2.2 Non-Federal adoption of PIV cards
While PIV cards are designed for Federal agencies, there are variants of the PIV technology that are used by non-Federal organizations: PIV-I and CIV.
2.2.1 PIV Interoperable (PIV-I)
The Personal Identity Verification (PIV) initiative is garnering a great deal of interest from parties external to the Federal government. These non-federal organizations want to issue identity cards that are technically interoperable with Federal government PIV systems, and issued in a manner that allows Federal government relying parties to trust the cards.
The Federal CIO Council has defined a set of minimum requirements that will enable trust of non-federally issued identity cards (PIV Interoperable, or PIV-I).
Note: Please refer to the document “Personal Identity Verification Interoperability For Non-Federal Issuers”, issued by the Federal CIO Council for full details of the requirements of PIV-I.
Use of the standardized PIV Card technology in private enterprises (Commercial Identity Verification, or CIV) is becoming commonplace. CIV issuers do not need to comply with the strict policy controls placed on PIV or PIV-I, but the cards and credentials they issue do not carry any of the trust that PIV and PIV-I cards have within the Federal government.
MyID can support issuance of cards for PIV, PIV-I and CIV from within the same installation, while still complying with the strict issuance policies required for PIV and PIV-I.
Non-Federal Issuers of PIV Interoperable cards must undertake identity proofing of each applicant for an identity card. This incorporates in-person appearance and verification of two independent ID documents or accounts and a current biometric (for example, photograph, fingerprints) in accordance with NIST SP 800-63, Assurance Level 4. The ‘National Agency Check with Written Inquiries (NACI)’, which is required prior to issuance of a PIV Card by a Federal Agency, is not needed.
A PIV Interoperable identity card:
- Will use a smart card platform that is technically compatible with National Institute of Standards and Technology (NIST) technical requirements.
- Is visually distinguishable from PIV Card and contains distinctive markings indicating the identity of the issuing entity, including:
  - Organizational Affiliation (if exists; otherwise the issuer of the card)
  - Card holder Facial Image
  - Card holder Full Name
  - Card Expiration Date.
- Is electronically personalized, as defined by Federal Bridge Certification Authority (FBCA) policy, and will include:
  - Fingerprints
  - Card Holder Unique Identifier (CHUID) including the Universally Unique Identifier (UUID)
  - Authentication PKI Certificate (see note below), including the Universally Unique Identifier (UUID) in the subject-alt-name
  - Card Authentication PKI Certificate
  - Facial Image
  - Security Object
  - Card Capability Container.
Note: The PIV Authentication Certificate is where “trust” in the PIV Card resides. However, the policy object identifier (OID) for the PIV Authentication Certificate is available only to Federal government organizations. Therefore, Non-Federal Issuers (NFIs) must identify and use a comparable Identity PKI Authentication Certificate that can be trusted by Federal government relying parties. It must also be issued by a Certificate Authority (CA) that is cross-certified with the Federal Bridge Certification Authority (FBCA).
2.2.2 Commercial Identity Verification (CIV)
A CIV card is effectively the same as a PIV Interoperable (PIV-I) card but does not require certificates that are issued by a CA cross-certified with the Federal Bridge Certification Authority (FBCA), or enrollment using an identity verification process that meets NIST SP 800-63, Assurance Level 4.
MyID can issue CIV cards with certificates only (that is, with no personalization of the PIV applet within the card) or, if required, can personalize the PIV applet. While all supported features of the PIV applet are available, certain data elements such as the FASCN are not permitted to be used. See section 5.4, Setting up the credential profile, for details of configuring a credential profile in MyID to issue a CIV card.