Personal Identity Verification (PIV) Cards (SS-19-001)
Issue Date: 7/1/2018
Effective Date: 7/1/2019
This standard specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state-controlled facilities and information systems.
SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS
Enterprise Information Security Charter PS-08-005
Georgia shall implement physical and logical access control measures to appropriate assurance levels that limit access to information, processing systems and facilities to only authorized individuals, except where designated for general public access.
Agencies that choose to issue PIV cards as a form of multi-factor authentication shall adhere to the standards as detailed by the Federal Information Processing Standards (FIPS PUB 201-2 or as amended).
The specifications of all PIV cards issued by state agencies shall be such that they are compatible with the building access systems managed by the Georgia Building Authority.
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
Access Control Policy (PS-08-009)
Authorization and Access Management Standard (SS-08-010.02)
Federal Information Processing Standards 201 https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.201-2.pdf
NIST Computer Security Resource Center
SP 800-116 A Recommendation for the use of PIV Credentials in Physical Access Control Systems (PACS)
TERMS and DEFINITIONS
Credential is the PIV Card and the data elements associated with an individual that authoritatively bind an identity (and, optionally, additional attributes) to that individual.
Identity is the set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Personal Identity Verification (PIV) Card is a physical artifact issued to an individual that contains a PIV Card Application which stores identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or by an automated process (computer readable and verifiable).