PIA - Identity Management System (IDMS)
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Privacy Impact Assessment
Identity Management System (IDMS) &
Personal Identity Verification Cards (PIV Cards)
February 22, 2008
PIV Program PIA Reference Sheet
Unique Project Identifier Number (UPI): TBD
(If no UPI, please explain why.):
System of Records (SOR) Numbers: DOT/ALL 9 Identification Media Record Systems; DOT/ALL 13 Internet/Intranet Activity and Access Records; DOT/FAA 815 Investigative Tracking System; DOT/OST 035 Personnel Security Record System To see these system of records notices, visit http://www.dot.gov/privacy/privacyactnotices/faa.htm.
Legal Authorities: Privacy Act of 1974, E-Government Act of 2002, Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standard 201: Policy for a Common Identification Standard for Federal Employees and Contractors
IT Security Plan Number(s): IDMS
IT Security Plan Title: FAA ASH Identity Management System C&A
Accreditation and Certification Date: December 4, 2007.
OMB Exhibit 300 Number: N/A
OMB Exhibit 300 Title: N/A
Identity Proofing and Registration Process Approval Date: October 27, 2006
PIV Implementation Plan Approval Date: February 1, 2008
Contact Name, Title: Carla Mauney, FAA Privacy Officer
Organization/Department: Office of the Chief Information Officer, Federal Aviation Administration, U.S. Department of Transportation
Phone Number: 202-267-9895
Activity/Purpose of Program: To store, manage, and maintain information related to the issuance and maintenance of personal identity verification (PIV) cards for FAA employees, contractors who are employed by FAA for six (6) months or longer, and affiliates (such car poolers, day care workers etc) authorized to received ID cards per DOT policy. Temporary employees (less than 6 months), short-term guests, and occasional visitors to FAA facilities will not receive PIV cards.
HSPD-12, issued on August 27, 2004, directed the promulgation of a new Federal standard for a secure and reliable form of identification issued by all Federal Agencies to their employees and contractors. In response to this directive, the National Institute of Standards and Technology (NIST) published a Federal Information Processing Standard (FIPS) entitled FIPS 201-1, “Personal Identity Verification (PIV) for Federal Employees and Contractors” [FIPS 201-1]. This Standard along with its set of supporting technical publications provides the details required to create, issue and maintain these common identity-credentials (also referred as PIV cards).
In response to HSPD-12, FAA Office of Security & Hazardous Materials [ASH] is responsible for the identity management and all aspects of the FAA HSPD-12 implementation including serving as the main internal and external point of contact with respect to program planning, operations, business management, communications and technical strategy. FAA is currently expecting to issue more than 80,000 PIV cards that will eventually be used for building and computer access at all FAA facilities nationwide.
To comply with HSPD-12, the Federal Aviation Administration (FAA) has implemented an identity management system (IDMS) to issue PIV Cards to their employees and contractors and has revised processes for badge enrollment, registration and issuance to conform to the requirements of [FIPS 201-1]. Additionally, the PIV system implemented by the FAA is in accordance with the spirit and letter of all privacy controls specified in [FIPS 201-1], as well as those specified in Federal privacy laws and policies.
IDMS is a collection of systems, processes, procedures, applications, database management systems, and interfaces that work together to perform the various functions of an integrated and automated Identity Management System (IDMS). The IDMS provides services for the PIV Card request, identity proofing, verification, background investigation and validation of an Applicant prior to PIV Card issuance. In its end state, the IDMS will include the following subsystem components:
- Investigations Tracking System (ITS)
- Human Resource Module (HRM)
- Vendors Module (VM)
- Biometrics Module (BM)
- Identification Media System (IMS)
- Card Management System (CMS)
- PIV Authoritative Directory (PAD)
- PKI Shared Service Provider (SSP)
- PIV Production Services (PPS)
- PIV Card
PIA Scope for FAA IDMS and PIV Cards
This PIA provides detail about FAA’s role in the collection and management of personally identifiable information for the purpose of issuing credentials (ID badges or PIV cards) to meet the requirements of HSPD-12 and comply with the standards outlined in FIPS 201 and its accompanying special publications. HSPD-12 requires standardized and secure processes for personal identity verification through the use of advanced and interoperable technology. This resulted in a need to collect biographic and biometric information. This PIA covers the information collected, used, and maintained for these processes, specifically the: (i) background investigation; (ii) identity proofing and registration; (iii) Identity Management System (IDMS), the database used for identity management and access control; and (iv) the PIV card.
PIV-I requires the implementation of registration, identity proofing, and issuance procedures compliant with the standards of FIPS 201. However, the collection of information for background investigations has been a long-standing requirement for Federal employment. This process and the elements used are not new. The forms and information collection for the background investigation process will continue to occur. Additionally, PIV-I may not require the implementation of any new systems or technology. FAA will continue to issue existing ID badges under PIV-I, but the process for credential application and issuance will conform to requirements of HSPD-12 and FIPS 201.
This PIA covers both the PIV-I and PIV-II processes. These processes will be referred to throughout this PIA as the FAA PIV program, the identity management system will be referred to as IDMS, and the credentials issued will be referred to as PIV cards.
Basic PIV Program Control Elements
The four control objectives of the FAA PIV program are as defined in the Presidential Directive (HSPD-12): “Secure and reliable forms of identification for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee’s identity; (b) is strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation: (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process.”
Per FIPS 201 requirements, FAA’s PIV program must meet the four control objects to ensure that:
Credentials are issued (1) to individuals whose true identity has been verified and (2) after a proper authority has authorized issuance of the credential.
Only an individual with a completed background investigation on record is issued a credential.
An individual is issued a credential only after presenting two identity source documents, at least one of which is a valid Federal or State government issued picture ID.
Fraudulent or altered identity source documents are not accepted as genuine.
A person suspected or known to the government as a terrorist is not issued a credential.
No substitution occurs in the identity-proofing process (i.e., that the individual who appears for identity proofing, and whose fingerprints are checked, is the person to whom the credential is issued).
