workplace and seeks a broad-based and diverse VCAT membership.
Dated: July 2, 2012.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2012-16722 Filed 7-6-12; 8:45 am]
BILLING CODE 3510-13-P
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 120608158-2158-01]
Announcing Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, Request for Comments, and Public Workshop on Revised Draft FIPS 201-2
AGENCY: National Institute of Standards and Technology (NIST), Commerce.
ACTION: Notice and request for comments.
SUMMARY: The National Institute of Standards and Technology (NIST) announces the Revised Draft Federal Information Processing Standard (FIPS) Publication 201-2, "Personal Identity Verification of Federal Employees and Contractors," for public review and comment. The draft standard, designated "Revised Draft FIPS 201-2," is proposed to supersede FIPS 201-1. NIST will hold a public workshop at NIST in Gaithersburg, Maryland, to present the Revised Draft FIPS 201-2. Please see admittance instructions in the SUPPLEMENTARY INFORMATION section below.
DATES: Comments must be received by Friday, August 10, 2012. The public workshop will be held on Wednesday, July 25, 2012. Preregistration must be completed by 5:00 p.m. Eastern Time on Wednesday, July 18, 2012.
ADDRESSES: Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on Revised Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic comments may be sent to: piv_comments@nist.gov. Anyone wishing to attend the workshop in person must pre-register at https://www.nist.gov/allevents.cfm. Additional workshop details and webcast will be available on the NIST Computer Security Resource Center Web site at https://csrc.nist.gov.
FOR FURTHER INFORMATION CONTACT: Hildegard Ferraiolo, (301) 975-6972, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930, email: hildegard.ferraiolo@nist.gov, or David Cooper, (301) 975-3194, email: david.cooper@nist.gov.
SUPPLEMENTARY INFORMATION: FIPS 201 was issued on April 8, 2005 (70 FR 17975), and in accordance with NIST policy was due for review in 2010. In consideration of technological advancement over the last five years and specific requests for changes from United States Government (USG) stakeholders, NIST determined that a revision of FIPS 201-1 (version in effect) was warranted. NIST received numerous change requests, some of which, after analysis and coordination with the Office of Management and Budget (OMB) and USG stakeholders, were incorporated in the Draft FIPS 201-2. Other change requests incorporated in the Draft FIPS 201-2 resulted from the 2010 Business Requirements Meeting held at NIST. The meeting focused on business requirements of federal departments and agencies. On March 8, 2011, a notice was published in the Federal Register (76 FR 12712), soliciting public comments on a proposed revision of FIPS 201-1 (hereafter referred to as the "2011 Draft"). During the public comment period, a public workshop was held at NIST on April 18-19, 2011, in order to present the 2011 Draft. NIST developed the Revised Draft FIPS 201-2 that is announced in this notice using the comments received in response to the March 8, 2011, notice.
Comments and questions regarding the 2011 Draft were submitted by 46 entities, composed of 25 U.S. federal government organizations, two state government organizations, one foreign government organization, 16 private sector organizations, and two private individuals. These comments have all been made available by NIST at https://csrc.nist.gov. None of the commenters opposed the approval of a revised standard. Some commenters asked for clarification of the text of the standard and/or recommended editorial and/or formatting changes. Other commenters suggested modifying the requirements. All of the suggestions, questions, and recommendations within the scope of this FIPS were carefully reviewed, and changes were made to the standard, where appropriate. Some commenters submitted questions or raised issues that were related but outside the scope of this FIPS. Comments that were outside the scope of this FIPS, but that were within the scope of one of the related Special Publications, were deferred for later consideration in the context of the revisions to the supporting Special Publications. The disposition of each comment that was received has been provided along with the comments at https://csrc.nist.gov.
The following is a summary and analysis of the comments received during the public comment period and NIST's responses to them:
Comment: Seven commenters stated that the document should be reorganized since it includes logical card characteristics in the section on physical card characteristics and it does not describe the requirements for the collection of biometric data until long after references to the biometric data are first made.
Response: Requirements for the collection of biometric data and recommendations for the maintenance of a chain-of-trust have been moved from Section 4 to the beginning of Section 2. Section 4 has also been reorganized to separate the requirements for the logical card characteristics from the requirements for the physical card characteristics.
Comment: The 2011 Draft proposed a secure messaging capability. Six commenters indicated that the proposed secure messaging capability needs to be enhanced in order to permit all functionality of the PIV Card to be accessible over the contactless interface of the card.
Response: The Revised Draft FIPS 201-2 introduces the concept of a virtual contact interface, over which all functionality of the PIV Card is accessible.
Comment: Seven commenters indicated that the standard needs to accommodate the Federal Government's movement towards mobile devices and permit the issuance of PIV Cards that have form factors other than the current International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 7810 (credit-card) form factor.
