Homeland Security Presidential Directive 12 (HSPD-12): Policy for a Common Identification Standard for Federal Employees and Contractors (Aug. 2004) (full-text).


This Directive establishes a mandatory, government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors to enhance security, increase governmental efficiency, reduce identity fraud, and protect personal privacy.

HSPD-12 applies to federal employees, contractors, and affiliates requiring long-term access to federal facilities and information systems in accordance with OMB Memorandum M-05-24. Applicability to affiliates, which may include foreign nationals and other parties, is an agency-level, risk-based decision.

HSPD-12 established control objectives for secure and reliable identification of Federal employees and contractors. These control objectives, provided in paragraph 3 of the directive, were:

(3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process.

HSPD-12 directed the Department of Commerce to develop a Federal Information Processing Standards (FIPS) publication to define such a common identification credential. In accordance with HSPD-12, this standard (FIPS 201) defines the technical requirements for the identity credential that —

This standard defines authentication mechanisms offering varying degrees of security. Federal departments and agencies will determine the level of security and authentication mechanisms appropriate for their applications. This standard does not specify access control policies or requirements for Federal departments and agencies. Therefore, the scope of this standard is limited to authentication of an individual’s identity.