No credential is issued unless requested by a proper sponsor.
A credential remains serviceable only up to its expiration date (i.e., that a revocation process exists such that expired or invalidated credentials are swiftly revoked).
No single official in the process can issue a credential with an incorrect identity or to a person not entitled to the credential.
An issued credential is not modified, duplicated, or forged.
Section 1.0 Information collected and used WITHIN FAA IDMS AND PIV CARDS
1.1 What information is collected and from whom?
The information is collected from PIV Applicants, the individuals to whom a PIV card is issued. The PIV Applicant may be a current or prospective Federal hire, a Federal employee or a contractor who will be employed by FAA for six months or longer, and authorized affiliates. As required by FIPS 201, FAA will collect biographic and biometric information from the PIV Applicant in order to: (i) conduct the background investigation or other national security investigation; (ii) complete the identity proofing and registration process; (iii) create a data record in the PIV Identity Management System (IDMS); and (iv) issue a PIV card. Figure 1 below depicts what information is collected from the PIV Applicant in relation to each of these processes.
Figure 1: The Collection, Storage and Use of Information [not all from the PIV Applicant]
|Background Investigation||Identity Proofing and Registration|
|PIV Card (Physically Displayed)||PIV Card (Electronically Stored)|
|Date of Birth||X||X||X|
|Place of birth||X|
|Social Security Number (SSN)||X||X||X|
|Other names used||X|
|Citizenship||X||X||Stripe for foreign national|
|Other identifying information (height, weight, hair color, eye color)||X|
|Organizational affiliation (e.g. Agency name)||X||X||X||X||X|
|Employee affiliation (e.g. Contractor, Active Duty Military, Civilian)||X||X||X||X||X|
|Biometric identifiers (2 fingerprints)||X||X||X|
|Digital color photograph||X||X||X||X|
|Spouse (current or former), relatives and associates, information regarding their citizenship||X|
|Illegal drug history||X|
|Foreign countries visited||X|
|Background investigations history||X|
|Signed PIV Request||X||X|
|Signed SF 85 or equivalent||X||X|
|Copies of identity source documents||X||X|
1.2 How is the information used?
The types of information identified above are used in the five PIV processes as described below:
1. PIV Request & Sponsorship - The first step in the process of obtaining a PIV Card is sponsorship. The PIV Sponsor begins the “chain of trust” and substantiates the need for a PIV Card to be issued to the PIV Applicant. The PIV Applicant is requested to complete the Identification Card / Credential Application Form (currently DOT Form 1681) after which the PIV Sponsor completes the sponsor section (“Information below to be filled out by the Sponsor” section) to validate the PIV Applicant’s need for the PIV Card. The PIV Sponsor signs ‘block #27’ of the application form to commence the “chain of trust”. The PIV Sponsor instructs the PIV Applicant to take two (2) identity-source documents that come from the list of acceptable documents for registration. Additionally, at least one document needs to be a valid State or Federal government-issued picture identification (ID).
2. Complete the identity proofing and registration process. Once Identification Card/Credential Application Form (DOT Form 1681) is completed by the PIV Applicant and signed by the PIV Sponsor, the PIV Applicant is notified by the PIV Sponsor to appear at a Registration Center. During registration, the PIV Registrar verifies the identity of the PIV Applicant by reviewing the two (2) forms of identification and determining their authenticity. The PIV Registrar takes a photograph of the PIV Applicant and captures the two (2) biometric fingerprints (in miniature) for placement on their PIV Card. At this time, the PIV Applicant may also have their fingerprints captured for transmission to Office of Personnel Management (OPM) and the Federal Bureau of Investigation (FBI) in order to conduct a fingerprint check as well as a National Agency Check with Inquiries (NACI) or higher based on the position of the employee and their responsibilities within the FAA.
3. Conduct a background investigation and Adjudication.
- Background Investigations - The PIV background investigation as required by FIPS 201 is a condition of Federal employment (now extended to contractors) and matches PIV Applicants’ information against FBI and FAA databases (Investigations Tracking System or ITS) to prevent the hiring of applicants with a criminal record or possible ties to terrorism. If a person declines to provide this information, that person cannot be hired as a permanent employee, nor work at the agency as a contractor long-term (over 6 months). The forms used to initiate the background investigation, are the Questionnaire for Non-Sensitive Positions Standard Form 85 (SF-85) or the Questionnaire for National Security Positions Standard Form 86 (SF-86). This process entails conducting a full National Agency Check (NAC) or National Agency Check with Inquires (NACI).
- In the event that an employee or contractor already has a favorable security investigation on file, another investigation does not have to be performed. If a valid security investigation does not exist on record, the PIV Applicant will be provided instructions on accessing the OPM e-QIP Website (if they have internet access) or to contact the Servicing Security Element (SSE) to fill in the appropriate security form (e.g. SF 85P - Questionnaire for Public Trust Positions). The background information collected as part of this process and its results are kept in the background investigation files and the FAA Investigations Tracking System, but is not stored on the PIV card.
- Adjudication - A Personnel Security Specialist (PSS) at the FAA adjudicates the results of the background investigation according to the adjudication criteria in Executive Order 12968 and the Code of Federal Regulations (CFR) - Title 5 C.F.R. Part 731. Adjudication is based on recency as well as the nature and relationship of any unfavorable result as it applies to the job description of the PIV Applicant.
- If the adjudication confirms the individual’s true identity but reveals unfavorable information that involves criteria under Executive Order 12968 or Title 5, C.F.R. Part 731, a PIV Card may be denied. In the event that a PIV Card has been denied, the PIV Applicant may initiate an appeals process to provide information to clarify or explain any derogatory information.
4. Create a data record in the PIV Identity Management System (IDMS). The IDMS is used during the registration process to create the PIV Applicant’s pre-enrollment and enrollment record, manage and maintain the information throughout the PIV card lifecycle, and, verify, authenticate and revoke PIV cardholder access to Federal resources. A unique identifier is assigned during registration and used to represent the individual’s identity and associated attributes stored in the system.
