Appendix C. Glossary of Terms, Acronyms, and Notations

This appendix is informative. It describes the vocabulary and textual representations used in the document.

C.1 Glossary of Terms

The following terms are used throughout this Standard.

Access Control
The process of granting or denying specific requests to 1) obtain and use information and related information processing services and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
Adjudicative Entity
An agency authorized by law, Executive Order, designation by the Security Executive Agent, or delegation by the Suitability & Credentialing Executive Agent to make an adjudication. Adjudication has the meaning provided in [Executive Order 13764], “(a) ‘Adjudication’ means the evaluation of pertinent data in a background investigation, as well as any other available information that is relevant and reliable, to determine whether a covered individual is: (i) suitable for Government employment; (ii) eligible for logical and physical access; (iii) eligible for access to classified information; (iv) eligible to hold a sensitive position; or (v) fit to perform work for or on behalf of the Government as a Federal employee, contractor, or non-appropriated fund employee.”
Applicant
An individual applying for a PIV Card or derived PIV credential. The applicant may be a current or prospective federal hire, a federal employee, or a contractor.
Application
A hardware/software system implemented to satisfy a particular set of requirements. In this context, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s identity so that the end user’s identifier can be used to facilitate the end user’s interaction with the system.
Architecture
A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).
Assertion
A verifiable statement from an IdP to an RP that contains information about an end user. Assertions may also contain information about the end user’s authentication event at the IdP.
Asymmetric Keys
Two related keys—a public key and a private key—that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
Authentication
The process of establishing confidence of authenticity; in this case, the validity of a person’s identity and an authenticator (e.g., PIV Card or derived PIV credential).
Authenticator
Something the cardholder possesses and controls (e.g., PIV Card or derived PIV credential) that is used to authenticate the cardholder’s identity.
Authenticator Assurance Level (AAL)
A measure of the strength of an authentication mechanism and, therefore, the confidence in it, as defined in [SP 800-63] in terms of three levels:
AAL1
Some confidence
AAL2
High confidence
AAL3
Very high confidence
Biometric Authentication (BIO, BIO-A)
A form of authentication in which authenticity is established by biometric verification of a new biometric sample from a cardholder to a biometric data record read from the cardholder’s activated PIV Card. In BIO, the biometric sample may be captured from the cardholder in isolation, while in BIO-A, an attendant must oversee the process of biometric capture.
Biometric Capture Device
Device that collects a signal from a biometric characteristic and converts it to a captured biometric sample. SOURCE: [ISO 2382-37]
Biometric Characteristic
Biological attribute of an individual from which distinctive and repeatable values can be extracted for the purpose of automated recognition. Fingerprint ridge structure and face topography are examples of biometric characteristics. SOURCE: [ISO 2382-37, adapted]
Biometric Data
Biometric sample or aggregation of biometric samples at any stage of processing. SOURCE: [ISO 2382-37]
Biometric Data Record
Electronic data record containing biometric data. This information can be in terms of raw or compressed pixels or in terms of some biometric characteristic (e.g., patterns). SOURCE: [ISO 2382-37, adapted]
Biometric On-Card Comparison (OCC)
A one-to-one comparison of fingerprint biometric data records transmitted to the PIV Card with a biometric reference previously stored on the PIV Card. In this Standard, OCC is used as a means of performing card activation and as part of Biometric On-Card Comparison Authentication (OCC-AUTH).
Biometric On-Card Comparison Authentication (OCC-AUTH)
An authentication mechanism where biometric on-card comparison (OCC) is used instead of a PIN to activate a PIV Card for authentication.
Biometric Verification
Automated process of confirming a biometric claim through biometric comparison. SOURCE: [ISO 2382-37, adapted]
Biometric Verification Decision
A determination of whether biometric probe(s) and biometric reference(s) have the same biometric source based on comparison score(s) during a biometric verification transaction. SOURCE: [ISO 2382-37, adapted]
Capture
Series of actions undertaken to obtain and record, in a retrievable form, signals of biometric characteristics directly from individuals. SOURCE: [ISO 2382-37, adapted]
Cardholder
An individual who possesses an issued PIV Card.
Card Management System
The system that manages the lifecycle of a PIV Card application.
Card Verifiable Certificate
A certificate stored on the PIV Card that includes a public key, the signature of a certification authority, and further information needed to verify the certificate.
Central Verification System
A system operated by the Office of Personnel Management that contains information on security clearances, investigations, suitability, fitness determinations, [HSPD-12] decisions, PIV credentials, and polygraph data.
Certificate Revocation List