Response: The Revised Draft FIPS 201-2 continues to require every cardholder to be issued an ISO/IEC 7810 form factor PIV Card, but it introduces the ability to issue PIV derived credentials, which may be provisioned to devices other than an ISO/IEC 7810 form factor.
Comment: The 2011 Draft introduced iris images as an alternative to fingerprints for individuals from whom fingerprints cannot be collected. Three commenters suggested that the use of iris as an alternative is an undue burden. Six commenters noted that the 2011 Draft is unclear about how to address applicants from whom neither fingerprints nor iris images can be obtained.
Response: The Revised Draft FIPS 201-2 makes collection of iris images optional. During PIV Card issuance and maintenance processes a one-to-one biometric match is required. However, the Revised Draft FIPS 201-2 permits the use of automated iris or facial image matching when fingerprints are unavailable. In cases where iris or facial image data is not available or where the issuer does not support automated biometric comparison based on these types of biometrics, identity source documents may be used to verify the identity of the applicant or cardholder.
Comment: Twelve comments addressed the Lightweight Directory Access Protocol (LDAP) as a means to distribute certificates and Certificate Revocation Lists (CRLs). These comments indicated that LDAP is not used and the Hypertext Transfer Protocol (HTTP) is now considered the preferred option to distribute certificates and CRLs.
Response: The Revised Draft FIPS 201-2 removes the requirement to distribute certificates and CRLs via LDAP, but continues to require conformance to the "X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Provider (SSP) Program," which can be updated as necessary to account for changes in technology.
Comment: Ten comments indicated that the requirements for issuing PIV Cards to applicants during the grace period are unclear and appear to conflict with guidance from the Office of Personnel Management (OPM) with respect to requirements for background re-investigations.
Response: The section describing the grace period has been rewritten to clarify the requirements and to make it clear that background re-investigations only need to be performed if required, in accordance with OPM guidance.
Comment: Twelve commenters noted that the difference between reissuance and renewal of PIV Cards is unclear.
Response: The Revised Draft FIPS 201-2 indicates that PIV Card renewal applies when a valid PIV Card is replaced with a new card and that PIV Card reissuance applies when a new PIV Card is issued to replace a lost, stolen, or damaged card. PIV Card reissuance also applies when a card is replaced because one or more of its logical credentials have been compromised.
Comment: Four commenters indicated that Federal agencies should be able to perform Personal Identification Number (PIN) resets without requiring cardholders to appear in person before a card issuer. It is unclear whether remote resets are permitted in the 2011 Draft.
Response: The requirements for resetting PINs have been rewritten in the Revised Draft FIPS 201-2. The Revised Draft FIPS 201-2 specifies different requirements for resetting a PIN depending on whether the PIN is reset in-person at an issuer's facility, at an unattended issuer-operated kiosk, or remotely from a general computing platform (e.g., desktop or laptop).
Comment: FIPS 201-1 and the 2011 Draft describe two very weak authentication mechanisms as providing some assurance in the identity of the cardholder: visual inspection of the PIV Card by a human guard (VIS) and reading the cardholder unique identifier from the card (CHUID). Fifteen comments were received about the CHUID and VIS authentication mechanisms indicating that the use of these two authentication mechanisms should be deprecated.
Response: The Revised Draft FIPS 201-2 states that the VIS and CHUID authentication mechanisms provide little or no assurance in the identity of the cardholder. The Revised Draft FIPS 201-2 also deprecates the use of the CHUID authentication mechanism.
Comment: The 2011 Draft defines some authentication mechanisms that may be difficult or impossible for individuals with certain disabilities to perform. Three commenters noted that the 2011 Draft does not clearly indicate what departments and agencies need to do to accommodate individuals with disabilities.
Response: The processes for issuing, reissuing, renewing, and resetting PIV Cards have been updated to include new options for authenticating the cardholder in the case that authentication cannot be performed using a match of either fingerprints or iris images. While Revised Draft FIPS 201-2 describes authentication mechanisms that can be implemented using the PIV Card, which may be used to authenticate individuals who are attempting to gain physical access to federally controlled facilities or logical access to federally controlled information systems, it is the responsibility of departments and agencies developing access control systems to choose the authentication mechanisms that are appropriate for their systems. The Revised Draft FIPS 201-2 includes a reminder to departments and agencies that when implementing PIV systems they should consider provisions to accommodate employees and contractors with disabilities in accordance with Section 508 of the Rehabilitation Act.
Comment: Information about card topography is currently split between the 2011 Draft and NIST Special Publication 800-104, A Scheme for PIV Visual Card Topography. Three commenters noted that it would be clearer if all of this information is consolidated in one document.