5. Issue a PIV card. Generally, completion of a NACI can take anywhere from a few days to a few months. [FIPS 201-1] permits issuance of PIV Cards once the FBI National Criminal History Fingerprint Check (NCHFC) returns a favorable result. Therefore, once a successful fingerprint check result has been obtained, a PSS at the FAA authorizes issuance of the PIV Card. Detailed steps in issuance process are as follows:
- Card Printing - At this time, the information that needs to be printed on the PIV Card for the PIV Applicant is sent to the PIV Production Service (PPS) that has been contracted to graphically personalize PIV Cards for the FAA.
- Card Issuance - Once the PIV Card has been graphically personalized, it is sent back to the FAA. The PIV Issuer notifies the PIV Applicant that their PIV Card is ready for pickup. When the PIV Applicant arrives to pickup their PIV Card, the PIV Issuer verifies the identity of the individual claiming to be the PIV Applicant by reviewing their Federal or State issued photo-identification. This identification needs to be the same one that was presented at the time of registration. Once the identity of the PIV Applicant is confirmed, the PIV Issuer authorizes issuance of the PIV Card to the PIV Applicant.
- Card Activation - Activation is a two-step process within the FAA wherein the electronic information is loaded on to the PIV Applicant’s PIV Card i.e. the PIV Card is electronically personalized.
The first step is performed at the Activation Kiosk within the badging office in the presence of the PIV Issuer where the Applicant inserts their newly-obtained PIV Card and provides their biometric fingerprint sample which is matched to their biometric record in the FAA PIV System. On a successful 1:1 biometric match, the PIV Applicant is requested to select a 6-8 digit numeric Personal Identification Number (PIN) that will be used to operate the PIV Card. Once their PIN has been set, the PIV Applicant’s personalized electronic information is downloaded to their PIV Card.
The second step in the activation process is carried out by the PIV Applicant (now a PIV Cardholder) at any workstation within the FAA (e.g. user’s personal workstation) that has a card reader attached. At this time, the Applicant logs into the FAA PIV portal and after presenting their PIN, requests the remaining electronic data to be loaded on the PIV Card as well.
Once the two-step activation process is completed, the PIV Card is now ready and can be used a physical and logical access throughout the FAA.
6. Usage of PIV Card for physical and logical access: FAA organizations responsible for controlling access to physical facilities and logical access to networks and information systems are responsible for determining the appropriate level of identity assurance required for access, based on the harm and impact to individuals and organizations as a result of potential risk due to errors in the authentication of the identity of someone requesting access as specified in [FIPS 201-1].
In the context of the PIV Card, identity authentication is defined as the process of establishing confidence in the identity of the cardholder presenting a PIV Card. The authenticated identity can then be used to determine the permissions or authorizations that are granted to that identity to access various physical and logical resources. Based on the various data objects present on a PIV Card, the PIV Card is capable of supporting a set of authentication mechanisms that can be used to implement graduated assurance levels for identity authentication.
1.3 What other information is stored, collected, or used?
All data which are necessary to issue PIV cards, but which will not be collected from the PIV Applicant, are shown in Figure 2. Figure 2 describes the purpose for which each type of data will be used, and indicates whether the data will be (i) electronically stored in IDMS; (ii) electronically stored on the PIV card; or (iii) physically displayed on the card.
Figure 2: Other PIV Information Stored, Collected or Used
|Card expiration date||X||X||X||To verify card is valid and allow access to facilities and computer systems|
|Personal Identification Number (PIN)||X||For optional/ selected use either to obtainr physical access to highly secured buildings/ space or to log-on to sensitive computer systems (“level 3”) that require multi-factor authentication, beyond the typical user ID/ password.|
|Agency card serial number||X||X||To identify and maintain agency cards|
|Issuer identification number||X||To verify issuer’s authority|
|Contact Integrated Circuit Chip (ICC)||X||Used to authenticate a PIV cardholder’s identity with card readers that require card to be inserted or “swiped”. Can be used for physical access to buildings/office space and logical access to computer systems.|
|Contactless ICC||X||Used to authenticate a PIV cardholder’s identity with low-frequency radio signal “proximity loop” card readers that allow card to pass by the card reader. Primary use is for physical access to buildings and office space.|
|PIV authentication key||X||To authenticate the PIV card to the host computer system in relation to validating a PIV cardholder’s identity.|
|Digital Signature Key||X||To ensure identity of the author or sender for signing data, such as email messages and electronic documents, and for purposes of non-repudiation.|
|Key Management Key||X||To support key establishment or key transport; and is also used for managing the encryption process, for purposes of confidentiality.|
|Card Authentication Key||X||To authenticate cardholder to physical access systems (in future).|
|Cardholder Unique Identifier [Federal Agency Smart Card Credential Number (FASC-N) also known as the CHUID||X||To authenticate the cardholder to the host computer system; it is composed of the agency code plus a sequential number for the employee, and creates a unique number for each Federal employee and long-term contractor. This allows interoperability of the PIV card throughout the Federal Government.|
|PIV Registrar Approval (digital signature)||X||To verify the authenticity of the individual sending the message and to verify that the content has not been altered.|
1.4 Does the PIV program utilize or depend on the use of commercial databases or commercially available data?
No commercial databases or data will be used in the PIV process. As explained previously in 1.2, FAA will obtain data from OPM and FBI databases; but those databases constitute government-controlled information rather than commercial information.
1.5 Will new or previously unavailable information about an individual be obtained or generated with respect to IDMS and PIV cards?
The only new information about individuals that will result from this new credentialing process consists of the following items on the PIV card -- a password/PIN, a CHUID, two fingerprint biometric (in miniature), and four digital certificates or keys on PIV card (PIV authentication key, digital signature key, key management key, and card authentication key).
All other information provided by the applicant to request a PIV card is already provided when they complete forms SF 85p or SF86 for background investigation during employment eligibility process for new hires for employees and contractors. The FAA Investigations Tracking System (ITS) contains the personally identifiable information (PII) and non-PII pertaining to current and former employees and contractors of the FAA based on the information collected on the form SF-85, SF-85p, or SF-86. Information from these forms is manually entered into ITS and a copy is then downloaded from ITS into IDMS.