A list of revoked public key certificates created and digitally signed by a certification authority. SOURCES: [RFC 5280, adapted] [RFC 6818, adapted]
Certification
The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
Certification Authority
A trusted entity that issues and revokes public key certificates.
Chain of Trust
An interoperable data format for PIV enrollment records that facilitates the import and export of records between PIV Card issuers.
Comparison
Estimation, calculation, or measurement of similarity or dissimilarity between biometric probe(s) and biometric reference(s). See also Identification. SOURCE: [ISO 2382-37]
Component
An element of a large system—such as an identity card, issuer, card reader, or identity verification support—within the PIV system.
Conformance Testing
A process established by NIST within its responsibilities of developing, promulgating, and supporting a FIPS for testing specific characteristics of components, products, services, people, and organizations for compliance with the FIPS.
Credential
Evidence attesting to one’s right to credit or authority. In this Standard, it is the PIV Card or derived PIV credential associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual.
Cryptographic Key (Key)
A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
Derived PIV Credential
A credential issued based on proof of possession and control of a PIV Card. Derived PIV credentials are typically used in situations that do not easily accommodate a PIV Card, such as in conjunction with mobile devices.
Enrollment
See Identity Registration.
Enrollment Data Set
A record that includes information about a biometric enrollment (i.e., name and role of the acquiring agent, office and organization, time, place, and acquisition method).
Federal Agency Smart Credential Number (FASC-N)
One of the primary identifiers on the PIV Card for physical access control, as required by FIPS 201. The FASC-N is a fixed length (25 byte) data object that is specified in [SP 800-73] and included in several data objects on a PIV Card.
Federal Information Processing Standards (FIPS)
A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology to achieve a common level of quality or some level of interoperability.
Federation
A process that allows for the conveyance of identity and authentication information across a set of networked systems.
Federation Assurance Level (FAL)
A category that describes the federation protocol used to communicate an assertion containing authentication and attribute information (if applicable) to an RP, as defined in [SP 800-63] in terms of three levels:
FAL1
Some confidence
FAL2
High confidence
FAL3
Very high confidence
Identification
The process of discovering the identity (i.e., origin or initial history) of a person or item from the entire collection of similar persons or items.
Identifier
Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers.
Identity
The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Identity Assurance Level (IAL)
A category that conveys the degree of confidence that a person’s claimed identity is their real identity, as defined in [SP 800-63] in terms of three levels:
IAL1
Some confidence
IAL2
High confidence
IAL3
Very high confidence
Identity Proofing
The process of providing sufficient information (e.g., identity history, credentials, documents) to establish an identity.
Identity Management System (IDMS)
One or more systems or applications that manage the identity proofing, registration, and issuance processes.
Identity Registration
The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. In some other NIST documents, such as [SP 800-63A], identity registration is referred to as enrollment.
Identity Verification
The process of confirming or denying that a claimed identity is correct by comparing the credentials of a person requesting access with those previously proven and associated with the PIV Card or a derived PIV credential associated with the identity being claimed.
Invalidate
To render a credential or authenticator incapable of being used for authentication by causing its authenticator output to no longer be accepted by relying parties.
Issuer
The organization that is issuing the PIV Card to an applicant. Typically, this is an organization for which the applicant is working.
Issuing Facility
A physical site or location—including all equipment, staff, and documentation—that is responsible for carrying out one or more of the following PIV functions:
  • identity proofing and registration;
  • card and token production;
  • activation and issuance;
  • post-issuance binding of derived PIV credentials; and
  • maintenance.
Key
See Cryptographic Key.
Match
Comparison decision stating that the biometric probe(s) and the biometric reference are from the same source. Match is a possible result of a Comparison. The opposite of a match is a non-match. SOURCE: [ISO 2382-37, adapted]
Model
A detailed description or scaled representation of one component of a larger system that can be created, operated, and analyzed to predict actual operational characteristics of the final produced component.
Off-Card
Refers to data that is not stored within the PIV Card or to a computation that is not performed by the integrated circuit chip (ICC) of the PIV Card.
On-Card
Refers to data that is stored within the PIV Card or to a computation that is performed by the integrated circuit chip (ICC) of the PIV Card.
Online Certificate Status Protocol (OCSP)
An online protocol used to determine the status of a public key certificate. SOURCE: [RFC 6960, adapted]
Path Validation
