PIV (Personal Identity Verification)

What is PIV (Personal Identity Verification)?

Personal Identity Verification (PIV) refers to the process of verifying an individual's identity using a government-issued credential. This credential, also commonly referred to as a PIV card, acts as a secure form of identification and authentication for access to federal facilities and information systems. Government contractors are often required to adhere to PIV requirements to maintain security and regulatory compliance.

Definition

PIV cards are smart cards issued by the U.S. Federal Government to employees and contractors, as mandated by Homeland Security Presidential Directive 12 (HSPD-12). They contain cryptographic keys and digital certificates that enable secure access to government facilities, networks, and applications. PIV authentication typically involves presenting the card and entering a PIN, thus ensuring two-factor authentication. Contractors must understand and comply with PIV requirements outlined in their contracts and relevant federal regulations, such as those issued by NIST. Failing to meet these requirements can result in denial of access, contract penalties, or even termination of the contract.

Key Points

• HSPD-12 Compliance: Adherence to Homeland Security Presidential Directive 12 (HSPD-12) is mandatory for government contractors requiring physical or logical access to federal facilities or systems.
• Secure Access: PIV cards facilitate secure access by employing multi-factor authentication. Contractors must integrate PIV authentication into their IT systems and access control mechanisms.
• Identity Proofing: Contractors must follow established identity proofing procedures during the PIV card issuance process. This includes verifying the individual's identity and background information to ensure the card is issued to the correct person.
• Credential Management: Contractors are responsible for managing the lifecycle of PIV cards issued to their employees. This involves activation, maintenance, renewal, and revocation of PIV credentials as needed.

Practical Examples

1. Facility Access: A contractor employee needs access to a secure government building to perform maintenance on equipment. The employee uses their PIV card to authenticate at the building's entrance, verifying their identity and authorization to enter.
2. System Access: A contractor needs to access a secure government network to upload deliverables. The contractor uses their PIV card to log in to the network, providing a strong form of authentication and ensuring only authorized personnel can access sensitive data.
3. Email Encryption: A contractor needs to send an encrypted email containing Controlled Unclassified Information (CUI) to a government employee. The contractor uses the digital certificate on their PIV card to encrypt the email, ensuring only the intended recipient with a valid PIV card can decrypt and read the message.