Response: All of the information from Special Publication 800-104 has been incorporated into the Revised Draft FIPS 201-2, and Special Publication 800-104 will be withdrawn after FIPS 201-2 has been approved. As a result of incorporating Special Publication 800-104 into Revised Draft FIPS 201-2, the employee affiliation color-coding and the large expiration date in the upper right-hand corner of the card are now mandatory. Revised Draft FIPS 201-2 also now states that the "Federal Emergency Response Official" indicator or country of citizenship information, when present, shall be indicated at the bottom of the card.
Comment: Three commenters noted that there is no information on adoption/migration between versions of FIPS 201 and that guidance is needed to distinguish which version of FIPS 201 was used to issue a given card. Seven commenters also pointed out that guidance is needed on the adoption/migration of new features.
Response: The version management for PIV Cards and middleware will be addressed in revisions to Special Publication 800-73, Interfaces for Personal Identity Verification. New features of FIPS 201-2 that depend upon the release of new or revised NIST Special Publications are effective immediately upon final publication of the supporting Special Publication. A timetable to achieve compliance with FIPS 201-2 has been coordinated with OMB and is included in the Revised Draft FIPS 201-2.
Comment: One commenter noted that the chain-of-trust introduces a new requirement that is cost-prohibitive to implement.
Response: The chain-of-trust is optional in the Revised Draft FIPS 201-2. The concept of chain-of-trust was requested by federal agencies as a cost savings measure that streamlines current practices for issuance, reissuance, and renewal procedures. Agencies can use their internally defined enrollment data records as the means to implement the chain-of-trust. The Revised Draft FIPS 201-2 only requires specific formats and structures for the import and export of chain-of-trust records for agencies choosing to implement interagency transfer of enrollment data records.
Comment: Six commenters noted that it is unclear what type of data is part of the chain-of-trust records.
Response: In the Revised Draft FIPS 201-2, the section describing the chain-of-trust includes recommendations for the type of data to be collected and included in the chain-of-trust.
Comment: Five commenters noted that in addition to printing the facial image on the card, most issuers today also store the facial image electronically in the chip on the card. FIPS 201-2 should make this mandatory in order to provide a low cost alternative for cardholder identification and authentication.
Response: As requested by federal agencies, Revised Draft FIPS 201-2 defines the facial image as part of the HSPD-12 "common identification" credential by including it as one of the core mandatory logical credentials of the PIV Card. The digital signature key and key management key are also included as core mandatory credentials of the PIV Card. These additional changes were requested by OMB in order to align the Revised Draft FIPS 201-2 with the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.
Comment: Seven commenters requested that the Universally Unique Identifier (UUID) be made mandatory for interoperability between PIV and PIV-Interoperable (PIV-I) ecosystems.
Response: In response to the many similar comments, the Revised Draft FIPS 201-2 specifies the UUID as a mandatory unique identifier for the PIV Card, in addition to the Federal Agency Smart Credential Number (FASC-N).
Comment: Many federal employees and contractors prefer to be known by a professional name that is different from the name used in their personal lives. Three commenters requested that FIPS 201-2 permit the cardholder's professional name to be printed on the PIV Card rather than the name appearing on the cardholder's identity source documents.
Response: NIST raised this issue with OMB, which is responsible for making decisions on this type of issue. Because the PIV Card is an official USG issued card, OMB determined that the name that appears on the PIV Card must be the name that has been verified through identity source documents.
Comment: One commenter requested that the Revised Draft FIPS 201-2 should reaffirm that PIV Card Issuers' self-accreditation as specified in SP 800-79, Guidelines for the Accreditation of Personal Identity Verification Card Issuers, remains in effect.
Response: The Revised Draft FIPS 201-2 clarifies that self-accreditation as per SP 800-79 continues to be acceptable, so long as it is supplemented by a third-party accreditation review.
Comment: Three commenters stated that requiring a biometric match between the full set of fingerprints collected for law enforcement checks and the two fingerprints collected for placement on the PIV Card is an undue burden since these two sets of fingerprints are commonly collected on two different systems that are not integrated.
Response: The Revised Draft FIPS 201-2 makes it clear that a biometric match is only required if the two sets of fingerprints are collected on separate occasions, and is not required if the two sets are collected at the same time on different systems. The Revised Draft FIPS 201-2 also clarifies that a full set of fingerprints does not need to be collected from an applicant if a completed and favorably adjudicated National Agency Check with Written Inquiries (NACI) (or equivalent or higher) or Tier 1 or higher federal background investigation can be located and referenced for the individual.
Comment: Four commenters noted that Federal agencies should be permitted to register PIV-Interoperable (PIV-I) credentials in lieu of issuing PIV credentials provided that attributes such as successful completion of a NACI can be electronically validated.