The process of verifying the binding between the subject identifier and subject public key in a certificate, based on the public key of a trust anchor, through the validation of a chain of certificates that begins with a certificate issued by the trust anchor and ends with the target certificate. Successful path validation provides strong evidence that the information in the target certificate is trustworthy.
Personally Identifiable Information (PII)
Information that can be used to distinguish or trace an individual’s identity—such as name, social security number, biometric data records—either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.). SOURCE: [M-17-12, adapted]
Personal Identification Number (PIN)
A numeric secret that a cardholder memorizes and uses as part of authenticating their identity.
Personal Identity Verification (PIV) Identity Account
The logical record containing credentialing information for a given PIV cardholder. This is stored within the issuer’s identity management system and includes PIV enrollment data, cardholder identity attributes, and information regarding the cardholder’s PIV Card and any derived PIV credentials bound to the account.
Personal Identity Verification (PIV) Card
A physical artifact (e.g., identity card, “smart” card) issued to an individual that contains a PIV Card application that stores identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials.
PIV Credential
A credential that authoritatively binds an identity (and, optionally, additional attributes) to the authenticated cardholder that is issued, managed, and used in accordance with the PIV standards. These credentials include public key certificates stored on a PIV Card as well as other authenticators bound to a PIV identity account as derived PIV credentials.
PIV Enrollment Record
A sequence of related enrollment data sets that is created and maintained by PIV Card issuers. The PIV enrollment record typically contains data collected at each step of the PIV identity proofing, registration, and issuance processes.
PIV Visual Credential Authentication (VIS)
An authentication mechanism where a human guard inspects the PIV Card and the person presenting it and makes an access control decision based on validity of the card and its correspondence with the presenter. This mechanism is deprecated.
Private Key
The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.
Pseudonym
A name assigned through a formal process by a federal department or agency to a federal employee for the purpose of the employee’s protection (i.e., the employee might be placed at risk if their actual name were known) or for other purposes.
Public Key
The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.
Public Key Certificate
A digital document issued and digitally signed by the private key of a certification authority that binds an identifier to a cardholder through a public key. The certificate indicates that the cardholder identified in the certificate has sole control and access to the private key. SOURCE: [RFC 5280, adapted]
Public Key Infrastructure (PKI)
A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and the storage of sensitive verification system data within identity cards and the verification system.
PKI-Card Authentication (PKI-CAK)
A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the card authentication key of the PIV Card and a contact or contactless reader.
PKI-PIV Authentication (PKI-AUTH)
A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV authentication key of the PIV Card and a contact reader or a contactless card reader that supports the virtual contact interface.
Recommendation
A special publication of the ITL that stipulates specific characteristics of the technology to use or the procedures to follow to achieve a common level of quality or level of interoperability.
Registration
See Identity Registration.
Symmetric Key
A cryptographic key that is used to perform both the cryptographic operation and its inverse (e.g., to encrypt, decrypt, create a message authentication code, or verify a message authentication code).
Secure Messaging Key Authentication (SM-AUTH)
An authentication mechanism where the secure messaging key and associated certificate are used for authentication.
Security Executive Agent
Individual responsible for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures that govern the conduct of investigations and adjudications for eligibility to access classified information and eligibility to hold a sensitive position in the Federal Government. In accordance with Executive Order 13467 (as amended), this individual is the Director of National Intelligence (DNI).
Symmetric Card Authentication Key Authentication (SYM-CAK)
An authentication mechanism where the PIV Card is identified using the CHUID or another data element, and then the card responds to a challenge by signing the challenge value with the symmetric card authentication key. This mechanism is deprecated.
Suitability and Credentialing Executive Agent
Individual responsible for prescribing suitability standards and minimum standards of fitness for employment. With the issuance of Executive Order 13467, as amended, the Suitability and Credentialing Executive Agent is responsible for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures governing the conduct of investigations and adjudications for Suitability, Fitness, and Credentialing determinations in the Federal Government. Pursuant to Sections 1103 and 1104 of Title 5, United States Code, and the Civil Service Rules, the director of the Office of Personnel Management (OPM) is the Suitability and Credentialing Executive Agent.

