CIV cards: Just like PIV cards, but for the commercial market

PRINCETON JUNCTION, N.J.—With the goal of spreading adoption of smart card technology for physical access control, the Smart Card Alliance has embarked on an effort to define in a white paper best practices and characteristics of a highly secure smart card (like the PIV or PIV-I credential) for the commercial market.

To differentiate this commercial credential from its public-sector siblings, the Smart Card Alliance has named it the CIV (commercial identification verification) credential.

The private sector wants a “commercial off-the-shelf product that's been developed and tested and used,” said Randy Vanderhoof, executive director of the Smart Card Alliance, which is based here. “If the technology that's used commercially is the same technology that's used by the federal government, which has issued tens of millions of these cards, [there's a comfort level],” he said.

So what's the main difference between a CIV and a PIV credential?

Where the CIV and PIV solutions differ is that “not everyone who issues an identity credential needs all the security and policy features of the PIV card,” said Vanderhoof.

The white paper will be developed by the Physical Access Council, one of five SCA councils.

The alliance is just at the beginning stages of putting this research together. “Our target is November, when we hold our smart card alliance government conference. We hope to have a preliminary draft available by that time,” he said.

A review of terms here: FIPS 201 is a federal document entitled “Personal Identity Verification (PIV) of Federal Employees and Contractors.” That document describes the characteristics and authentication of PIV smart card credentials. HSPD-12 is the 2004 presidential directive that initiated the mandate that said all federal employees and contractors should have a common, secure credential for access to federal buildings.

There is also a “PIV-I card,” which is issued by government contractors or state and local governments. It meets all of the security features of a PIV card and is cross-certified so the federal government can trust the digital certification on that credential.

The federal government still has work to do with the common secure credential, namely ensuring that the cards are read electronically in all federal buildings, but it has already issued tens of millions of these cards.

As an industry association, the alliance won't be defining a standard for CIV cards, like the standard that exists for PIV cards. Rather, it will provide “guidance about what the industry has developed and applied in the federal and state government market that will work very effectively in the commercial market as well,” Vanderhoof said.

The idea, said Vanderhoof, is to supply a report that will be useful for end users “so they can ask intelligent questions of their commercial supplier [and integrator].”

The white paper also will be a “good roadmap for integrators and suppliers of technology,” he said. “They'll be able to measure readers, controller software, cards or card issuance [procedures] to see how that product or service matches up to the current level of sophistication [and to] what's considered to be the best practices in the industry.”

Lars Suneborn, chair of the Smart Card Alliance Physical Access Council, and Hirsh Electronics director, government program, said it's a “groundbreaking development for an enterprise to create a trust framework for an identity/access credential that may be authenticated in a similar way the federal government's PIV and PIV-I card are, but without the policy requirements inherent in inter-agency cross certification to the federal bridge.”

He envisions the CIV credential as filling a void between the traditional identity and access cards “that are often produced in repetitive, stove- piped operations at a local branch level of an enterprise.”

With few variations, traditional access cards have “little more than a printed name, photo and an identifier [magnetic stripe, or proximity technology] and are used for physical access at the local branch. Even within the enterprise, there is no implicit trust in these credentials outside the local branch where the card was created and issued.”

The CIV credential, on the other hand, can be “resistant to forgery, duplication and be authenticated and validated by a local access control system at any local branch office of the enterprise,” he said.

Gilles Lisimaque, a partner at Identification Technology Partners and a member of the SCA Physical Access Council, said there are a number of reasons why the private sector is looking at PIV-style solutions.

“Proprietary solutions are getting less and less secure. It is quite easy to find on the web kits to clone/generate simple unprotected access control cards. Security by obscurity is not acceptable anymore by many companies,” he said

He said that many companies, particularly international or multi-site, are looking for a secure credential that allows employees to log on to their site/computers as well as to access facilities. And many of the same companies are looking for interoperable solutions between their multiple sites allowing employees to carry only one badge.

“With the adoption of a unified standard by the federal government as well as the government contractors there is no more need to re-invent the wheel. Adopting some of the federal standard can save money and guarantee a multi-source of PACS-compatible elements (such as readers and cards).”

Suneborn said the main benefits of the CIV credential will be: “Reduction in redundant operations resulting in enhanced privacy of the credential holders and cost savings, and the resistance to forgery and duplication resulting in increased IT and physical security. An individual who separates from the corporation will have the CIV credential revoked and invalid at all branch offices in one operation.”

�“The need for strong authentication of identity credential is consistent across most enterprises,” Suneborn said. “A centralized identity assurance and validation infrastructure is today gaining acceptance in the commercial market. Corporate provisioning and access management are only some examples of streamlined functions that may be enhanced by using the authentication and validation mechanisms offered by the CIV and related infrastructure.”