NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

PIV Announcements

NIST Announcements

POSTED July 30, 2015

Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI) has been approved as final
 
NIST is pleased to announce the release of Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). The document provides guidelines for assessing the reliability of issuers of PIV Cards and issuers of the newly introduced Derived PIV Credential for mobile devices. The document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:
  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and.
  • Modified process to include an independent review prior to authorization of issuer.


POSTED June 18, 2015

NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key has been approved as final & is now available
 
NIST is pleased to announce the release of NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key. The document provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card. The document clarifies the requirement for “explicit user action” and specifies a range of PIN caching options that maintains the goal of ‘explicit user action’ while adhering to consistent and reliable level of security. The document will encourage the development of compliant applications and middleware that use the digital signature key.


POSTED June 8, 2015

NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object,
  • Tests for populating these newly added data objects in the PIV Card Application,
  • Tests to verify the on-card biometric comparison mechanism,
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface and,
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.

Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft guidelines and submit comments to NIST by email to pivtesting@nist.gov with "Comments on Draft SP 800-85A-4" in the subject line. Comments should be submitted using the comment template (see link below - Excel spreadsheet). The comment period closes at 5:00pm EDT on July 10, 2015.

Link to the Draft SP 800-85A-4 Document (PDF)
Link to the Comment Template (Excel)


POSTED June 1, 2015

Two PIV Special Publications (SP) have been released: (1) SP 800-73-4, Interfaces for Personal Identity Verification, AND (2) SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification
 
#1: NIST is pleased to announce the release of Special Publication 800-73-4, Interfaces for Personal Identity Verification. This document has been updated to align with Final FIPS 201-2 and to reflect the disposition of comments that were received on the first and second draft of SP 800-73-4, published in May 2013 and May 2014, respectively. The complete set of comments and dispositions is provided below.
 
High level changes from SP 800-73-3 to SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • Inclusion of clarifying information about the virtual contact interface and the use of the pairing code;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism;
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits;
  • In collaboration with the FICAM FIPS 201 Test Program reduced some of the PIV Card options where possible.
The complete set of comments and dispositions is provided below. #2: NIST announces the release of Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to align with updates in SP 800-73-4. The document reflects the disposition of comments that were received on the first and second draft of SP 800-78-4, which was published in May, 2013 and May 2014, respectively. In particular, the following changes were introduced in SP 800-78-4:
  • Removal of information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past;
  • Addition of algorithm and key size requirements for the optional PIV Secure Messaging key.
  • Addition of requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing.
  • Clarified that RSA public keys may only have a public exponent of 65 537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65 537 and less than 2256.)
The complete set of comments and dispositions is provided below.


POSTED March 21, 2015

Presentations of the Workshop on Upcoming Special Publications Supporting FIPS 201-2 is available here.


POSTED December 19, 2014 --- Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials

NIST announces the release of Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 defines a technical specification for implementing and deploying Derived PIV Credentials on mobile devices, such as smart phones and tablets. The goal of the Derived PIV Credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.

Comments and their dispositions received during the public comment period are available here.


POSTED September 5, 2014: NIST PIV Validation Program updated the PIV Middleware and PIV Card Application Validation Lists

The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that beginning 09/05/14, new and replacement cards issued by Department and Agencies have to conform to FIPS 201-2 when on-boarding or when replacing PIV Cards as they expire over the next 5 years.

The impact for the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are affected. This is due to the fact that to meet the FIPS 201-2 compliance requirements all that is required is that some of the previously optional PIV Card credentials under FIPS 201-1 must be present in FIPS 201-2 (as they are now mandatory). The Removed Products List (RPL) is now available. The effect on validated PIV Middleware, is broader. PIV Middleware is required to support all functionality (function calls/credentials) of a fully loaded PIV Card. Since SP 800-73-1 and SP 800-73-2 PIV Middleware do NOT support new FIPS 201-2-functionality, they have to be placed on the RPL. The PIV Middleware RPL is also available. Note: The PIV Middleware listed in the SP 800-73-3 PIV Middleware Validation list remains valid and will not be removed. These implementations support the optional credentials/functionality, which now are mandatory under FIPS 201-2.

