Use of PIV credentials continues to expand in government sectors

June 9, 2016
Government leaders report rising use of PIV credentials and movement towards mobile credentials at Smart Card Alliance Securing Federal Identity 2016 Conference

PRINCETON JUNCTION, N.J., -- June 9, 2016 -- The issuance and use of Personal Identity Verification (PIV) credentials for access to secure government systems and buildings are on a hot streak, while efforts to include the use of mobile credentials are gaining strength, government leaders reported this week at the Smart Card Alliance’s Securing Federal Identity 2016 conference in Washington, D.C.

Cybersecurity Sprint Led to Significant Gains in Agency Use of Two-factor Authentication 

Trevor Rudolph, chief of the eGov Cyber Unit for the Executive Office of the President (EOP) and the Office of Management and Budget (OMB), reported on the success of OMB’s push to use PIV cards to authenticate users on federal IT systems since the Cybersecurity Sprint initiative last summer. Rudolph cited that civilian worker PIV usage rose from 42 percent to 72 percent as a result of the initiative, and is now over 80 percent. Incidents relating to authentication decreased by 16 percent in the last two-quarters of FY15, Rudolph noted.

Director of the Federal Identity, Credential, and Access Management (FICAM) Program at the General Services Administration (GSA), Jim Sheire also shared successes from the increased agency adoption of PIV credentials, reporting a 20 percent increase in PIV issuance from GSA USAccess since the OMB initiative launched.

Attendees also heard from two of the federal agencies who have been leaders in driving their government workers’ and contractors’ usage of PIV. Within the U.S. Department of the Treasury, the use of PIV credentials is required for 100 percent of privileged users and 94 percent of unprivileged users, and PIV authentication is required for remote access solutions. Within the Department of Homeland Security (DHS), the use of PIV credentials is required for 98 percent of privileged users and 97 percent of unprivileged users.

Jim Quinn, lead system engineer for the DHS Continuous Diagnostics and Mitigation (CDM) program, also expanded on what DHS is doing to improve data security. The CDM program is being implemented by federal agencies to measure and report on all traffic and programs running on government systems. The program is providing agencies with more critical information about what devices are connected to the network and who is on the network, allowing agencies to spot unauthorized activity quickly before data is lost or damage is done.

These successes, according to Smart Card Alliance Executive Director Randy Vanderhoof, highlight the strong alignment across government around PIV usage.

“The policies and guidance to lead the cybersecurity strategy coming from the White House, led by the OMB, are in sync with the architectural framework, testing and procurement programs under the GSA Office of Government-wide Policy, which are closely following the National Institute of Standards and Technology (NIST) specifications and implementation guidelines for standards-based security,” said Vanderhoof. “When everything is working together like this, real progress happens. The result has been an uptick in the number of PIV credentials issued, an increase in the percentage of government users using PIV for accessing networks securely, and a sharp decline in the number of cyber incidents being reported.”

Mobile Credentialing Moving Forward

During another panel session, three federal program leads outlined the efforts to draft specifications and test mobile devices and mobile identity applications for the use of derived PIV credentials stored on mobile devices:

  • Hildegard Ferraiolo of NIST discussed NIST’s recently released specifications, outlining requirements, and an associated architecture to PIV-enable mobile devices for multi-factor authentication
  • Bill Newhouse of NIST’s National Cybersecurity Center of Excellence (NCCoE) updated attendees on NCCoE’s testing labs for evaluating proof-of-concept implementations and their work on an upcoming practice guide to describe how to turn on and use derived credentials
  • Chi Hickey from GSA’s Identity Assurance and Trusted Access Division shared that GSA is developing the testing program for derived credential solutions and will be adding two categories to the Approved Product List 

For more information on the Smart Card Alliance and government identity resources, visit the Government Identity/Credentialing Resources on the Smart Card Alliance website. 

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information, please visit http://www.smartcardalliance.org.