NIST adds mobile flavor to revised draft HSPD-12 guidance

Monday - 7/9/2012, 3:09pm EDT

The National Institute of Standards and Technology wants to give agencies the option to issue derived credentials for use with mobile devices under Homeland Security Presidential Directive-12.

Agencies would create a secure representation of the HSPD-12 credential on a smartphone or tablet computer, which would then communicate with the back end systems giving the employee safe access to the network.

The option for derived credentials along with traditional identity-card security data is one of several changes NIST is proposing under the draft revised Federal Information Processing Standard 201-2. The agency released the first draft of the updated Personal Identity Verification (PIV) guidance in March 2011 and reviewed more than 91 comments to develop the draft update FIPS.

"The revised draft FIPS 201-2 continues to require every cardholder to be issued an ISO/IEC 7810 form factor PIV card, but it introduces the ability to issue PIV derived credentials, which may be provisioned to devices other than an ISO/IEC 7810 form factor," NIST wrote in the response to the comments on derived credentials.

NIST will hold a public workshop July 25 in Gaithersburg, Md., to discuss this and the other revisions.

In addition to the mobile change, NIST is recommending the use of a virtual contact interface for the secure messaging capability. NIST said the use of VCI would let user access all the functionality of the PIV Card.

Comments on draft called for clarification

A dozen commenters asked NIST to clarify the difference between reissuance and renewal of PIV Cards.

NIST said "renewal applies when a valid PIV Card is replaced with a new card and that PIV Card reissuance applies when a new PIV Card is issued to replace a lost, stolen, or damaged card. PIV Card reissuance also applies when a card is replaced because one or more of its logical credentials have been compromised."

The revised FIPS 201-2 comes as agencies are under pressure from the Office of Management and Budget for employees to use the smart identity cards to log onto their computer networks. OMB and the Homeland Security Department issued a memo in February 2011 requiring agencies to use their HSPD-12 cards for logical access for all current systems by fiscal 2012.

The Government Accountability Office reported in September that the agencies they reviewed made limited progress in using the secure ID cards for computer access.

This story is part of Federal News Radio's daily Cybersecurity Update. For more cybersecurity news, click here.

RELATED STORIES:

NIST's new standard to bring HSPD-12 to smartphones

Agencies struggle to grasp mobile cybersecurity

Agencies using HSPD-12 as 'glorified ID cards'

Exclusive: DHS mandates HSPD-12 card use