Response: HSPD-12 specifies that agencies shall use "secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)." The use of an externally issued credential, such as a PIV-I credential, as an alternative to issuing a PIV Card, would not be consistent with HSPD-12.
FIPS 201-1 and Revised Draft FIPS 201-2 are available electronically from the NIST Web site at: https://csrc.nist.gov/publications/fips/index/html.
Public Workshop: NIST will hold a public workshop on Revised Draft FIPS 201-2 on Wednesday, July 25, 2012, at NIST in Gaithersburg, Maryland. The workshop may also be attended remotely via webcast. The agenda, webcast, and related information for the public workshop will be available before the workshop on the NIST Computer Security Resource Center Web site at https://csrc.nist.gov. This workshop is not being held in anticipation of a procurement activity. Anyone wishing to attend the workshop in person must pre-register at https://www.nist.gov/allevents.cfm by 5:00 p.m. Eastern Time on July 18, 2012, in order to enter the NIST facility and attend the workshop.
Authority: In accordance with the Information Technology Management Reform Act of 1996 (Pub. L. 104-106) and the Federal Information Security Management Act of 2002 (FISMA) (Pub. L. 107-347), the Secretary of Commerce is authorized to approve Federal Information Processing Standards (FIPS). Homeland Security Presidential Directive (HSPD) 12, entitled "Policy for a Common Identification Standard for Federal Employees and Contractors," dated August 27, 2004, directed the Secretary of Commerce to promulgate, by February 27, 2005, "* * * a Federal standard for secure and reliable forms of identification (the 'Standard') * * *," and further directed that the Secretary of Commerce "shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies."
E.O. 12866: This notice has been determined to be not significant for purposes of E.O. 12866.
Dated: July 2, 2012.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2012-16725 Filed 7-6-12; 8:45 am]
BILLING CODE 3510-13-P
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric Administration
Proposed Information Collection; Comment Request; Application for Appointment in the NOAA Commissioned Officer Corps
AGENCY: National Oceanic and Atmospheric Administration (NOAA), Commerce.
ACTION: Notice.
SUMMARY: The Department of Commerce, as part of its continuing effort to reduce paperwork and respondent burden, invites the general public and other Federal agencies to take this opportunity to comment on proposed and/or continuing information collections, as required by the Paperwork Reduction Act of 1995.
DATES: Written comments must be submitted on or before September 7, 2012.
ADDRESSES: Direct all written comments to Jennifer Jessup, Departmental Paperwork Clearance Officer, Department of Commerce, Room 6616, 14th and Constitution Avenue NW., Washington, DC 20230 (or via the Internet at JJessup@doc.gov).
FOR FURTHER INFORMATION CONTACT: Requests for additional information or copies of the information collection instrument and instructions should be directed to Eric Johnson, (301) 713-7727 or NOAACorps.recruiting@noaa.gov.
SUPPLEMENTARY INFORMATION:
I. Abstract
This request is for extension of a currently approved information collection. The NOAA Commissioned Corps is the uniformed component of the National Oceanic and Atmospheric Administration (NOAA), a bureau of the Department of Commerce. Officers serve under Senate-confirmed appointments and Presidential commissions (33 U.S.C. chapter 17, subchapter 1, sections 853 and 854). The NOAA Corps provides a cadre of professionals trained in engineering, earth sciences, oceanography, meteorology, fisheries science, and other related disciplines, who are dedicated to the service of their country and optimization of NOAA's missions to ensure the economic and physical well-being of the Nation. NOAA Corps officers serve in assignments throughout NOAA, as well as in each of NOAA's Line Offices (National Environmental Satellite, Data, and Information Service, National Marine Fisheries Service, National Ocean Service, National Weather Service, Office of Oceanic and Atmospheric Research, and Office of Program, Planning, and Integration).
Persons wishing to be considered for a NOAA Corps Commission must submit a complete application package, including NOAA Form 56-42, at least three letters of recommendation, and official transcripts. A personal interview must also be conducted. Eligibility requirements include a bachelor's degree with at least 48 credit hours of science, engineering, or other disciplines related to NOAA's missions (including either calculus or physics), excellent health, normal color vision with uncorrected visual acuity no worse than 20/400 in each eye (correctable to 20/20), and ability to complete 20 years of active duty commissioned service prior to their 62nd birthday.
II. Method of Collection
Applicants must utilize the E-recruit electronic application process (https://cpc.omao.noaa.gov/erecruit/login.jsp) and then submit paper forms via mail. An in-person interview is also required.
III. Data
OMB Control Number: 0648-0047.
Form Number: NOAA 56-42, 56-42A.
Type of Review: Regular submission (extension of a currently approved collection).
