NIST SP800-79-1：联邦身份验证卡发行商认证指南

需积分: 6 129 浏览量更新于2024-07-16 收藏 825KB PDF 举报

"NIST SP800-79-1.pdf" 是一份由美国国家标准与技术研究所（NIST）发布的特殊出版物，旨在提供个人身份验证（PIV）卡发行商的认证指南。这份文档是针对国土安全总统指令12（HSPD-12）的回应，该指令要求联邦政府创建并使用一种跨机构的安全可靠的身份识别形式，以增强安全性、提高政府效率、减少身份欺诈并保护个人隐私。 HSPD-12的核心目标是建立一个联邦政策，确保身份证明： 1. 基于严格的身份验证标准发行。 2. 具有高度的防欺诈、防篡改和反假冒能力，防止恐怖主义利用。 3. 能够快速进行电子验证。 4. 只有经过官方认可的认证过程验证的提供商才能发行。 NIST响应此指令，发布了联邦信息处理标准（FIPS）201-1，即联邦员工和承包商的个人身份验证（PIV）。FIPS 201-1规定了政府个人身份验证、验证和访问控制系统的基础。此外，NIST还发布了一系列特殊出版物，提供了额外的规格和辅助信息，以支持HSPD-12的实施。 NIST SP800-79-1专注于PIV卡发行商的认证过程，确保这些卡片符合上述安全要求。它可能涵盖了认证流程、安全标准、数据保护措施、电子验证技术和发卡机构的评估准则。这份指南对于确保政府及其承包商的身份管理系统的安全性和可靠性至关重要，同时也对其他需要高安全身份验证的领域具有参考价值。该文档的作者包括Ramaswamy Chandramouli、Dennis Bailey、Nabil Ghadiali和Dennis Branstad，他们都是NIST信息安全计算机安全分部的专家，致力于通过技术领导和合作研究来促进美国经济的增长和工业竞争力，特别是在关键基础设施技术、测试方法、参考数据和前瞻性标准等领域，以推动信息科技的发展和有效使用。他们的工作旨在克服信息系统的可用性、可扩展性、互操作性和安全性方面的障碍。

2. THE FUNDAMENTALS

This chapter presents the fundamentals of Personal Identity Verification (PIV) Card Issuer (PCI)

accreditation including: (i) definitions of a PCI and a PCI Facility; (ii) outsourcing PCI services

or functions; (iii) the differences between assessment and accreditation; (iv) accreditation

boundaries of a PCI; (v) roles and responsibilities; (vi) the relationship between accreditation

under Special Publication (SP) 800-37 and SP 800-79-1; (vii) preparing for the assessment; (viii)

types of accreditation decisions; (ix) use of risk in the accreditation decision; and (x) the contents

of the accreditation package.

2.1 PCI

At the highest level, a PCI includes all functions required to produce, issue, and maintain PIV

Cards for an organization. A PCI is considered operational if all relevant roles and

responsibilities have been defined and appointed; suitable policies and compliant procedures

have been implemented for processes, including sponsorship, enrollment/identity proofing,

adjudication, card production, card activation/issuance, and maintenance; and information

system components that are utilized for performing the above-mentioned functions (processes)

have been assessed and shown to meet all technical and operational requirements prescribed in

FIPS 201-1 and related documents.

In order to comply with Homeland Security Presidential Directive 12 (HSPD-12), an

organization must first establish a PCI that conforms to and satisfies the requirements of FIPS

201-1 and related documents. The PCI must then be accredited (i.e., using the guidelines

specified in SP 800-79-1). An organization has certain flexibility in establishing a PCI. It may

outsource some of the required processes within its PCI. Large organizations with widely

varying missions for its operating units may even establish multiple PCIs. Regardless of how a

PCI is structured, the organization (e.g., Federal agency, Federal contractor) is responsible for

the management and oversight of the PCI and maintains full responsibility for the accreditation

of the PCI as required in HSPD-12.

