Frequently Asked Questions

The FAQs on this page are related to the information in the About USAccess section of this website including specific information about the USAccess service, PKI, and how to participate in the USAccess program. FAQs relating to Customer Agencies or the Credential Holders reside in those sections.

About USAccess

FIPS 201 is the technical standard that HSPD-12 required the National Institute of Standards and Technology (NIST) to develop. FIPS 201 is entitled _Personal Identity Verification (PIV) for Federal Employees and Contractors.? The standard requires the collection of fingerprint and facial information for inclusion on the credential. (Government agencies already use such information to differing degrees depending on the agency.) The PIV credential will contain both a "contact" smart chip and a "contactless" chip. Containing both a "contact" and "contactless" chip will allow the credential to be read by devices that need direct contact with the credential and devices that can read the credential remotely. FIPS 201 was issued on February 27, 2005. The first revision of FIPS 201-1 was finalized in June 2006. The second revision of FIPS 201-2 was finalized in August 2013.

The Homeland Security Presidential Directive 12 (HSPD-12) is the directive that was issued for "Policy for a Common Identification Standard for Federal Employees and Contractors". HSPD-12 calls for all federal employees and contractors to use a standard smart credential to verify their identity for secure access to federal buildings and information systems.

HSPD-12 called upon the National Institute of Standards and Technology (NIST) to develop the actual technical standard, and the Office of Management and Budget (OMB) to manage implementation of the credentials. The uses of the credentials are left to the agencies themselves to decide.

The purpose of HSPD-12 is to provide a common reliable identification verification for government employees and contractors. It will help to protect against a variety of threats including: 

  • Unauthorized access to physical facilities or logical assets
  • Improper issuance of valid credential to malicious holder
  • Counterfeiting of credentials
  • Intercept or probing to access stored information
  • Successful cryptanalytic attacks against stored protected information
  • Use of stolen or borrowed credential to gain access to physical or logical systems
  • Intercept/technical surveillance to capture PIN(s)
  • Use of credential issued for access to lower sensitivity/criticality assets to achieve access to more sensitive/critical assets

 

GSA is offering the USAccess Program to help reduce the costs for participating agencies associated with procuring FIPS 201-compliant equipment, software, and services.
GSA expects to reduce costs by leveraging the collective buying power of the government through a shared-services approach. Using this approach, the program spreads infrastructure costs among all USAccess Program shareholders, which in turn reduces the overall price for each individual participant. For the price list and more information on costs associated with the USAccess Program, please contact the GSA Managed Service Office.

For agencies, the USAccess Program simplifies the process of sponsoring, enrolling, adjudicating, and credentialing applicants while maintaining the lifecycle of these credentials for each participant. For more benefits, visit Program Benefits. Employees and contractors (i.e. applicants) can trust that PIV credentials issued under the USAccess Program are secure, reliable, and comply with the government-established HSPD-12 standard.

The General Services Administration Managed Services Office offering, USAccess, delivers an end-to-end solution as a shared service to participating federal agencies. By enrolling in the USAccess Program, participants gain access to a standard, end-to-end contractor managed service.

Service components included in the USAccess Program:
Credential production, issuance, activation, and management;
Role holder administration and management;
Reporting, and
Public Key Infrastructure (PKI)

In addition to these components, the USAccess Program offers a suite of support services including deployment, training and customer support.GSA selected Electronic Data Systems (EDS) in 2007 (since renamed to Hewlett Packard Enterprise (HPE)) as the prime contractor to provide technology and services in support of the USAccess Program. Through EDS, GSA acquired innovative, yet standardized, end-to-end contractor managed services.

As outlined in the Homeland Security Presidential Directive 12 (HSPD-12), each government agency must issue PIV compliant credentials to its employees. In response to HSPD-12 the GSA MSO established the USAccess Program. The USAccess Program aims to ease participants from the burden of acquiring services, coordinating integration with governments systems, and managing contracted vendors. The GSA MSO serves as the executive agent for the program and will oversee all of these functions.
Agencies participating in the USAccess Program gain economies of scale from the shared services model. Leveraging the volume and program management requirements allows participants to concentrate on usage of the credential for physical and logical access controls and leads to cost reductions across the government.

The PIV requirements are based on the Homeland Security Presidential Directive-12 (HSPD-12) that requires federal agencies to issue secure and reliable forms of personal identification:

  • Based on sound criteria to verify an individual employee identity
  • That are strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  • That can provide rapid electronic verification of personal identity
  • That contain identity tokens issued only by providers whose reliability has been established by an official accreditation process
  • Applicable to all government organizations and contractors
  • To be used to grant access to federally-controlled facilities and logical access to federally-controlled information systems
  • Not applicable to identification associated with national security systems
  • To be implemented in a manner that protects individual privacy
Email This Link