Title: PIV I
Slide 1: PIV I
- Ketan Mehta
- Ketan.mehta_at_nist.gov
- May 5, 2005
Slide 2: PIV I
- What does it mean to agencies
- Role-based vs. System-based Models
- Moving forward
Slide 3: What does PIV I mean to agencies?
PIV I requires
- Credentials may be issued by an authorized entity only to individuals whose true identity has been verified
- Only an individual with a background investigation on record may be issued a credential
- Fraudulent identity source documents are not accepted as genuine and unaltered
- A person suspected or known to the government as being a terrorist is not issued a credential
- No substitution occurs in the identity proofing process
- No credential is issued unless requested by proper authority
- A credential remains serviceable only up to its expiration date
- A single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential
- An issued credential is not modified, duplicated, or forged
- Separation of roles

PIV I does not specify
- A particular card technology
- Requirements for fingerprint biometrics
- Composition of the identity credentials
- Roles within an agency
- Identity proofing process or implementation models
- Integration of physical and logical access security
Slide 4: Role-based Model
- Applicant: The individual to whom a PIV credential needs to be issued.
- PIV Sponsor: The individual who substantiates the need for a PIV credential to be issued to the Applicant, and provides sponsorship to the Applicant. The PIV Sponsor requests the issuance of a PIV credential to the Applicant.
- PIV Registrar: The entity responsible for identity proofing of the Applicant and ensuring the successful completion of the background checks. The PIV Registrar provides the final approval for the issuance of a PIV credential to the Applicant.
- PIV Issuer: The entity that performs credential personalization operations and issues the identity credential to the Applicant after all identity proofing, background checks, and related approvals have been completed. The PIV Issuer is also responsible for maintaining records and controls for PIV credential stock to ensure that stock is only used to issue valid credentials.
Slide 5: System-based Model
[Diagram: Employee Application and Employee Enrolls flow through Employer / Sponsorship / Sponsor, Approval Authority / Registrar, and Issuer - Card Activation / Issuer, with eight numbered steps. Numbers indicate functional areas of responsibility; green functions manage the chain of trust for identity verification.]
Slide 6: Understand your current environment
[Diagram: users (Employees, Partners, Customers) and multiple Administrators connected to separate applications and data (Email, Timesheets, Engineering, HR, Expense) and information systems resources.]
- User information fragmented, duplicated and obsolete
- Redundant processes
- Little to no visibility or auditability
Slide 7: Agencies should look to bring coherence to user identities, roles, privileges, and policies
- User Management: Sets up and maintains user accounts and privileges (Digital Identities)
- Credentialing: Assigns and manages attributes used to validate a user's identity (Credentials)
- Storage: Stores user credentials, privileges, and other attributes
- Authentication: Validates identities based on their credentials (Who you are)
- Authorization: Grants user access to resources based on a secondary set of attributes (What you can access)
[Diagram: Users on one side, Resources on the other, with the functions above between them.]
Slide 8: Only 20% of the planning involves technology
Slide 9: Agencies that adopt a strategy-based approach to their PIV investments will achieve the best return on their investment
Strategy-based approach produces maximum ROI

Define the Need: What is your current environment?
- What is your current baseline?
- Who is responsible for identity management in your agency?
- What are the current processes?
- What FIPS 201 objectives are not met in the current environment?
- What are the gap areas?

Architect the Solution: What form will your solution take?
- What are your architecture choices?
  - Insource / Outsource
  - Federation vs. Not Federated
  - Trust Path
- What is your migration strategy?

Manage Construction: How will you implement?
- What stages will your implementation follow?
- How will you leverage prototypes and pilots?
How will you manage?
- How will you manage the change program?
- How will you communicate changes to the organization?
- How will you mitigate program risks?