1.6. What privacy risks did FAA identify regarding the amount and type of information to be collected? Describe how FAA mitigates those risks.
The FAA collects only the type and amount of personally identifiable information required of all Federal agencies in the Executive Branch. The background investigation information (primarily collected on the SF-85, SF-85P, or SF-86) is dictated by OPM policy and regulations. The new PIV credentialing process is dictated by FIPS 201. Rather than creating new requirements, FIPS 201 basically standardizes the procedures long-existent throughout the Federal Government for identity proofing and ID badging. For example, the FAA PIV program included the requirements that at least two officials approve and issue ID badges and that the FBI National Criminal History Check be favorable before the ID badge could be issued, before FIPS 200 made them government-wide requirements.
Because much of the PIV process has already been in place Government-wide, the privacy risks are not new, nor are the ways that agencies mitigate those risks. Specifically, these are the privacy risks and how FAA mitigates those risks:
- Risk: Information from the SF-85, SF-85P, or SF-86 forms downloaded into IDMS from ITS could potentially get into the wrong hands, and “identity theft” could occur.
- Mitigation: Only those who hold “positions of trust” (such as human resources specialists, personnel security specialists, PIV Registrars) are authorized to handle these forms. Restricting access to IDMS to persons who are authorized to handle these forms greatly reduces the risk of potential identity theft of such information as full name, Social Security number, date of birth, place of birth, and home address.
- Risk: Personally identifiable information downloaded into IDMS from personnel security databases (ITS) could potentially get into the wrong hands, and “identity theft” could occur.
- Mitigation: Access to information in the personnel security databases is restricted to those in positions of trust and is password protected and secured from unauthorized access. The information in IDMS is similarly restricted from access and secured against unauthorized users. IDMS system completed a C&A per FISMA requirements and was authorized for operation by the Authorizing Official in December 2007. Similarly, the PCI organization completed a C&A per NIST 800-79 requirements for its PIV-I processes in October 2006 and is for the PIV-II processes in February 2008.
- Risk: PIV card will be lost, misplaced, or stolen from FAA cardholder.
- Mitigation: A PIV Cardholder applies for re-issuance of a new PIV Card if the old PIV Card has been compromised, lost, stolen, or damaged. In this event, the following procedures apply:
1. Employees who have lost, misplaced, or have had their PIV Card stolen, need to report the loss immediately to the Servicing Security Element (SSE) and their current PIV Sponsor;
2. They will be required to file an incident report to the SSE;
3. The PIV Card will be suspended or revoked;
4. A waiting period may be required before re-issuance. In the meantime, a temporary badge may be issued to the individual and/or visitor badging and escort procedures may apply;
5. PIV Cards found within this time-frame need to be reported immediately back to the SSE who will undo the suspension;
6. Those cards not found will be replaced.
For contractors who have lost, misplaced or have had their PIV Card stolen, penalties as per FAA policy may apply.
Section 2.0 Internal Sharing and Disclosure
2.1 What information is shared with which internal organizations and for what purposes?
The information is shared with the appropriate FAA employees and contractors involved in the design, development, implementation and execution of the FAA PIV program who, by law and contract, are bound by the Privacy Act. Specific information about a PIV Applicant or Cardholder will be shared with FAA employees and its contractors who have a “need to know” for implementation of the FAA PIV card issuance, physical access control system (PACS), and logical access control systems (LAACS). FAA contractors are contractually obligated to comply with the Privacy Act in the handling, use and dissemination of all personal information.
Various roles are needed to be designated and responsibilities assigned in order to execute processes and utilize available technology to produce a [FIPS 201-1] compliant PIV Card. As per [FIPS 201-1], PIV personnel roles for card issuance and their separation of duties are a necessity to ensure the true identity of all PIV Applicants throughout the FAA Enterprise.
The FAA PIV System roles required in support of the [HSPD-12] directive and [FIPS 201-1] are described below:
- PIV Applicant: A PIV Applicant is an individual (employee or contractor – 6 months or longer) that applies for an FAA PIV Card. The PIV Applicant may be a prospective hire, current employee, or contractor. A PIV Applicant can also be an existing FAA employee who is applying for a PIV Card due to expiration or loss of their previous credential. Upon being issued a PIV Card the PIV Applicant becomes a PIV Cardholder.
- PIV Sponsor: A PIV Sponsor is an individual who requests a PIV Card for a PIV Applicant. This is the individual that substantiates the need for a PIV Card and signs the request for a PIV Applicant to receive a PIV Card.
This role may be filled by Human Resources personnel for new employees, supervisor or managers for existing employees, and Contracting Officer or Contracting Officer Technical Representative (COTR) for contractors.
- PIV Registrar: The PIV Registrar is an individual who is responsible for verifying the PIV Applicant’s identity by making sure their identity-source documents are authentic (i.e., Government-issued IDs, birth certificates, etc.) The PIV Registrar is also responsible entering the PIV Applicant into the FAA PIV System - by collecting and recording the PIV Applicant’s relevant information.
This role is filled by ASH Personnel Security Specialists (PSS). However, at regional offices and remote facilities, the duties of the Registrar are performed by the Trusted Agents of the Registrar. The PIV Trusted Agent of the Registrar can perform all the same functions as a Registrar with the exception of initiation or verification of a background investigation, tracking of the investigation and approving issuance of the PIV Card. These Agents may be individuals outside of the ASH organization or may be contractors.
- PIV Issuer: The PIV Issuer is the individual that is responsible for issuing the PIV Card to a PIV Applicant. The PIV Issuer verifies the identity of the PIV Applicant prior to handing over their PIV Card.
