What’s the difference between PIV, PIV-I, CIV?
Casey West • November 5, 2012
Most understand that the PIV card was created out of the Homeland Security Presidential Directive 12 (HSPD-12) during the Bush’s presidency. With PIV being successfully deployed to all U.S. Federal Agencies, PIV-I was created to provide more downstream interoperable cards for non Federal Agencies (ie government contractors). CIV was created as a viable commercial card option with the same standards that the Fed Government chose to deploy with the PIV and PIV-I.
Comparison chart courtesy of Smart Card Alliance: http://www.smartcardalliance.org/
| PIV | PIV-I | CIV | |
|---|---|---|---|
| Technology | |||
| Card data model | Must follow SP 800-73 | Must follow SP 800-73 | “Follows” SP 800-73 (recommended) |
| Current primary credential number | FASC-N (requires Federal agency code) [2] | UUID (no Federal agency code required) | UUID (recommended) (no Federal agency code required) |
| Object identifiers | Federal Bridge | Federal Bridge | Organization Internet Assigned Number Authority (IANA) (if exists) |
| Types of Federation and Levels of Assurance | |||
| Trustworthiness | Trusted identity, credential and suitability | Trusted basic identity and credential but not suitability | Trusted credential only within the issuing organization. |
| Trust among organizations | Federal Bridge | Clustered through Federal Bridge | Clustered alone |
| Origin | |||
| Organization | NIST | Federal CIO Council | Smart Card Alliance Access Control Council [3] |
| Defining documents | FIPS 201, SP 800-73 and other related NIST publications | Personal Identity Verification Interoperability for Non-Federal Issuers [4] FICAM PIV-I FAQ [5] | The Commercial Identity Verification (CIV) Credential–Leveraging FIPS 201 and the PIV Specifications [6] |
| Motivation | HSPD-12 | Interoperable credential for organizations doing business with the government and for first responders | Commercial credential that could take advantage of the PIV infrastructure |
| Markets | |||
| Organizations that may issue and/or use the credential | Federal agencies | Federal agencies Federal contractors Commercial organizations doing business with the Federal government State and local governments Critical infrastructure providers First responder organizations Commercial organizations who are part of an industry initiative and require an interoperable, trusted credential |
Commercial organizations seeking a credential for use for their employees, subcontractors, non-employee visitors and customers Federal agencies who accept credentials with medium hardware assurance [7] |
Updates to HID's Credential Management System
FIDO2 with ENTRA ID
A Strong Dosage of RFID Protects Healthcare Organizations