Affected Public: Individuals or households.
Estimated Number of Respondents: 1,800.
Estimated Time per Response: written applications, 2 hours; interviews, 5 hours; references, 15 minutes.
Estimated Total Annual Burden Hours: 2,475.
Estimated Total Annual Cost to Public: $21,750 in recordkeeping/reporting and travel costs.
IV. Request for Comments
Comments are invited on: (a) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency's estimate of the burden (including hours and cost) of the proposed collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology.
Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval of this information collection; they also will become a matter of public record.
Dated: July 2, 2012.
Gwellnar Banks,
Management Analyst, Office of the Chief Information Officer.
[FR Doc. 2012-16608 Filed 7-6-12; 8:45 am]
BILLING CODE 3510-12-P
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric Administration
RIN 0648-XC084
Fisheries of the Exclusive Economic Zone Off Alaska; Notice of Public Workshop for Bering Sea and Aleutian Islands Crab Economic Data Reports
AGENCY: National Marine Fisheries Service (NMFS), National Oceanic and Atmospheric Administration (NOAA), Commerce.
ACTION: Notice of public workshop.
SUMMARY: NMFS and the Alaska Fishery Science Center (AFSC) will hold a public workshop in Seattle, WA, to review draft revisions to the Bering Sea and Aleutian Islands (BSAI) Crab Economic Data Reports (EDR) currently required from catcher vessels, catcher/processors, shoreside processors, and stationary floating crab processors participating in the BSAI Crab Rationalization Program.
DATES: The workshop will be held on Friday, July 20, 2012, from 9 a.m. to 5 p.m. Pacific Daylight Time.
Agencies
[Federal Register Volume 77, Number 131 (Monday, July 9, 2012)]
[Notices]
[Pages 40338-40341]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-16725]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 120608158-2158-01]
Announcing Revised Draft Federal Information Processing Standard
(FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees
and Contractors, Request for Comments, and Public Workshop on Revised
Draft FIPS 201-2
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice and request for comments.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
announces the Revised Draft Federal Information Processing Standard
(FIPS) Publication 201-2, ``Personal Identity Verification of Federal
Employees and Contractors,'' for public review and comment. The draft
standard, designated ``Revised Draft FIPS 201-2,'' is proposed to
supersede FIPS 201-1. NIST will hold a public workshop at NIST in
Gaithersburg, Maryland, to present the Revised Draft FIPS 201-2. Please
see admittance instructions in the SUPPLEMENTARY INFORMATION section
below.
DATES: Comments must be received by Friday, August 10, 2012. The public
workshop will be held on Wednesday, July 25, 2012. Preregistration must
be completed by 5:00 p.m. Eastern Time on Wednesday, July 18, 2012.
ADDRESSES: Written comments may be sent to: Chief, Computer Security
Division, Information Technology Laboratory, ATTN: Comments on Revised
Draft FIPS 201-2, National Institute of Standards and Technology, 100
Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic
comments may be sent to: piv_comments@nist.gov. Anyone wishing to
attend the workshop in person, must pre-register at https://www.nist.gov/allevents.cfm. Additional workshop details and webcast
will be available on the NIST Computer Security Resource Center Web
site at https://csrc.nist.gov.
FOR FURTHER INFORMATION CONTACT: Hildegard Ferraiolo, (301) 975-6972,
National Institute of Standards and Technology, 100 Bureau Drive, Mail
Stop 8930, Gaithersburg, MD 20899-8930, email:
hildegard.ferraiolo@nist.gov, or David Cooper, (301) 975-3194, email:
david.cooper@nist.gov.
SUPPLEMENTARY INFORMATION: FIPS 201 was issued on April 8, 2005 (70 FR
17975), and in accordance with NIST policy was due for review in 2010.
In consideration of technological advancement over the last five years
and specific requests for changes from United States Government (USG)
stakeholders, NIST determined that a revision of FIPS 201-1 (version in
effect) was warranted. NIST received numerous change requests, some of
which, after analysis and coordination with Office of Management and
Budget (OMB) and USG stakeholders, were incorporated in the Draft FIPS
201-2. Other change requests incorporated in the Draft FIPS 201-2
resulted from the 2010 Business Requirements Meeting held at NIST. The
meeting focused on business requirements of federal departments and
agencies. On March 8, 2011, a notice was published in the Federal
Register (76 FR 12712), soliciting public comments on a proposed
revision of FIPS 201-1 (hereafter referred to as the ``2011 Draft'').
During the public comment period, a public workshop was held at NIST on
April 18-19, 2011, in order to present the 2011 Draft. NIST developed
the Revised Draft FIPS 201-2 that is announced in this notice using the
comments received in response to the March 8, 2011, notice.
Comments and questions regarding the 2011 Draft were submitted by
46 entities, composed of 25 U.S. federal government organizations, two
state government organizations, one foreign government organization, 16
private sector organizations, and two private individuals. These
comments have all been made available by NIST at https://csrc.nist.gov.
None of the commenters opposed the approval of a revised standard. Some
commenters asked for clarification of the text of the standard and/or
recommended editorial and/or formatting changes. Other commenters
suggested modifying the requirements. All of the suggestions,
questions, and recommendations within the scope of this FIPS were
carefully reviewed, and changes were made to the standard, where
appropriate. Some commenters submitted questions or raised issues that
were related but outside the scope of this FIPS. Comments that were
outside the scope of this FIPS, but that were within the scope of one
of the related Special Publications, were deferred for later
consideration in the context of the revisions to the supporting Special
Publications. The disposition of each comment that was received has
been provided along with the comments at https://csrc.nist.gov.
The following is a summary and analysis of the comments received
during the public comment period and NIST's responses to them:
Comment: Seven commenters stated that the document should be
reorganized since it includes logical card characteristics in the
section on physical card characteristics and it does not describe the
requirements for the collection of biometric data until long after
references to the biometric data are first made.
Response: Requirements for the collection of biometric data and
recommendations for the maintenance of a chain-of-trust have been moved
from Section 4 to the beginning of Section 2. Section 4 has also been
reorganized to separate the requirements for the logical card
characteristics from the requirements for the physical card
characteristics.
Comment: The 2011 Draft proposed a secure messaging capability. Six
commenters indicated that the proposed secure messaging capability
needs to be enhanced in order to permit all functionality of the PIV
Card to be accessible over the contactless interface of the card.
Response: The Revised Draft FIPS 201-2 introduces the concept of a
virtual contact interface, over which all functionality of the PIV Card
is accessible.
Comment: Seven commenters indicated that the standard needs to
accommodate the Federal Government's movement towards mobile devices
and permit the issuance of PIV Cards that have form factors other than
the current International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC) 7810 (credit-card) form
factor.
Response: The Revised Draft FIPS 201-2 continues to require every
cardholder to be issued an ISO/IEC 7810 form factor PIV Card, but it
introduces the ability to issue PIV derived credentials, which may be
provisioned to devices other than an ISO/IEC 7810 form factor.
Comment: The 2011 Draft introduced iris images as an alternative to
fingerprints for individuals from whom fingerprints cannot be
collected. Three commenters suggested that the use of iris as an
alternative is an undue burden. Six commenters noted that the 2011
Draft is unclear about how to address applicants from whom neither
fingerprints nor iris images can be obtained.
Response: The Revised Draft FIPS 201-2 makes collection of iris
images optional. During PIV Card issuance and maintenance processes a
one-to-one biometric match is required. However, the Revised Draft FIPS
201-2 permits the use of automated iris or facial image matching when
fingerprints are unavailable. In cases where iris or facial image data
is not available or where the issuer does not support automated
biometric comparison based on these types of biometrics, identity
source documents may be used to verify the identity of the applicant or
cardholder.
Comment: Twelve comments addressed the Lightweight Directory Access
Protocol (LDAP) as a means to distribute certificates and Certificate
Revocation Lists (CRLs). These comments indicated that LDAP is not used
and the Hypertext Transfer Protocol (HTTP) is now considered the
preferred option to distribute certificates and Certificate Revocation
Lists (CRLs).
Response: The Revised Draft FIPS 201-2 removes the requirement to
distribute certificates and CRLs via LDAP, but continues to require
conformance to the ``X.509 Certificate and Certificate Revocation List
(CRL) Extensions Profile for the Shared Service Provider (SSP)
Program,'' which can be updated as necessary to account for changes in
technology.
Comment: Ten comments indicated that the requirements for issuing
PIV Cards to applicants during the grace period are unclear and appear
to conflict with guidance from the Office of Personnel Management (OPM)
with respect to requirements for background re-investigations.
Response: The section describing the grace period has been
rewritten to clarify the requirements and to make it clear that
background re-investigations only need to be performed if required, in
accordance with OPM guidance.
Comment: Twelve commenters noted that the difference between
reissuance and renewal of PIV Cards is unclear.
Response: The Revised Draft FIPS 201-2 indicates that PIV Card
renewal applies when a valid PIV Card is replaced with a new card and
that PIV Card reissuance applies when a new PIV Card is issued to
replace a lost, stolen, or damaged card. PIV Card reissuance also
applies when a card is replaced because one or more of its logical
credentials have been compromised.