This role is filled by ASH Personnel Security Specialists. However, at regional offices and remote facilities, the duties of the PIV Issuer are performed by the Trusted Agents of the Issuer. The PIV Trusted Agent of the Issuer can perform all the same functions as a PIV Issuer. These Agents may be individuals outside of the ASH organization or may be contractors
- PIV Digital Signatory: The PIV Digital Signatory is a system role; a PIV Applicant does not interact with a person fulfilling this role during the PIV Card issuance process. The PIV Digital Signatory is responsible for ensuring that a proper background check has been completed prior to authorizing printing/issuance of an FAA PIV Card, i.e. the PIV Digital Signatory authorizes printing/issuance of the PIV Card once all the appropriate paperwork has been completed and the background check results have been received.
This role is filled by ASH Personnel Security Specialists.
- PIV Approval Authority (AA): The PIV Approval Authority is the individual at the center of the PIV process who assigns, authorizes and delegates authority for all FAA PIV roles. The AA manages the authorized list of registrars, issuers, sponsors and trusted agents. The AA may institute the use of multiple Trusted Agent roles to facilitate PIV Card issuance at various FAA facilities or locations. The AA is typically a Personnel Security Manager, AIN-400 at FAA headquarters.
- PIV Trusted Agent: A PIV Trusted Agent is an individual designated by the AA to perform certain duties of either the PIV Issuer or the PIV Registrar. Use of PIV Trusted Agents facilitates implementation of the PIV Card at FAA field facilities and remote locations. The PIV Trusted Agent of Registrar performs duties such as examining I-9 documentation, photographing and fingerprinting applicants, and forwarding required security forms to the appropriate PIV Registrar; but can perform adjudication functions. The PIV Trusted Agent of Issuer may perform all duties performed by Issuer.
PIV Privacy Official: The PIV Privacy Official oversees privacy-related matters in the PIV system and is responsible for implementing the privacy requirements associated with FIPS 201-1, OMB322, and The Privacy Act. The FAA Privacy Officer will serve in this role.
PCI Manager: The PCI Manager ensures that all the services specified in FIPS 201 are provided reliably and that PIV credentials are produced and issued in accordance with its requirements. The PCI Manager is the Information Resources Manager, AIN-500 at FAA.
Section 3.0 External Sharing and Disclosure
3.1 What information is shared with which external organizations and for what purposes?
During the up-front background investigation process and identity proofing, relevant personal data will be:
1. Shared with the Office of Personnel Management (OPM) which is responsible for conducting the NACI and other higher-level investigations for [FAA]; and
2. Matched against databases at the Federal Bureau of Investigations (FBI) and [FAA] to prevent the hiring of applicants with a criminal record or possible ties to terrorism.
Additionally, information about individuals that is stored for purposes of issuing a PIV card and to run the FAA PIV program may be given without the individuals’ consent as permitted by the, Privacy Act of 1974 (5 U.S.C. § 552a(b)), including to:
an appropriate government law enforcement entity if records show a violation or potential violation of law;
the Department of Justice, a court, or other adjudicative body when the records are relevant and necessary to a lawsuit;
a Federal, state, local, tribal, or foreign agency whose records could facilitate a decision whether to retain an employee, continue a security clearance, or agree to a contract;
a Member of Congress or Congressional staff at a constituent’s written request;
to the Office of Management and Budget to evaluate private relief legislation;
agency contractors, grantees, or volunteers, who need access to the records to do agency work and who have agreed to comply with the Privacy Act;
the National Archives and Records Administration for records management inspections; and
other Federal agencies to notify them when a PIV card is no longer valid.
System of records notices that pertain to IDMS and PIV cards are DOT/ALL 9 Identification Media Record Systems; DOT/ALL 13 Internet/Intranet Activity and Access Records; DOT/FAA 815 Investigative Tracking System; DOT/OST 035 Personnel Security Record System. To see these system of records notices, visit http://www.dot.gov/privacy/privacyactnotices/faa.htm.
3.2 Is FAA either providing or receiving card issuance services pursuant to a servicing agreement?
The PIV Card personalization and printing will be outsourced to a PIV Production Service (PPS) by FAA. The PCI Manager will have the complete authority and responsibility for interfacing with the PPS for PIV Card production, printing and delivery of the PIV Card to the PIV Issuer or a Trusted Agent of the Issuer. Once received, the PIV Issuer, or the Trusted Agent, will actually “deliver” the card to the PIV Applicant (employee or contractor).
Section 4.0 Agency Policy Requirements
DOT Policy Memorandum, “DOT Implementation of HSPD-12”, dated January 28, 2005.
DOT Policy Memorandum, “Initial Implementation of HSPD-12”, dated October 28, 2005.
Department of Transportation (DOT) Order 1680.3, DOT Identification Media Program.
Departmental Information Resource Management Manual (DIRMM), January 2006.
DOT memorandum on card topology (multiple)
FAA Order 1600.25
Section 5.0 PRIVACY Act Requirements
5.1 Is notice provided to the individual at the time information is collected? If yes, provide or attach the Privacy Act Statement.
As stated previously in1.5, the information used for PIV card issuance will consist almost entirely of information collected from the Applicant when the Applicant submits to a background investigation for employment eligibility. The Applicant will be provided a Privacy Act Statement as required by the Privacy Act, 5 USC 552(a)(e)(3), at that time. The notice will explain the reasons for collecting information, the consequences of failing to provide the requested information, how the information will be used (including for PIV card issuance), and that the information will be used and disclosed only in accordance with the Privacy Act and applicable Privacy Act System of Records Notices (SORNS). The SORNS applicable to IDMS and PIV cards are identified in 3.1 above.
The FAA organizations responsible for the PACS system and the LAACS system will provide a privacy act statement to cardholders explaining information practices pertaining to card usage.
5.2 What are the procedures for individuals to gain access to their own information?
5.2.1 Information about submitting a request to gain access to records under the Privacy Act can be found on FAA’s public Web site at http://www.faa.gov/privacy/ . A request may be submitted online, by mail, by facsimile, or in person and should comply with these instructions:
Include the name, address and telephone number (and e-mail address, if any), of the requestor.
Specify that it is a Privacy Act request.
Describe what information the requestor is looking for.
Indicate whether the requestor is requesting the information in a form or format other than paper.
