Appendix D. References

This appendix is informative. It lists the specifications and standards referred to in this document.

[A-130] Office of Management and Budget (2016) Managing Information as a Strategic Resource. (The White House, Washington, DC), OMB Circular A-130, July 28, 2016. Available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf

[ANSI 322] InterNational Committee for Information Technology Standards (2008) ANSI INCITS 322-2008 — Information Technology — Card Durability Test Methods. (ANSI, New York, NY) [or as amended]. Available at https://webstore.ansi.org/standards/incits/ansiincits3222008

[CDS] American Association of Motor Vehicle Administrators (2016) AAMVA DL/ID Card Design Standard: Personal Identification — AAMVA North American Standard. (American Association of Motor Vehicle Administrators, Arlington, VA), Version 1.0. Available at https://www.aamva.org/DL-ID-Card-Design-Standard/

[6 CFR § 37.5] Validity periods and deadlines for REAL ID driver’s licenses and identification cards, 6 C.F.R. § 37.5 (2021). https://ecfr.federalregister.gov/current/title-6/chapter-I/part-37/subpart-A/section-37.5

[COMMON] Federal Public Key Infrastructure Policy Authority (2020) X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework. (Federal CIO Council), Version 1.32 [or as amended]. Available at https://www.idmanagement.gov/docs/fpki-x509-cert-policy-common.pdf

[CSP] U.S. Office of Personnel Management (2020) Credentialing Standards Procedures for Issuing Personal Identity Verification Cards under HSPD-12 and New Requirement for Suspension or Revocation of Eligibility for Personal Identity Verification Credentials (U.S. Office of Personnel Management, Washington, DC), December 15, 2020. Available at https://www.opm.gov/suitability/suitability-executive-agent/policy/cred-standards.pdf

[E-Gov] E-Government Act of 2002, Pub. L. 107-347, 116 Stat 2899. https://www.govinfo.gov/app/details/PLAW-107publ347

[EO-13764] Executive Order 13764 (2017) Amending the Civil Service Rules, Executive Order 13488, and Executive Order 13467 To Modernize the Executive Branch-Wide Governance Structure and Processes for Security Clearances, Suitability and Fitness for Employment, and Credentialing, and Related Matters. (Executive Office of the President), January 17, 2017 [or as amended]. https://www.federalregister.gov/executive-order/13764

[FCS] U.S. Office of Personnel Management (2008) Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12. (U.S. Office of Personnel Management, Washington, DC), July 31, 2008. Available at https://www.opm.gov/suitability/suitability-executive-agent/policy/final-credentialing-standards.pdf

[FIPS 140] National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, DC), Federal Information Processing Standards Publication (FIPS) 140-3 [or as amended]. https://doi.org/10.6028/NIST.FIPS.140-3

[FICAM-Roadmap] Federal CIO Council, Federal Enterprise Architecture (2011) Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance. (Federal CIO Council), Version 2.0 [or as amended]. Available at https://www.idmanagement.gov/docs/roadmap-ficam.pdf

[G155-2013] ASTM International (2013) ASTM G155-13 — Standard Practice for Operating Xenon Arc Light Apparatus for Exposure of Non-metallic Materials. (ASTM International, West Conshohocken, PA) [or as amended]. Available at https://compass.astm.org/EDIT/html_annot.cgi?G155+13

[G90-17] ASTM International (2017) ASTM G90-17 — Standard Practice for Performing Accelerated Outdoor Weathering of Materials Using Concentrated Natural Sunlight. (ASTM International, West Conshohocken, PA) [or as amended]. Available at https://compass.astm.org/EDIT/html_annot.cgi?G90+17

[HSPD-12] Bush, GW (2004) Policy for a Common Identification Standard for Federal Employees and Contractors. (The White House, Washington, DC), Homeland Security Presidential Directive HSPD-12. Available at https://www.dhs.gov/homeland-security-presidential-directive-12

[IEC61966] International Electrotechnical Commission (1999) IEC 61966-2-1:1999 — Multimedia systems and equipment — Colour measurement and management — Part 2-1: Colour management — Default RGB colour space — sRGB. (International Electrotechnical Commission, Geneva, Switzerland) [or as amended]. Available at https://webstore.iec.ch/publication/6169

[ISC-RISK] Interagency Security Committee (2016) The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard. (U.S. Department of Homeland Security, Washington, DC), 2nd edition [or as amended]. Available at https://www.cisa.gov/sites/default/files/publications/isc-risk-management-process-2016-508.pdf

[ISO 2382-37] International Organization for Standardization/International Electrotechnical Commission (2017) ISO/IEC 2382-37:2017 — Information technology — Vocabulary — Part 37: Biometrics. (International Organization for Standardization, Geneva, Switzerland) [or as amended]. Available at https://www.iso.org/standard/66693.html

[ISO 3166] International Organization for Standardization (2013) ISO 3166-1:2013 Codes for the representation of names of countries and their subdivisions — Part 1: Country codes. (International Organization for Standardization, Geneva, Switzerland) [or as amended]. Available at https://www.iso.org/standard/63545.html

[ISO 7810] International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 7810:2019 — Identification Cards — Physical Characteristics. (International Organization for Standardization, Geneva, Switzerland) [or as amended]. Available at https://www.iso.org/standard/70483.html

[ISO 7811] International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 7811 — Identification cards — Recording technique. (multiple parts):

[ISO 7816] International Organization for Standardization/International Electrotechnical Commission (2004-2020) ISO/IEC 7816 — Identification cards — Integrated circuit cards. (multiple parts):

[ISO 10373] International Organization for Standardization/International Electrotechnical Commission (2006-2018) ISO/IEC 10373 — Identification Cards — Test Methods. (multiple parts):

[ISO 14443] International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 14443-1:2018 — Cards and security devices for personal identification — Contactless proximity objects Part 1: Physical characteristics. (International Organization for Standardization, Geneva, Switzerland) [or as amended]. Available at https://www.iso.org/standard/73596.html

[M-03-22] Office of Management and Budget (2003) OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. (The White House, Washington, DC), OMB Memorandum M-03-22, September 26, 2003. Available at https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf

[M-04-04] Office of Management and Budget (2003) E-Authentication Guidance for Federal Agencies. (The White House, Washington, DC), OMB Memorandum M-04-04 (Rescinded), December 16, 2003. Available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2004/m04-04.pdf

[M-05-24] Office of Management and Budget (2005) Implementation of Homeland Security Presidential Directive (HSPD) 12 — Policy for a Common Identification Standard for Federal Employees and Contractors. (The White House, Washington, DC), OMB Memorandum M-05-24, August 5, 2005. Available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2005/m05-24.pdf

[M-17-12] Office of Management and Budget (2017) Preparing for and Responding to a Breach of Personally Identifiable Information. (The White House, Washington, DC), OMB Memorandum M-17-12, January 3, 2017. Available at https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf

[M-19-17] Office of Management and Budget (2019) Enabling Mission Delivery through Improved Identity, Credential, and Access Management. (The White House, Washington, DC), OMB Memorandum M-19-17, May 21, 2019. Available at https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf

[NISTIR 6529-A] Podio FL, Dunn JS, Reinert L, Tilton CJ, Struif B, Herr F, Russell J (2004) Common Biometric Exchange Formats Framework (CBEFF). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 6529-A. https://doi.org/10.6028/NIST.IR.6529-a

[NISTIR 7863] Polk WT, Ferraiolo H, Cooper DA (2015) Cardholder Authentication for the PIV Digital Signature Key. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7863. https://doi.org/10.6028/NIST.IR.7863

[OIDC4IA] Lodderstedt T, Fett D (2020) OpenID Connect for Identity Assurance 1.0. (OpenID Foundation eKYC-IDA Working Group), July 6, 2020. Available at https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html

[PCSC] Personal Computer/Smart Card Workgroup (2020) PC/SC Workgroup Specifications Overview. Available at https://pcscworkgroup.com/specifications/

[PRIVACY] Privacy Act of 1974, Pub. L. 93-579, 88 Stat 1896. https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf

[PROF] Federal Public Key Infrastructure Policy Authority (2018) X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Providers (SSP) Program. (Federal CIO Council), Version 1.9 [or as amended]. https://www.idmanagement.gov/docs/fpki-x509-cert-profiles-pivi.pdf

[PublicSans] U.S. Web Design Systems Public Sans Typeface. (U.S. Web Design Systems). Available at https://public-sans.digital.gov/

[REAL-ID] “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Final Rule,” 73 Federal Register 5271 (January 29, 2008), pp 5271-5340. https://www.federalregister.gov/d/08-140

[RFC 20] Cerf VG (1969) ASCII Format for Network Interchange. (Internet Engineering Task Force (IETF) Network Working Group), IETF Request for Comments (RFC) 20. https://doi.org/10.17487/RFC0020

[RFC 4122] Leach P, Mealling M, Salz R (2005) A Universally Unique IDentifier (UUID) URN Namespace. (Internet Engineering Task Force (IETF) Network Working Group), IETF Request for Comments (RFC) 4122. https://doi.org/10.17487/RFC4122

[RFC 5280] Cooper D, Santesson S, Farrell S, Boeyen S, Housley R, Polk W (2008) Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. (Internet Engineering Task Force (IETF) Network Working Group), IETF Request for Comments (RFC) 5280. https://doi.org/10.17487/RFC5280

