PIV was initially introduced by HSPD-12 (Homeland Security Presidential Directive 12), in August of 2004. However, it is just now that agencies are being mandated to comply with this directive. The first required delivery date that we know of for this functionality is March 31, 2018, by DOL. However, CMS, VA, Treasury BFS, IRS, OPM and DOI have told us that they will also need the functionality sometime in 2018.
• The concept of PIV Cards was initially introduced to establish a "common identification standard" for Federal Employees and Contractors. See reference at the following link: http://www.dhs.gov/homeland-security-presidential-directive-12
• The following link contains references and links to all of the current HSPD-12 documents and requirements, which have apparently been changed over the years: http://www.idmanagement.gov/homeland-security-presidential-directive-12
• The PIV Card requirement is specifically referenced by the FIPS 201-2 standard from March of 2006, last updated in August of 2013. The latest version is referenced at the following link: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf
• FIPS 201-2 requires Federal agencies to comply within 12 months of the last change date, which was 8/2013. However, that did not happen; we first started to hear about it from our Federal customers in 2015. In speaking with the DOI Team in 2015, they shared that PIV Cards are based on the Microsoft Smart Card Authentication Architecture, which is documented at the following link and includes a relationship diagram of the parts associated with the architecture: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
• The Microsoft Smart Card Authentication Architecture is based on the following PC/SC Workgroup standard: http://www.pcscworkgroup.com/specifications/overview.php
DOI explained that the PIV Card contains a userid and a certificate that are unique to each user. Here is the PIV Card workflow as it was explained to me:
1. The user inserts the PIV Card into a card reader that is attached to the workstation.
2. The user presses the CTRL+ALT+DEL keys at the same time.
3. Windows reads the card and asks for a PIN.
4. Once the correct PIN is entered, all of the information is validated. Validation is probably against AD/LDAP; however, the DOI folks on the call were not quite sure.
5. Once the user has been validated/authenticated and logs onto their workstation, they can access any applications that are enabled to use PIV Cards/AD/LDAP without having to enter logon information, because the logon information is apparently passed to the application from the initial logon to the workstation.
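To make steps 3 and 4 concrete at the card level, here is an added example (not code from DOI, Microsoft or this memo) of the PC/SC-style exchange a workstation performs with a PIV Card, using the NIST SP 800-73 APDUs: select the PIV application, read the PIV Authentication certificate that carries the user's identity, and verify the PIN that unlocks the card's private key. The card itself is a constructed in-memory stand-in (FakePivCard, PIN 123456, placeholder certificate bytes) so the code runs without a reader.

```python
# Added example (not the memo's code): the PC/SC-level PIV exchange behind steps 3-4, per NIST SP 800-73.
PIV_AID = bytes.fromhex("A000000308000010000100")  # PIV application identifier
CERT_PIV_AUTH = bytes.fromhex("5FC105")            # tag of the X.509 PIV Authentication certificate
SELECT_PIV = bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID  # SELECT the PIV application
def ber_len(b: bytes) -> bytes:  # BER-TLV length, short or long form
    n = len(b)
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def verify_pin(pin: str) -> bytes:  # VERIFY APDU: 6-8 ASCII digits, 0xFF-padded to 8 bytes
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV PIN must be 6-8 digits")
    return bytes([0x00, 0x20, 0x00, 0x80, 0x08]) + pin.encode() + b"\xff" * (8 - len(pin))

def get_data(tag: bytes) -> bytes:  # GET DATA APDU for one PIV data object
    body = b"\x5c" + bytes([len(tag)]) + tag
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(body)]) + body

def status(resp: bytes):  # decode the trailing status word SW1 SW2
    sw1, sw2 = resp[-2], resp[-1]
    if (sw1, sw2) == (0x90, 0x00): return "ok", None
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0: return "wrong-pin", sw2 & 0x0F  # retries left
    return ("blocked", 0) if (sw1, sw2) == (0x69, 0x83) else ("error-%02X%02X" % (sw1, sw2), None)

def tlv_parse(data: bytes) -> dict:  # BER-TLV reader for the single-byte tags used here
    out, i = {}, 0
    while i < len(data):
        tag, ln, i = data[i:i + 1], data[i + 1], i + 2
        if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
            n = ln & 0x7F; ln = int.from_bytes(data[i:i + n], "big"); i += n
        out[tag] = data[i:i + ln]; i += ln
    return out

class FakePivCard:  # constructed stand-in for a card in a reader: PIN 123456, 3 tries, dummy cert
    def __init__(self):
        self.pin, self.tries, self.cert = b"123456", 3, b"\x30\x82\x00\x04DUMMY"  # not a real cert
    def transmit(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == 0xA4: return b"\x90\x00" if apdu[5:] == PIV_AID else b"\x6a\x82"
        if ins == 0xCB:  # the auth cert is readable without a PIN; the PIN only unlocks the key
            inner = b"\x70" + ber_len(self.cert) + self.cert + b"\x71\x01\x00\xfe\x00"
            return b"\x53" + ber_len(inner) + inner + b"\x90\x00"
        if ins == 0x20 and self.tries == 0: return b"\x69\x83"  # PIN blocked
        if ins == 0x20 and apdu[5:].rstrip(b"\xff") == self.pin: self.tries = 3; return b"\x90\x00"
        if ins == 0x20: self.tries -= 1; return bytes([0x63, 0xC0 | self.tries])
        return b"\x6d\x00"  # instruction not supported

def card_logon(card, pin: str):  # workstation side of steps 3-4: select, read identity cert, verify PIN
    if status(card.transmit(SELECT_PIV))[0] != "ok": return "no-piv-app", None
    cert = tlv_parse(tlv_parse(card.transmit(get_data(CERT_PIV_AUTH))[:-2])[b"\x53"])[b"\x70"]
    outcome, tries = status(card.transmit(verify_pin(pin)))
    return ("ok", cert) if outcome == "ok" else (outcome, tries)
```

On a real card the certificate returned under tag 70 is the DER X.509 certificate whose subject identifies the user, which is what Windows maps to the AD account in step 4; a wrong PIN returns the remaining retry count in the status word, and the card blocks the PIN when it reaches zero.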
Since the PIV Card requirement is a DHS directive, this is something that we really need to incorporate into SEAS as quickly as possible, in order to handle the demand for this functionality, which is just starting and is likely to increase in the near future.