In November 2008, the National Institute of Standards and Technology (NIST) released a new document that will likely have significant impact on all physical access control systems (PACS) in use at federal government facilities today. The new document is called Special Publication (SP) 800-116 and is titled "A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)" (download PDF of NIST SP 800-116). This new document redefines how the PIV card issued to Federal Government employees and contractors should be used for access control, and this new recommendation goes well beyond what typical PACS implementations have done in the past. Such a drastic change to the status quo will necessarily create challenges for PACS vendors to meet these requirements, and will cause all Federal Government agencies to re-evaluate their systems.

In February 2005 NIST released Federal Information Processing Standard (FIPS) publication 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors." This standard defines not only the minimum requirements for identity vetting and card issuance, but also the requirements for use of the so-called PIV card from a technological perspective. FIPS 201 includes many options for unique identification of the cardholder: the Cardholder Unique Identifier (CHUID), the Globally Unique Identifier (GUID), Federal Agency Smart Credential Number (FASC-N), and digital signatures.

Optional data elements lead to a lowest common denominator approach

The goal of FIPS 201 is to provide a framework to allow interoperability of credentials issued to all Federal Government employees and contractors at federally controlled facilities. Without such a standard, different agencies would not be able to trust the identity vetting and card authenticity of credentials issued at other agencies. Providing this framework for trust has been crucial. However, a desire for interoperability of the credential across disparate PACS posed various problems.