State the requestor’s willingness to pay any fees, and how much he or she is willing to pay as advance authorization.
Within a few days after receiving the request, FAA will send an acknowledgment letter. This letter will include the tracking number for the request. For FAA to follow up on the request, the requestor must provide the tracking number.
5.2.2 Information compiled solely for the purpose of determining suitability, eligibility, or qualification for Federal civilian employment or access to classified information may be exempted from the access provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1) and/or (5). Other portions of records may be exempted from the access provisions under 5 U.S.C. 552a (j)(2) and 5 U.S.C. 552a(k)(2).
5.3 What are the procedures for correcting information?
5.3.1 Discuss the procedures and provide contact information for the appropriate person to whom such issues should be addressed.
If a requestor believes his or her personal information is incorrect and needs to be updated, the requestor should contact The FAA Privacy Officer, Carla Mauney at 202-267-9895 or Carla.Mauneyr@FAA.gov.
5.3.2 Describe how information collected from individuals or derived from the system is checked for accuracy.
The accuracy of the data in IDMS and on the PIV cards depends on the accuracy of the data IDMS derives from the ITS system. As outlined in the PIA for Investigations Tracking System, the FAA ASH organization is also the system owner of ITS. The FAA personnel security specialists are responsible for the accuracy of data within ITS system which is manually entered from the SF 85, SF 85p or SF 86 and identification source documents completed by the FAA employee or contractor during the employment eligibility determination. Inaccurate, incomplete or inconsistent data provided by the person completing these source forms may result in denial of employment and/or issuance of PIV card.
5.3.3 Describe any processes or procedures in place to reduce inaccuracies in data collected.
IDMS uses a combination of the following to verify the integrity of data and look for evidence of data tampering, errors, and omissions:
Training of involved personnel in critical roles during PIV sponsorship, identity proofing, registration and issuance.
Training of involved personnel security specialists on the IDMS system.
Automatic data field validations between the ITS and IDMS system.
Validation of data sent in batch files to and received from PIV PPS prior to final issuance of PIV card to the applicant.
Biometric (fingerprint) matching of requestor and person being issued the PIV card during final issuance process
Built-in auditing functionality.
Using required fields to prevent critical data from being omitted.
5.4 How are individuals notified of the procedures for correcting their information?
A description of procedures to follow to correct personal information is provided in the Privacy Notices distributed both at the time application forms are submitted for processing and approval and when the card is received and used. These notices will also be posted online on FAA’s intranet.
5.5 Do individuals have the right to decline to provide information?
While providing the information is voluntary, if individuals do not provide the requested information in whole or in part, FAA will not be able to complete their Federal background investigation and the identity proofing and registration process. If an individual does not have a PIV card, he or she will be treated as a visitor when entering an FAA building and will not have access to certain resources. If holding a PIV card is a condition of the individual’s employment at FAA as an employee or a contractor, failure to provide the requested information will adversely affect the individual’s placement or employment prospects.
5.6 Do individuals have the right to consent to particular uses of the information?
No. Providing the information on the SF85, SF85p or SF86 for the Federal background investigation check is a condition of working for the FAA as an employee or a contractor. None of the information is optional. By signing and submitting these forms, the employee or contractor consents to FAA’s use of the information to conduct the Federal background investigation. The individual cannot “opt-out” of the use of this information.
5.7 What deficiencies in your agency procedures did you identify and remedy after performing this analysis in Section 5?
FAA developed and implemented a corrective action plan to remedy deficiencies identified in the certification and accreditation (C&A) performed on the PCI organization per NIST 800-79 requirements. In addition, FAA will remediate any risks identified in the C&A of the IDMS system per FISMA requirements based on an established plan of actions and milestones.
Section 6.0 DATA Protection Controls
6.1 General Program Controls
General program controls developed and implemented by FAA to protect data collected from PIV applicant and stored within the IDMS system and/or the PIV card are summarized below:
FAA has an approved identity proofing and registration process.
The Applicant appears in-person at least once before the issuance of a PIV credential.
The PIV identity proofing, registration, and issuance process adheres to the principle of separation of duties to ensure that no single individual has the capability to issue a PIV credential without the cooperation of another authorized person.
The identity proofing and registration process is accredited by FAA as satisfying the requirements and approved in writing by the Authoring Official.
FAA has an approved PIV credential issuance and maintenance process.
FAA issues PIV credentials only through systems and providers whose reliability has been established by the agency and so documented and approved in writing (i.e., accredited).
A comprehensive PIA is conducted on systems containing personal information in identifiable (IIF) form for implementing PIV, consistent with the E-Government Act.
FAA has generated a SORN identifying the type of information collected, the purpose of the collection, how the information is protected, and the complete set of uses of the credential and related information during the life of the credential.
FAA assures that systems containing IIF for the purpose of enabling the implementation of PIV are handled in full compliance with the Privacy Act.
FAA ensures that only personnel with a legitimate need for access to IIF are authorized to access the IIF, including but not limited to information and databases maintained for registration and credential issuance.
FAA coordinates with appropriate department or agency officials to define consequences for violating privacy policies of the PIV program.
FAA assures that the technologies used in FAA’s implementation of the PIV allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program.
FAA has categorized the system risk level (as specified in FIPS 199) and utilizes security controls described in NIST SP800-53, Recommended Security Controls for Federal Information Systems, to accomplish privacy goals, where applicable.
FAA ensures that the technologies used to implement PIV sustain and do not unnecessarily erode privacy protections relating to the use, collection, and disclosure of information in identifiable form. Specifically, they employ an electromagnetically opaque sleeve or other technology to protect against any unauthorized contact less access to information stored on a PIV credential.
6.2 Specific program controls used to secure information.
What are the controls on data exchange and integrity of the credential?
FAA protects all records from unauthorized access through appropriate administrative, physical, and technical safeguards. The agency follows all applicable government-wide standards for controlling and protecting information systems (see NIST SP800-53). Specific controls are described below.