C.2 Acronyms and Abbreviations

The following acronyms and abbreviations are used throughout this Standard:

AAL
Authenticator Assurance Level
AAMVA
American Association of Motor Vehicle Administrators
ACL
Access Control List
AID
Application Identifier
AIM
Association for Automatic Identification and Mobility
ANSI
American National Standards Institute
ASN.1
Abstract Syntax Notation One
ASTM
American Society for Testing and Materials
CA
Certification Authority
CAK
Card Authentication Key
CBEFF
Common Biometric Exchange Formats Framework
CDS
Card Design Standard
CHUID
Cardholder Unique Identifier
cm
Centimeter
CMS
Cryptographic Message Syntax
CMTC
Card Management System to Card
CMVP
Cryptographic Module Validation Program
CMYK
Cyan, Magenta, Yellow, and Key (or blacK)
COTS
Commercial Off-the-Shelf
CRL
Certificate Revocation List
CSE
Communications Security Establishment
CTC
Cardholder to Card
CTE
Cardholder to External System
CVC
Card Verifiable Certificate
DHS
Department of Homeland Security
DN
Distinguished Name
DOB
Date of Birth
DPCI
Derived PIV Credential Issuer
dpi
Dots Per Inch
ERT
Emergency Response Team
FAL
Federation Assurance Level
FASC-N
Federal Agency Smart Credential Number
FBI
Federal Bureau of Investigation
FICAM
Federal Identity, Credential, and Access Management
FIPS
Federal Information Processing Standards
FIPS PUB
FIPS Publication
GSA
U.S. General Services Administration
GUID
Global Unique Identification number
HR
Human Resources
HSPD
Homeland Security Presidential Directive
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
IAL
Identity Assurance Level
ICC
Integrated Circuit Chip
ID
Identification
IDMS
Identity Management System
IdP
Identity Provider
IEC
International Electrotechnical Commission
IETF
Internet Engineering Task Force
INCITS
International Committee for Information Technology Standards
IR
Infrared
ISO
International Organization for Standardization
IT
Information Technology
ITL
Information Technology Laboratory
mil
Thousandth of an inch
mm
Millimeter
MWR
Morale, Welfare, and Recreation
NACI
National Agency Check with Written Inquiries
NCHC
National Criminal History Check
NIST
National Institute of Standards and Technology
NISTIR
National Institute of Standards and Technology Interagency or Internal Report
NPIVP
NIST Personal Identity Verification Program
NVLAP
National Voluntary Laboratory Accreditation Program
OCC
On-Card Biometric One-to-One Comparison
OCSP
Online Certificate Status Protocol
OID
Object Identifier
OMB
Office of Management and Budget
OPM
Office of Personnel Management
PCI
PIV Card Issuer
PC/SC
Personal Computer/Smart Card
PDF
Portable Data File
PIA
Privacy Impact Assessment
PII
Personally Identifiable Information
PIN
Personal Identification Number
PIV
Personal Identity Verification
PKI
Public Key Infrastructure
pt
Point (unit of measurement)
RFC
Request for Comments
RP
Relying Party
SAML
Security Assertion Markup Language
SAN
Subject Alternative Name
SP
Special Publication
sRGB
Standard Red Green Blue
SSP
Shared Service Provider
URN
Uniform Resource Name
U.S.C.
United States Code
UUID
Universally Unique Identifier
UV
Ultraviolet

C.3 Notations

This Standard uses the following typographical conventions in text: