The Federal Aviation Administration (FAA) is an agency of the United States Department of Transportation and has the authority to regulate and oversee all aspects of civil aviation in the US.
With over 47,000 permanent employees in many different locations distributed over a wide area, its aim is to provide “the safest, most efficient aerospace system in the world”.
As a US federal agency, the FAA was mandated to use PIV cards for secure identity management in order to meet the requirements of HSPD-12. As well as adhering to the FIPS 201 standard, any solution would also have to align with the FAA’s current business practices, be flexible enough to adapt to evolving business and security policy requirements, and have the ability to facilitate physical access control (PACS) and logical access control (LACS).
Key project requirements included:
- Issuance of PIV cards that comply with HSPD-12 and FIPS 201 standards
- Self-service capability
- Integration with a card production bureau
- Flexible activation model to align with the FAA business environment
MyID® was implemented to act as a single management system for all card and credential issuance and post-issuance activities.
As a very flexible product with a wide range of capabilities, MyID from Intercede was able to interface seamlessly with FAA systems straight out of the box. The implementation was designed to utilise extensive self-service capabilities to reduce cost and minimise help desk overheads; features available to users include self-activation, biometric PIN reset, card health check and on-card certificate updates.
Utilising MyID’s web services, the FAA was able to import pre-existing sponsorship information, allowing it to leverage existing data. By using the enrolment capability of MyID, the FAA fulfils its need to securely capture all required data elements: fingerprints, facial biometrics and photographs of applicants. In addition to meeting the FAA’s requirements for PIV, the system is also capable of issuing cards at lower assurance levels (such as PIV-I and CIV cards) to individuals not eligible for PIV cards.
Once a card request has been made, MyID passes this to a central card personalisation bureau that prints cards off-site. These cards are then shipped to the FAA for secure activation using MyID. Post-issuance management in MyID also allows the operator to issue temporary cards to staff whose card has been lost, forgotten or stolen, which saves time and money and minimises end-user frustration.
MyID has allowed the FAA to successfully comply with the latest updates to NIST standards and cryptographic key algorithms, and to integrate with back-end systems to enable PACS and LACS access. The project has been so successful that the FAA’s parent agency now uses the FAA system for its own PIV card issuance, and other US federal agencies are looking to the FAA as an example.