A PCI must be completely described in its PCI operations plan. This comprehensive document

incorporates all the information about the PCI that is needed for any independent party to review

it and assess the capability and reliability of the PCI’s operations. A PCI operations plan includes

a description of the structure of the PCI, its facilities, any external service providers, the roles

and responsibilities within the PCI, policies and procedures which govern its operations, and a

description of how requirements of FIPS 201-1 are being met. A template for a PCI operations

plan is provided in Appendix D.

2.2 PCI Facilities

A PCI Facility (PCIF) is a physical site or location–including all equipment, staff, and

documentation–that is responsible for carrying out one or more of the following PIV functions:

(i) enrollment/identity proofing; (ii) card production; (iii) card activation/issuance; or (iv)

maintenance. A PCIF operates under the auspices of a PCI, and implements the policies and

executes procedures prescribed by the PCI for those functions sanctioned for the facility (e.g. an

enrollment/identity proofing facility).

Based on certain characteristics (e.g. size, geographic locations, the organization(s) that it

supports), a PCI may have its services and functions provided centrally or distributed across

multiple locations. Independent of how or where a PCI implements these functions, at least one

PCIF is required. For example, a geographically dispersed organization may decide to have

enrollment/identity proofing and card activation/issuance functions performed in different

facilities in different parts of the country so that applicants can minimize travel. In this example,

the different PCIFs fall under the purview (policy, management) of a single PCI which

encompasses all the functions necessary to issue PIV Cards. Within that PCI, the geographically

dispersed PCIFs have specific responsibilities and are under the direct management control of

the PCI.

2.3 Outsourcing of PCI Functions

An organization may out-source its PCI functions to one or more organizations. As the

complexity and cost of new technology increase, the organization may decide that the most

efficient and cost-effective solution for implementing HSPD-12 is to seek the services of an

external service provider. An external service provider may be a Government agency, a private

entity, or some other organization that offers services or functions necessary to issue PIV Cards.

Figure 1 provides an illustration of the functions that can be outsourced. Only the organization

which “owns” (i.e., manages, controls, or privately owns) the PCI can decide which of its

employees and contractors are required to apply for a PIV Card (Sponsorship – a responsible

official of the organization providing the biographic and organizational affiliation of the PIV

card applicant) and under what conditions the application will be approved (Adjudication – the

kind of background information that will form the basis for authorization for PIV Card Issuance).

Therefore, these two functions cannot be outsourced.

Figure 1 - Outsourcing of PCI Functions

A PCI which out-sources services to an external provider must make sure that all privacy-related

requirements are satisfied. The PCI is responsible for ensuring that privacy requirements are

being met both internally and by every external service provider.

If an organization’s management is considering using the services of a PCI set up by another

organization, the operations plan and associated documents, the accreditation decision and

evidence of implementation of FIPS 201-1 requirements of that PCI (service provider PCI) must

be reviewed. Similarly, if a PCI is using the services of an external service provider selectively

for one or more of its PCI processes, the provider’s capability to meet FIPS 201-1 requirements

for those processes must be reviewed as well. In both cases, the information gathered as part of

this review activity must be included as part of the PCI’s assessment leading to accreditation.

Outsourced functions must be assessed prior to accreditation of the PCI.

2.4 Assessment and Accreditation

HSPD-12 mandates that PIV Cards be “issued only by providers whose reliability has been

established by an official accreditation process.” This document contains guidelines for

satisfying the requirements for an official accreditation and provides a methodology that any

organization can utilize to formally accredit a PCI. This methodology consists of two major

elements–assessment and accreditation. While assessment and accreditation are very closely

related, they are two very distinct activities.

Assessment, which occurs before accreditation, is the process of gathering evidence regarding a

PCI’s satisfaction of the requirements of FIPS 201-1, both at the organization and facility level.

Assessment activities include interviews with PCI and PCIF personnel, a review of

documentation, observation of processes, and execution of tests to determine reliability of the

PCI. The result of the assessment is a report that serves as the basis for an appropriate

accreditation decision. The report is also the basis for developing corrective actions for removing

or mitigating discovered deficiencies.