[RFC 5652] Housley R (2009) Cryptographic Message Syntax (CMS). (Internet Engineering Task Force (IETF) Network Working Group), IETF Request for Comments (RFC) 5652. https://doi.org/10.17487/RFC5652

[RFC 6818] Yee P (2013) Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. (Internet Engineering Task Force (IETF)), IETF Request for Comments (RFC) 6818. https://doi.org/10.17487/RFC6818

[RFC 6960] Santesson S, Myers M, Ankney R, Malpani A, Galperin S, Adams C (2013) X.509 Internet Public Key Infrastructure Online Certificate Status Protocol — OCSP. (Internet Engineering Task Force (IETF)), IETF Request for Comments (RFC) 6960. https://doi.org/10.17487/RFC6960

[RFC 8485] Richer J, Johansson L (2018) Vectors of Trust. (Internet Engineering Task Force (IETF)), IETF Request for Comments (RFC) 8485. https://doi.org/10.17487/RFC8485

[RISK-MGMT-FACILITIES] Interagency Security Committee (2016) The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard. (U.S. Department of Homeland Security, Washington, DC), Interagency Security Standard, 2nd Edition [or as amended]. Available at https://www.cisa.gov/sites/default/files/publications/isc-risk-management-process-2016-508.pdf

[SAML-AC] Kemp J, Cantor S, Mishra P, Philpott R, Maler E (eds.) (2005) Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. (OASIS), OASIS Standard saml-authn-context-2.0-os. Available at https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

[SP 800-37] Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2 [or as amended]. https://doi.org/10.6028/NIST.SP.800-37r2

[SP 800-53] Joint Task Force (2020) Security and Privacy Controls for Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53, Rev. 5 [or as amended]. https://doi.org/10.6028/NIST.SP.800-53r5

[SP 800-59] Barker WC (2003) Guideline for Identifying an Information System as a National Security System. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-59 [or as amended]. https://doi.org/10.6028/NIST.SP.800-59

[SP 800-63] Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 02, 2020 [or as amended]. https://doi.org/10.6028/NIST.SP.800-63-3

[SP 800-63A] Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 02, 2020 [or as amended]. https://doi.org/10.6028/NIST.SP.800-63A

[SP 800-63B] Grassi PA, Newton EM, Perlner RA, Regenscheid AR, Fenton JL, Burr WE, Richer JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 02, 2020 [or as amended]. https://doi.org/10.6028/NIST.SP.800-63B

[SP 800-63C] Grassi PA, Nadeau EM, Richer JP, Squire SK, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Federation and Assertions. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63C, Includes updates as of March 02, 2020 [or as amended]. https://doi.org/10.6028/NIST.SP.800-63C

[SP 800-73] Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016 [or as amended]. https://doi.org/10.6028/NIST.SP.800-73-4

[SP 800-76] Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2 [or as amended]. https://doi.org/10.6028/NIST.SP.800-76-2

[SP 800-78] Polk WT, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4 [or as amended]. https://doi.org/10.6028/NIST.SP.800-78-4

[SP 800-79] Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2 [or as amended]. https://doi.org/10.6028/NIST.SP.800-79-2

[SP 800-85A] Chandramouli R, Mehta KL, Uzamere PA, II, Simon D, Ghadiali N, Founds AP (2016) PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-85A-4 [or as amended]. https://doi.org/10.6028/NIST.SP.800-85A-4

[SP 800-87] Ferraiolo H (2018) Codes for Identification of Federal and Federally-Assisted Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-87, Rev. 2 [or as amended]. https://doi.org/10.6028/NIST.SP.800-87r2

[SP 800-96] Dray JF, Jr., Giles A, Kelley M, Chandramouli R (2006) PIV Card to Reader Interoperability Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-96 [or as amended]. https://doi.org/10.6028/NIST.SP.800-96

[SP 800-116] Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1 [or as amended]. https://doi.org/10.6028/NIST.SP.800-116r1

[SP 800-122] McCallister E, Grance T, Scarfone KA (2010) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-122 [or as amended]. https://doi.org/10.6028/NIST.SP.800-122

[SP 800-156] Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156 [or as amended]. https://doi.org/10.6028/NIST.SP.800-156

[SP 800-157] Ferraiolo H, Cooper DA, Francomacaro S, Regenscheid AR, Burr WE, Mohler J, Gupta S (2014) Guidelines for Derived Personal Identity Verification (PIV) Credentials. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-157 [or as amended]. https://doi.org/10.6028/NIST.SP.800-157

[SP 800-217] Guidelines for the Use of Personal Identity Verification (PIV) Credentials with Federation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-217 [or as amended]. https://doi.org/10.6028/NIST.SP.800-217