Guidance requested regarding PIV development by foreign nationals
81 views
Skip to first unread message
John Stewart
Feb 7, 2020, 9:35:54 AM2/7/20
to piv-test-cards
Hello,
I am looking for guidance regarding the use of foreign nationals for the development of PIV related solutions. I'm not finding any specific guidance in this regard as I search online (lots about foreign nationals getting a PIV credential).
Our solution utilizes the content of the PIV card after authentication (by another solution not authored by us). For example we use the PIV card in a laptop to authenticate against AD but we are not involved in any of the authentication process.
Are there known restrictions about potentially adding a foreign national to my development team which has access to the NIST sample PIV cards?
Thank you for any guidance.
John Stewart
Pharos Systems (www.pharos.com)
Douglas E Engert
Feb 10, 2020, 8:59:18 AM2/10/20
to piv-tes...@list.nist.gov
Although this may not answer your question, are you using the test/sample cards
with a production or test AD accessible from the internet?
Each set of cards are duplicates including duplicate PINs, certs, keys and objects.
Thus anyone, foreign national or not, with a set of the cards could try and access
any of your servers willing to accept the card.
> --
> To unsubscribe from this group, send email to piv-test-card...@list.nist.gov
> Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/piv-test-cards
> ---
> To unsubscribe from this group and stop receiving emails from it, send an email to piv-test-card...@list.nist.gov <mailto:piv-test-card...@list.nist.gov>.
--
Douglas E. Engert <DEEn...@gmail.com>
with a production or test AD accessible from the internet?
Each set of cards are duplicates including duplicate PINs, certs, keys and objects.
Thus anyone, foreign national or not, with a set of the cards could try and access
any of your servers willing to accept the card.
> To unsubscribe from this group, send email to piv-test-card...@list.nist.gov
> Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/piv-test-cards
> ---
> To unsubscribe from this group and stop receiving emails from it, send an email to piv-test-card...@list.nist.gov <mailto:piv-test-card...@list.nist.gov>.
--
Douglas E. Engert <DEEn...@gmail.com>
Jeffrey Walton
Feb 10, 2020, 10:25:11 AM2/10/20
to John Stewart, piv-test-cards
in HR and Federal would probably be in a better position to answer.
Maybe even a company's Security Officer. You might try
https://workplace.stackexchange.com/ .
NIST sells the test cards to the general public. If there were
restrictions, then NIST would enforce it at the point of sale.
Foreign nationals cannot obtain a security clearance. If the project
has security requirements - and the employee is not cleared - then
they probably should not be working on the project. Confer,
https://www.clearancejobs.com/security-clearance-faqs.
I think what you will find in practice is, NIST usually covers US
Federal agencies like Social Security Administration and there are no
security requirements or simply a Public Trust. Companies doing
business with US DoD have security requirements and require employees
with clearances.
Jeff
Stanley Global LLC
Feb 11, 2020, 8:29:25 AM2/11/20
to Douglas E Engert, piv-tes...@list.nist.gov
Of possible relevance, I formerly worked as DOD CIV and my Korean and Japanese foreign national IT Level II counterparts lost their clearances to work in a similar environment. There wasn't a mechanism to perform equivalent background checks.
To unsubscribe from this group and stop receiving emails from it, send an email to piv-test-card...@list.nist.gov.
Reply all
Reply to author
Forward
0 new messages