Finally, the NPIVP validation Authority also removed validated PIV Card Applications that remain in a ‘pending’ state for FIPS 140-2 lasting 3 years or longer. These card applications never received FIPS 140-2 validation, and thus are not allowed to be used by USG.


POSTED August 5, 2014: NIST Draft Special Publication SP 800-85B-4 PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Parts 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-4" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet).

Link to the Comment Template Form (Excel)
Link to the Draft Document (PDF)

The comment period closes at 5:00 EST (US and Canada) on September 5, 2014. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


POSTED June 2, 2014 -- DRAFT Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)

NIST announces that Draft Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), is now available for public comment. This document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:
 
  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and.
  • Modified process to include an independent review prior to authorization of issuer.
 
NIST requests comments on Draft Special Publications 800-79-2 by 5:00pm EDT on June 30, 2014. Please submit comments on Draft SP 800-79-2 using the SP 800-79-2 comments template form (Excel spreadsheet) to PIVaccreditation@nist.gov with “Comments on Draft SP 800-79-2” in the subject line.


POSTED May 19, 2014 -- 2 Draft PIV Special Publications (SP) have been released for public comment: (1) Revised Draft SP 800-73-4, Interfaces for Personal Identity Verification, AND (2) Revised Draft SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

Draft #1: NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4").
 
High level changes include:

  • A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.
  • In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:
    • rarely used data elements Buffer Length, DUNS and Organization Identifier in the CHUID data object
    • legacy data element MSCUID in all X.509 Certificate data objects and
    • legacy data elements Extended Application CardURL and Security Object Buffer in the Card Capability Container
  • Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.
  • Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”
NIST also requests comments on the pairing code, which is part of the new Virtual Contact Interface (VCI) of the PIV Card. Its purpose is to prevent skimming of cardholder data in wireless environment by an unauthorized wireless reader in the vicinity of the cardholder and to ensure that ‘cardholder consent’ for the release of cardholder data is enabled. The pairing code is part of the Virtual Contact Interface that provides for communication and enables wireless transactions between the PIV Card and NFC-enabled devices for authentication, signing or encryption. NIST assesses that the pairing code concept is the optimum method available to provide mitigation against a skimming threat.
 
NIST has received some comments objecting to the use of a pairing code to protect data against skimming in wireless environment and strongly recommending that this be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or if it departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface and thus skimming has not been an issue)
 
NIST requests comments on Revised Draft Special Publications 800-73-4 by 5:00pm EDT on June 16, 2014. Please submit comments on Revised Draft SP 800-73-4 using the SP 800-73-4 comments template form (lnk to comment form in Excel spreadsheet is 2nd to last link below for this draft document) to piv_comments@nist.gov with “Comments on Revised Draft SP 800-73-4” in the subject line
 
Draft #2: NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4".
 
NIST requests comments on Revised Draft Special Publication 800-78-4 by 5:00pm EDT on June 16, 2014. Please submit comments on Revised Draft SP 800-78-4 using the SP 800-78-4 comment template form (see third link on drafts page for this draft for Excel spreadsheet) to piv_comments@nist.gov with "Comments on Revised Draft SP 800-78-4" in the subject line.


POSTED March 7, 2014 -- Draft Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials and Draft NIST Interagency Report 7981, Mobile, PIV, and Authentication, are now available

#1 -- NIST announces release of Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, for public comment. Draft SP 800-157 defines a technical specification for implementing and deploying derived PIV credentials on mobile devices, such as smart phones and tablets. The goal of the derived PIV credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.
 
Please submit comments on Draft SP 800-157 using the SP 800-157 comments template form (Excel spreadsheet) to piv_comments@nist.gov with “Comments on Draft SP 800-157” in the subject line
 
NIST requests comments to Draft Special Publication 800-157 by 5:00pm EDT on April 21, 2014.
 
#2 NIST announces release of Draft NIST IR 7981, Mobile, PIV, and Authentication for public comment. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
 
Please submit comments on Draft NIST IR 7981 using the NIST IR 7981 comment template form (Excel spreadsheet) to piv_comments@nist.gov with "Comments on Draft NIST IR 7981" in the subject line.
 
NIST requests comments on Draft NIST IR 7981 by 5:00pm EDT on April 21, 2014.