Issue Date: 7/1/2018

Effective Date: 7/1/2019

PURPOSE

This standard specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state-controlled facilities and information systems.

SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS

Enterprise Information Security Charter PS-08-005

STANDARDS

Georgia shall implement physical and logical access control measures to appropriate assurance levels that limit access to information, processing systems and facilities to only authorized individuals, except where designated for general public access.

Agencies that choose to issue PIV cards as a form of multi-factor authentication shall adhere to the standards as detailed by the Federal Information Processing Standards (FIPS PUB 201-2 or as amended).

All PIV cards issued by state agencies shall be compatible with the building access systems managed by the Georgia Building Authority.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Access Control Policy (PS-08-009)

Authorization and Access Management Standard (SS-08-010.02)

REFERENCES

Federal Information Processing Standards Publication 201-2 (FIPS PUB 201-2), Personal Identity Verification (PIV) of Federal Employees and Contractors: https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.201-2.pdf

NIST Computer Security Resource Center

http://csrc.nist.gov/

NIST SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

TERMS and DEFINITIONS

Credential is the PIV Card and the data elements associated with an individual that authoritatively bind an identity (and, optionally, additional attributes) to that individual.

Identity is the set of physical and behavioral characteristics by which an individual is uniquely recognizable.

Personal Identity Verification (PIV) Card is a physical artifact issued to an individual that contains a PIV Card Application which stores identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or by an automated process (computer readable and verifiable).