Comment: Four commenters indicated that Federal agencies should be
able to perform Personal Identification Number (PIN) resets without
requiring cardholders to appear in person before a card issuer. It is
unclear whether remote resets are permitted in the 2011 Draft.
Response: The requirements for resetting PINs have been rewritten
in the Revised Draft FIPS 201-2. The Revised Draft FIPS 201-2 specifies
different requirements for resetting a PIN depending on whether the PIN
is reset in-person at an issuer's facility, at an unattended issuer-operated kiosk, or remotely from a general computing platform (e.g.,
desktop or laptop).
Comment: FIPS 201-1 and the 2011 Draft describe two very weak
authentication mechanisms as providing some assurance in the identity
of the cardholder: Visual inspection of the PIV Card by a human guard
(VIS) and reading the cardholder unique identifier from the card
(CHUID). Fifteen comments were received about the CHUID and VIS
authentication mechanisms indicating that the use of these two
authentication mechanisms should be deprecated.
Response: The Revised Draft FIPS 201-2 states that the VIS and
CHUID authentication mechanisms provide little or no assurance in the
identity of the cardholder. The Revised Draft FIPS 201-2 also
deprecates the use of the CHUID authentication mechanism.
Comment: The 2011 Draft defines some authentication mechanisms that
may be difficult or impossible for individuals with certain
disabilities to perform. Three commenters noted that the 2011 Draft
does not clearly indicate what departments and agencies need to do to
accommodate individuals with disabilities.
Response: The processes for issuing, reissuing, renewing, and
resetting PIV Cards have been updated to include new options for
authenticating the cardholder in the case that authentication cannot be
performed using a match of either fingerprints or iris images. While
Revised Draft FIPS 201-2 describes authentication mechanisms that can
be implemented using the PIV Card, which may be used to authenticate
individuals who are attempting to gain physical access to federally
controlled facilities or logical access to federally controlled
information systems, it is the responsibility of departments and
agencies developing access control systems to choose the authentication
mechanisms that are appropriate for their systems. The Revised Draft
FIPS 201-2 includes a reminder to departments and agencies that when
implementing PIV systems they should consider provisions to accommodate
employees and contractors with disabilities in accordance with Section
508 of the Rehabilitation Act.
Comment: Information about card topography is currently split
between the 2011 Draft and NIST Special Publication 800-104, A Scheme
for PIV Visual Card Topography. Three
commenters noted that it would be clearer if all of this information is
consolidated in one document.
Response: All of the information from Special Publication 800-104
has been incorporated into the Revised Draft FIPS 201-2, and Special
Publication 800-104 will be withdrawn after FIPS 201-2 has been
approved. As a result of incorporating Special Publication 800-104 into
Revised Draft FIPS 201-2, the employee affiliation color-coding and the
large expiration date in the upper right-hand corner of the card are
now mandatory. Revised Draft FIPS 201-2 also now states that the
``Federal Emergency Response Official'' indicator or country of
citizenship information, when present, shall be indicated at the bottom
of the card.
Comment: Three commenters noted that there is no information on
adoption/migration between versions of FIPS 201 and that guidance is
needed to distinguish which version of FIPS 201 was used to issue a
given card. Seven commenters also pointed out that guidance is needed
on the adoption/migration of new features.
Response: The version management for PIV Cards and middleware will
be addressed in revisions to Special Publication 800-73, Interfaces for
Personal Identity Verification. New features of FIPS 201-2 that depend
upon the release of new or revised NIST Special Publications are
effective immediately upon final publication of the supporting Special
Publication. A timetable to achieve compliance with FIPS 201-2 has been
coordinated with OMB and is included in the Revised Draft FIPS 201-2.
Comment: One commenter noted that the chain-of-trust introduces a
new requirement that is cost-prohibitive to implement.
Response: The chain-of-trust is optional in the Revised Draft FIPS
201-2. The concept of chain-of-trust was requested by federal agencies
as a cost savings measure that streamlines current practices for
issuance, reissuance, and renewal procedures. Agencies can use their
internally defined enrollment data records as the means to implement
the chain-of-trust. The Revised Draft FIPS 201-2 only requires specific
formats and structures for the import and export of chain-of-trust
records for agencies choosing to implement interagency transfer of
enrollment data records.
Comment: Six commenters noted that it is unclear what type of data
is part of the chain-of-trust records.
Response: In the Revised Draft FIPS 201-2, the section describing
the chain-of-trust includes recommendations for the type of data to be
collected and included in the chain-of-trust.
Comment: Five commenters noted that in addition to printing the
facial image on the card, most issuers today also store the facial
image electronically in the chip on the card. FIPS 201-2 should make
this mandatory in order to provide a low cost alternative for
cardholder identification and authentication.
