
PIV-I White Paper - FINAL - 022111 - Smart Card Alliance

Table: Existing Program or Policy / Gap / Suggested Strategy

Existing Program or Policy: Drug Enforcement Agency's March 25, 2010 Interim Final Rule for electronically prescribing controlled substances
Gap: A user name and password combination for identity verification is not strong enough to authenticate prescribing physicians to the required software applications.
Suggested Strategy: PIV-I credentials meet the two-factor authentication requirements of this rule. An assessment of PIV-I and its acceptance should be included in any health information exchange (HIE) and ePrescribing framework.

Existing Program or Policy: WHTI and REAL ID identity authentication
Gap: Neither the WHTI nor the REAL ID credential requires use of biometrics for stronger two-factor authentication and verification of identity. The use of biometric data (e.g., fingerprints, facial or iris) provides a foundation for achieving three-factor authentication for high risk transactions (physical or logical access). Lack of biometric data or another "what you are" factor prevents credentials from being leveraged in the PIV-I trust framework.
Suggested Strategy: Offer consumers the ability to opt in and add biometrics to their credentials during the identity verification and issuance process, for use in high assurance identity authentication.

Existing Program or Policy: Establishment of an individual's digital identity
Gap: Not all programs in use or in process check identities against a centralized authority or allow for in-person identity proofing.
Suggested Strategy: Provide a mechanism for individuals and business signing authorities to opt in and perform in-person identity proofing to move towards a higher assurance credential such as PIV-I.

Existing Program or Policy: Mandatory requirements for governance and compliance, including Sarbanes-Oxley, HIPAA, NERC-CIP, and PCI DSS
Gap: Security, privacy, and auditability are foundations of common governance and compliance regulations. However, organizations may not currently implement compliance programs in unison across the organization.
Suggested Strategy: Leveraging a PIV-I framework and ICAM-like processes can help organizations meet these requirements. Adopting a unified framework can help provide stronger controls and decrease inefficiencies and costs.

Existing Program or Policy: State-run PKIs
Gap: State-run PKIs may not leverage a common policy for issuance and maintenance that allows for trust to be established across organization and state boundaries.
Suggested Strategy: For those states with more mature PKI infrastructures, assess the state certificate policies and map them to the policies used by the FBCA and the 4BF. Consider necessary modifications and initiate procedures to cross-certify. For those states with minimal reusable PKI infrastructures, leverage the FBCA and 4BF infrastructures already in place for efficiency and cost savings. Consider leveraging the existing PIV-I policy [27], technology and process to generate and carry the certificates to achieve medium assurance hardware-based credentials.

[27] "Citizen and Commerce Class Certificate Policy," Version 2.2, Federal Public Key Infrastructure Policy Authority, August 25, 2010, http://www.idmanagement.gov/fpkipa/documents/citizen_commerce_cp.pdf

Smart Card Alliance © 2011, page 16