Distinct from assessment, accreditation is the decision to authorize the operation of a PCI once it

has been established that the requirements of FIPS 201-1 have been met and the risks regarding

security and privacy are acceptable. The individual making the accreditation decision must be

knowledgeable of HSPD-12 and aware of the potential risks to the organization’s operations,

assets, and personnel (e.g., applicants, PCI Facility staff).

The assessment and the accreditation are both carried out by the organization that owns the PCI.

In order to make an informed, risk-based accreditation decision, the assessment process should

seek to answer the following questions:

• Has the PCI implemented the requirements of FIPS 201-1 in the manner consistent with

the standard?

• Do personnel understand the responsibilities of their roles and/or positions, and reliably

perform all required activities as described in the PCI’s documentation?

• Are services and functions throughout the PCI and its facilities (e.g., enrollment/identity

proofing, card activation/issuance) carried out in a consistent, reliable, and repeatable

manner?

• Have deficiencies identified during the assessment been documented, current and

potential impact on security and privacy been highlighted, and the recommendations and

timelines for correction or mediation been included in the assessment report?

2.5 Accreditation Boundary for the PCI

An organization preparing to accredit a PCI must first identify the appropriate accreditation

boundary. The accreditation boundary defines the specific PCI operations that are to be the target

of the assessment and accreditation. A PCI comprises the complete set of functions required for

the issuance and maintenance of PIV Cards. In determining the accreditation boundary, the

organization may consider if the functions are being performed identically in all PCI facilities,

are using identical information technology components, and are under the same direct

management control. For instance, an organization may have two sub-organizations, each of

which has distinct processes and management structures. The organization may decide to

establish two separate PCIs, each with its own accreditation boundary. In this example, two

separate PCI assessments would be undertaken. Each assessment would result in an independent

accreditation decision.

In drawing an accreditation boundary, an organization may want to include only a subset of PCI

facilities. For example, if a PCI has several facilities, some of which are ready for operation and

some that are still in the development stage, the organization may choose to define the

accreditation boundary to include the PCI and only those facilities that are ready to be assessed.

If the accreditation is successful, the PCI and a subset of its facilities will be authorized to

operate and begin issuing cards. The remaining PCIFs can continue with implementation and be

included in the accreditation boundary at a later date.

In the case of outsourcing PCI services that are not under direct management control of the

organization nor physically located within its facilities, the organization must include the

functions provided by external service providers within the accreditation boundary to make

certain that they are included within the scope of accreditation. This assures that no matter how

and where the functions are performed, the organization maintains complete accountability for

the reliability of its PIV program.

Care should be used in defining the accreditation boundary for a PCI. A boundary that is

unnecessarily expansive (i.e., including too many dissimilar processes and business functions or

geographically dispersed facilities) makes the assessment and accreditation process extremely

unwieldy and complex. On the other hand, a boundary that is unnecessarily limited increases the

number of needed assessments and accreditations and thus drives up the total cost for an

organization. Establishing a boundary for a PCI and its subsequent accreditation are

organization-level activities that should include participation of all key personnel. An

organization should strive to define the accreditation boundary for a PCI that strikes a balance

between the costs and benefits of assessment and accreditation.

While the above considerations should be useful to an organization in determining the boundary

for its PCI for purposes of accreditation, they should not limit the organization’s flexibility in

establishing a practical boundary that promotes an effective HSPD-12 compliant

implementation. The scope of an accreditation is a PCI (whose boundaries are formed by

included facilities) and not individual facilities (PCIFs).

剩余84页未读，继续阅读

艾米的爸爸

粉丝: 784
资源: 314

NIST SP800-79-1：联邦身份验证卡发行商认证指南

NIST SP800-177r1.pdf

NIST SP800-88_rev1.pdf

NIST SP800-88r1.pdf

NIST SP800-79-2.pdf

NIST SP800-85A-1.pdf

NIST SP800-38Gr1-draft.pdf

NIST SP800-133r1-draft.pdf

NIST SP800-175Br1-draft.pdf

NIST SP800-66-Revision1.pdf

NIST SP800-66 Rev1.pdf

最新资源