System security: The controls include network security and limited access to system and physical facilities. These risks are addressed by the SSP and Risk Assessment established for this PIV Program. More specific program controls include protecting data through the use of FIPS validated cryptographic algorithms in transit, processing, and at rest.
Networks: The IT infrastructure that supports the PIV program is described in detail in the System Security Plan (SSP) developed as part of the C&A for the IDMS system. All data exchange takes place over encrypted data communication networks that are designed and managed specifically to meet the needs of the PIV Program. Private networks and/or encryption technologies are used during the electronic transfer of information to ensure that “eavesdropping” is not allowed and that data is sent only to its intended destination and to an authorized user, by an authorized user. Enrollment data may be temporarily stored at enrollment centers for encrypted batch transmission to the IDMS. Access is PIN protected.
Data Transmission: All biographic and biometric data collected by the enrollment workstation is transmitted to the IDMS over a private network in an encrypted format. In the condition that the enrollment center supports offline enrollments, all data files will be stored on the enrollment workstation in an encrypted format and will be automatically deleted from the workstation upon confirmation of a successful transmission. Auditable records are created for the transmission and successful deletion of enrollment records captured while working in an offline mode.
Data Storage Facilities: Facilities and equipment are secured by limiting physical access to the workspace and system, and by requiring an appropriate verification of identity for logical access to the system.
The IDMS sends confirmed enrollment information to the card production facility via a secure connection. Cards that are not active cannot be used for access to Federal facilities or networks. Certifications are revoked when they are reported lost, stolen, or damaged beyond use, or when a cardholder has failed to meet the terms and conditions of enrollment. Cards will be deactivated upon collection of damaged cards or if the employee or contractor no longer requires a PIV card.
Equipment: User Identification: PIV cardholders are authenticated to access DOT/FAA facilities and information systems using, at a minimum, two-factor authentication based on their role and responsibility. A required component (first factor) of this authentication is the PIV card itself. In combination with the PIV, the second factor of this authentication requires a personal ID number (PIN), and/or biometric (e.g., fingerprint).
User Groups: System/application users have varying levels of responsibility and are allowed to access information and features of the system only appropriate for their level of job responsibility and security clearance. These rights are determined by the identification provided when authenticating (i.e., user identification) to the system as described above.
Network Firewall: Equipment and software are deployed to prevent intrusion into sensitive networks and computers.
Encryption: Sensitive data is protected by rendering it unreadable to anyone other than those with the correct keys to reverse the encrypted data.
Access Control: Access to data is PIN protected.
Audit Trails: Attempts to access sensitive data are recorded for forensic purposes if an unauthorized individual attempts to access the information contained within the system.
Recoverability: The system is designed to continue to function in the event that a disaster or disruption of service should occur.
Physical Security: Measures are employed to protect enrollment equipment, facilities, material, and information systems that are part of the PIV program. These measures include: locks, ID badges, fire protection, redundant power and climate control to protect IT equipment that are part of the PIV program.
An Information Assurance and Security plan containing all technical measures and operational procedures consistent with Federal law, FIPS 201, related Special Publications and agency policy is used.
A periodic assessment of technical, administrative, and managerial controls to enhance data integrity and accountability is performed.
System users/operators are officially designated as agents of FAA and complete a training process associated with their specific role in the PIV process.
Separation of Duties Controls: The system will be accessed by permissions to ensure separation of roles. For example, someone who logs on as a sponsor would not be able to log on and perform any of the other functions of the system.
Security of ID credential issued to an employee or contractor is achieved by full compliance with the mandatory requirements of the Federal Information Processing Standard Publication 201 (FIPS Pub 201), Personal Identity Verification of Federal Employees and Contractors. Specific safeguards include:
Card issuing authority is limited to providers with official accreditation pursuant to NIST Special Publication 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations.
Cards use at least one visual tamper-proof feature (such as holograms, watermarks, etc).
Card data is encrypted and stored on the card.
Card is sheathed in electromagnetically opaque sleeve to protect against unauthorized contact less access to stored information.
Employees are alerted to importance of protecting card.
Cards expire within 5 years from issuance.
Cards are returned to FAA when no longer needed (or upon employee/contractor separation from the agency).
Cards are deactivated upon employee/contractor separation, loss of card, or expiration.
Specialized role-based training is undergone for all persons involved in the PIV process.
6.3 Who will have access to the information in IDMS?
Access to the data in IDMS is strictly controlled, and is limited to those with an operational need to access it. There will be three sets of IDMS users:
Authorized information technology (IT) personnel or contractors (pursuant to an appropriate routine use) who handle the operations and maintenance of the system will have limited access to the system to support the credentialing activity as well as trouble shoot technical system issues encountered on a day-to-day basis.
FAA human resources personnel, managers, contracting officers, and contracting officer technical representatives who perform the PIV sponsor role and functions.
FAA/ASH personnel security specialists who are provided access to the system and to PIV card request data in order to perform relevant PIV role for registrar and issuer functions.
Personnel from other FAA organizations and/or contractors who may perform the trusted agent role and functions for the registrar or issuer.
Security guards at FAA and DOT facilities who will use the system to verify if a person is valid card holder or visitor.
A card holder who may access their own record to reset numeric PIN if locked.
Users who perform registrar, issuer, or administrative support have unlimited system access and are subject to rigorous background checks before they are allowed access to the system.
6.4 Are written procedures in place identifying who may access the system?
The IDMS Final Requirements Document describes in detail the roles, responsibilities, and procedures for PIV processing. All FAA employees and assigned contractor staff receive appropriate privacy and security training. Only those with adequate level background investigations are granted access to sensitive information – and this requirement is enforced on the contractors through clauses incorporated in the contracts issued by FAA. Additionally, standard operating procedures and system user manuals describe in detail user roles, responsibilities, and access privileges.