Response: As requested by federal agencies, Revised Draft FIPS 201-2 defines the facial image as part of HSPD-12 ``common identification''
credential by including it as one of the core mandatory logical
credentials of the PIV Card. The digital signature key and key
management key are also included as core mandatory credentials of the
PIV Card. These additional changes were requested by OMB in order to
align the Revised Draft FIPS 201-2 with the Federal Identity,
Credential, and Access Management (FICAM) Roadmap and Implementation
Guidance.
Comment: Seven commenters requested that the Universally Unique
Identifier (UUID) be made mandatory for interoperability between PIV
and PIV-Interoperable (PIV-I) ecosystems.
Response: In response to the many similar comments, the Revised
Draft FIPS 201-2 specifies the UUID as a mandatory unique identifier
for the PIV Card, in addition to the Federal Agency Smart Credential
Number (FASC-N).
Comment: Many federal employees and contractors prefer to be known
by a professional name that is different from the name used in personal
lives. Three commenters requested that FIPS 201-2 permit the
cardholder's professional name to be printed on the PIV Card rather
than the name appearing on the cardholder's identity source documents.
Response: NIST raised this issue with OMB, which is responsible for
making decisions on this type of issue. Because the PIV Card is an
official USG issued card, OMB determined that the name that appears on
the PIV Card must be the name that has been verified through identity
source documents.
Comment: One commenter requested that the Revised Draft FIPS 201-2
should reaffirm that PIV Card Issuers' self-accreditation as specified
in SP 800-79, Guidelines for the Accreditation of Personal Identity
Verification Card Issuers, remains in effect.
Response: The Revised Draft FIPS 201-2 clarifies that self-accreditation as per SP 800-79 continues to be acceptable, so long as
it is supplemented by a third-party accreditation review.
Comment: Three commenters stated that requiring a biometric match
between the full set of fingerprints collected for law enforcement
checks and the two fingerprints collected for placement on the PIV Card
is an undue burden since these two sets of fingerprints are commonly
collected on two different systems that are not integrated.
Response: The Revised Draft FIPS 201-2 makes it clear that a
biometric match is only required if the two sets of fingerprints are
collected on separate occasions, and is not required if the two sets
are collected at the same time on different systems. The Revised Draft
FIPS 201-2 also clarifies that a full set of fingerprints does not need
to be collected from an applicant if a completed and favorably
adjudicated National Agency Check with Written Inquiries (NACI) (or
equivalent or higher) or Tier 1 or higher federal background
investigation can be located and referenced for the individual.
Comment: Four commenters noted that Federal agencies should be
permitted to register PIV-Interoperable (PIV-I) credentials in lieu of
issuing PIV credentials provided that attributes such as successful
completion of a NACI can be electronically validated.
Response: HSPD-12 specifies that agencies shall use ``secure and
reliable forms of identification issued by the Federal Government to
its employees and contractors (including contractor employees).'' The
use of an externally issued credential, such as a PIV-I credential, as
an alternative to issuing a PIV Card, would not be consistent with
HSPD-12.
FIPS 201-1 and Revised Draft FIPS 201-2 are available
electronically from the NIST Web site at: https://csrc.nist.gov/publications/fips/.
Public Workshop: NIST will hold a public workshop on Revised Draft
FIPS 201-2 on Wednesday, July 25, 2012, at NIST in Gaithersburg,
Maryland. The workshop may also be attended remotely via webcast. The
agenda, webcast, and related information for the public workshop will
be available before the workshop on the NIST Computer Security Resource
Center Web site at https://csrc.nist.gov. This workshop is not being
held in anticipation of a procurement activity. Anyone wishing to
attend the workshop in person must pre-register at https://www.nist.gov/allevents.cfm by 5:00 p.m. Eastern Time on July 18, 2012, in order to
enter the NIST facility and attend the workshop.
Authority: In accordance with the Information Technology Management Reform Act of 1996 (Pub. L. 104-106) and the Federal Information Security
Management Act of 2002 (FISMA) (Pub. L. 107-347), the Secretary of
Commerce is authorized to approve Federal Information Processing
Standards (FIPS). Homeland Security Presidential Directive (HSPD)
12, entitled ``Policy for a Common Identification Standard for
Federal Employees and Contractors,'' dated August 27, 2004, directed
the Secretary of Commerce to promulgate, by February 27, 2005, ``* * * a Federal standard for secure and reliable forms of identification (the `Standard') * * *,'' and further directed that the Secretary of
Commerce ``shall periodically review the Standard and update the
Standard as appropriate in consultation with the affected
agencies.''
E.O. 12866: This notice has been determined to be not significant
for purposes of E.O. 12866.
Dated: July 2, 2012.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2012-16725 Filed 7-6-12; 8:45 am]
BILLING CODE 3510-13-P