6.5 What technical and/or operational controls are in place to prevent misuse of data by those having access?
All access will include role-based restrictions, and individuals given access privileges will first undergo vetting and suitability screening. All data exchange will take place over encrypted data communication networks. Private networks and/or encryption technologies will be used during the transfer of information to ensure that Internet “eavesdropping” does not take place and that data is sent only to its intended destination and to an authorized user, by an authorized user. Biometric image and template data is encrypted at rest and never issued in the clear. The FAA maintains an audit trail and performs random periodic reviews to identify unauthorized access. Persons given roles in the PIV process must be approved by the government and complete training specific to their roles to ensure they are knowledgeable about how to protect personally identifiable information.
Furthermore, the system is fully compliant with FIPS 201, Part I (PIV-I), which describes the minimum requirements for a Federal personal identification system that meets the control and security objectives of HSPD-12. Ten requirements are listed in PIV-I stating how and to what extent “each agency’s PIV implementation shall meet the four control objectives.” FIPS 201 then specifies requirements for 1) PIV Identity Proofing and Registration; 2) PIV Issuance and Maintenance; and 3) PIV Privacy. The PIV Identity Proofing and Registration Requirements (FIPS 201 section 2.2) state, “The identity proofing and registration processes used when verifying the identity of the applicant shall be accredited by the department or agency as satisfying the requirements above and approved in writing by the head of the Federal department or agency.”
6.6 Given the access and security controls you evaluated, what privacy risks were identified and describe how you mitigated them?
Section 1.6 and Section 5.7 above identify the privacy risks identified by FAA and steps taken to mitigate them
Section 7.0 Data Storage and Retention
7.1 What are the retention periods for the data in the system?
Paper records generated by IDMS will be retained in accordance with the current version of FAA Order 1350.15, Records Organization, Transfer and Destruction Standards. https://employees.faa.gov/tools_resources/orders_notices. The electronic records generated by IDMS are currently unscheduled with the National Archives and Records Administration (NARA). For employees and contractors currently working at FAA, data in IDMS will be kept in the active databases for the duration of their employment with FAA. Until the electronic records are scheduled for disposition, they will be maintained indefinitely, as required by 36 CFR 1228.26(a)(1) and (2), even when the PIV card for FAA employee or contractor is revoked.
Section 8.0 Results of FISMA review
8.1 Have the systems completed a Certification & Accreditation (C&A) as required by FISMA?
A C&A for the FAA IDMS system was completed on December 4, 2007.
8.2 If not, at what stage in the C&A process are the system(s) and what is the anticipated date of the C&A?
A C&A for the FAA IDMS system was completed on December 4, 2007.
8.3 Has the agency conducted a risk assessment, and identified and implemented appropriate technical, administrative, and operational security controls?
A C&A for the FAA IDMS system was completed on December 4, 2007. A Risk Assessment is being performed as part of this system C&A.
Section 9.0 Analysis and Assessment
9.1. Whether or not competing technologies were evaluated, describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system(s).
The data integrity, privacy, and security for the IDMS system were reviewed as part of the C&A being performed for the system. In addition, these requirements were also reviewed as part of the C&A performed on the PCI organization in accordance with NIST 800-79 requirements. A Privacy Impact Assessment (PIA) has been completed for the IDMS system. A similar PIA and the SORN have been generated and published for the Investigations Tracking System that is the source for the PII data being used by the IDMS system.
9.2 Did you evaluate competing technologies to assess and compare their ability to effectively achieve the program’s goals?
Yes, the program team researched and reviewed a number of products from the GSA approved products list for the PKI/SSP services, card management systems, middleware, PIV-II cards, card sleeves, card printers, card readers, and fingerprint capture devices. These products were reviewed, and some tested in detail, to determine their use as the credentialing solution for FAA.
9.3 If applicable, describe the competing technologies.
See response above.
9.4 Describe the changes made to the PIV program due to the assessment.
The assessment enabled the PIV credentialing program to change some of the assumptions made early in the process. It identified changes needed to the current business processes, identified needed policy changes, assisted in development of the technical solution for FAA, facilitated initial assessment of workload changes in future on personnel security specialists, and identified preliminary resource requirements.
9.5 What unique issues does this program present?
Per FIPS 201 requirements, the Applicant appears in-person at least once before the issuance of a PIV credential – which is a change from the current process. The deployment strategy has to be refined to cater to the FAA employees who are not located in close proximity to FAA enrollment service centers to minimize the impact on the PIV Applicants.
9.6 What specific strategies are used to address these issues?
To minimize the necessity for PIV card applicants to appear in person, the FAA ASH organization is planning to utilize trusted agents from other FAA organizations – based in the local area as the card applicant -- to perform the enrollment or issuance functions. Additionally, FAA ASH organization has developed a number of automation features within the IDMS system that will enable the card applicant to self-activate and issuance of the PIV card under the supervision of the trusted agent (their manager).
9.7 What unique issues are not mitigated completely? What are the potential impacts of these issues on privacy?
ASH is currently engaging in discussions with other lines of businesses and staff offices within FAA to determine the total number of trusted agents that will be utilized. Once finalized, these trusted agents will be trained in their PIV roles before they perform any trusted agent functions.
Section 10.0 CONCLUSIONS
In the meantime, it should be noted that:
Consequences for violating privacy policies for the IDMS system are governed by the FAA Privacy Order 1280.1B (draft).
The C&A of the PCI organization for PIV-1 processes was completed in October 2006 and for PIV-II processes was completed on February 13, 2008 prior to system deployment; and thereafter, once every three years or upon major changes.
A system security plan as well as a certification and accreditation (C&A) of the identity management system (IDMS) was completed on December 4, 2007. These documents will cover the areas required by NIST Special Publication 800-53. The C&A of the IDMS system will be completed once every three years or upon major changes.
Section 11.0 DETERMINATIONS of Officials
The sensitivity of this system requires that FAA ensure that it meets the following requirements:
Achieve an IT Security accreditation and certification every three years;
Review associated System of Record Notices every other year;
Review and update as necessary applicable PIAs every year.
Contingent on the three elements listed above and the satisfaction of all applicable Directives, OMB guidance, and NIST standards and requirements, the privacy controls related to the system this PIA covers are considered adequate.
 SF 85 and SF 86 can be downloaded at: http://www.opm.gov/forms/html/sf.asp