Personal Identity Verification (PIV) of Federal Employees and Contractors

PIV Announcements

Posted September 27, 2023

Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: Drafts of SP 800-73-5 and SP 800-78-5 Available for Public Comment

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201 and are now available for public comment.

SP 800-73-5: Parts 1–3 ipd (Initial Public Draft)

SP 800-73-5: Parts 1–3 ipd, Interfaces for Personal Identity Verification, describes the technical specifications for using the PIV cards including a PIV data model (Part 1), card edge interface (Part 2), and application programming interface (Part 3). Major changes to the documents include:

  • Removal of the previously deprecated CHUID authentication mechanism
  • Deprecation of the SYM-CAK and VIS authentication mechanisms
  • Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for contactless interfaces for facility access applications
  • Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
  • Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
  • SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement

SP 800-78-5 ipd

SP 800-78-5 ipd, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for the cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It has been modified to add algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing, including:

  • Deprecation of 3TDEA algorithms with identifiers ‘00’ and ‘03’
  • Removal of the retired RNG from CAVP PIV component testing where applicable
  • Accommodation of the Secure Messaging Authentication key
  • Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031

NIST specifically seeks input from federal agencies on the suitability of the digital signature algorithms and key sizes specified in SP 800-78-5. The draft revisions accommodate RSA signatures with 2048-bit and 3072-bit keys, and ECDSA signatures with the P-256 and P-384 curves, for authentication services. NIST requests feedback on the potential need to support RSA with 4096-bit keys, or for the need to add support for the EdDSA signature algorithm that is now specified in FIPS 186-5.

Submit Comments

The comment period for these drafts is open through December 8, 2023. See the publication details (linked above) to download the drafts and comment templates. Comments and inquiries should be sent to piv_comments@nist.gov.

Posted January 10, 2023

NIST Releases Two Draft Guidelines on Personal Identity Verification (PIV) Credentials

NIST is announcing the initial public drafts of NIST SP 800-157r1 (Revision 1), Guidelines for Derived Personal Identity Verification (PIV) Credentials, and NIST SP 800-217, Guidelines for Personal Identity Verification (PIV) Federation. These two SPs complement Federal Information Processing Standard (FIPS) 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.

  • NIST SP 800-157 has been revised to feature an expanded set of derived PIV credentials to include public key infrastructure (PKI) and non-PKI-based phishing-resistant multi-factor authenticators.
  • NIST SP 800-217 details technical requirements on the use of federated PIV identity and the interagency use of assertions to implement PIV federations backed by PIV identity accounts and PIV credentials.


The public comment period for both draft publications is open through April 21, 2023. See the publication details for NIST SP 800-157r1 and NIST SP 800-217 to download the drafts and find instructions for submitting comments.

NOTE: A call for patent claims is included on page iii of each draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Posted January 24, 2022

FIPS 201-3 Published: Revision of Personal Identity Verification (PIV) of Federal Employees and Contractors

NIST is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 201-3, Personal Identity Verification of Federal Employees and Contractors. (See the Federal Register Notice announcing FIPS 201-3 approval.)

FIPS 201-3 addresses the comments received during the public comment period in November 2020. High-level changes include:

  • Alignment with current NIST technical guidelines on identity management, OMB policy guidelines, and changes in commercially available technologies and services
  • Accommodation of additional types of authenticators through an expanded definition of derived PIV credentials
  • Focus on the use of federation to facilitate interoperability and interagency trust
  • Addition of supervised remote identity proofing processes
  • Removal of the previously deprecated Cardholder Unique Identifier (CHUID) authentication mechanism and deprecation of the symmetric card authentication key and visual authentication mechanisms (VIS)
  • Support for the secure messaging authentication mechanism (SM-AUTH)

A detailed list of changes is available in FIPS 201-3, Appendix E, Revision History, and this matrix includes public comments received on the November 2020 draft, and their resolutions.

Posted March 23, 2021

NIST is pleased to announce the availability of version 2 of the test Personal Identity Verification (PIV) Cards

In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards. The set of test PIV Cards contains sixteen smart cards that are loaded with a PIV Card Application, as specified in Special Publication 800-73-4. The PIV Card Applications on the smart cards are loaded with test data and keys that are similar to what might appear on actual PIV Cards, with the exception that the certificates on the test PIV Cards were issued from a test public key infrastructure. Version 2 of the test PIV Cards includes examples of new, optional features that were introduced in SP 800-73-4, such as on-card biometric comparison, secure messaging, and the virtual contact interface. Information about the test cards is available on the PIV Test Cards website. The test cards are available for purchase as NIST Special Database 33.

Posted December 22, 2020

Presentations of the Draft FIPS 201-3 virtual public workshop are available here. The workshop recording and transcript of the Q&A chat are available here.

Posted November 3, 2020

FIPS 201, Personal Identity Verification (PIV) for Federal Employees and Contractors, is going through a third revision and is currently available for public review at https://pages.nist.gov/FIPS201/. The public comment period ends 2/1/2021.

The public workshop presenting Draft FIPS 201-3 will be held on December 9th, 2020. Please visit https://www.nist.gov/news-events/events/2020/12/draft-fips-201-3-virtual-public-workshop to view the agenda and register for the event.

Posted March 21, 2019

Presentations of the FIPS 201-3 Business Requirements Meeting are available here.

Posted February 8, 2019

Save the date for the Federal Business Requirements Meeting for FIPS 201 Revision 3 on 3/19/19

FIPS 201, Personal Identity Verification (PIV) for Federal Employees and Contractors, will be going through a third revision soon. In preparation for the revision, NIST invites representatives of federal departments and agencies to participate in this government-only meeting to discuss the change requests accumulated over the past five years. For more information and to register, click here. The registration deadline is 3/12/19.

POSTED June 29, 2018

NIST releases Special Publication SP 800-116 Revision 1, "Guidelines for the Use of PIV Credentials in Facility Access"

NIST is pleased to announce the release of Special Publication 800-116 Revision 1, Guidelines for the Use of PIV Credentials in Facility Access. This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. See the summary of the high-level changes.

POSTED May 9, 2017

In mid-2016, the NIST PIV Validation Program proposed a transition plan to move from RNG-based to DRBG-based PIV cards by the end of June 2017. This transition plan was proposed because agencies indicated that they and their vendors were not yet able to migrate to SP 800-90A DRBG PIV cards.

However, as the June 2017 date approaches, it has become apparent that another extension is necessary so that RNG PIV cards can continue to be issued and used until DRBG PIV cards are validated and available with compatible card management software.

To allow an orderly transition to DRBG PIV cards, the PIV Validation Program will grant an additional one-year extension through June 30, 2018. This allows affected PIV Card vendors time to complete CMVP- and PIV-based validation, and grants additional time to prepare, update, or deploy any other components that may be necessary to issue or use the new DRBG PIV Cards.

According to this revised transition plan, agencies may continue to issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2018. Future procurements of any legacy PIV cards that may be needed during this transition should be planned to minimize excess legacy card stock at the time of this deadline.

However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date, up to June 30, 2024.


POSTED August 6, 2016

Beginning in 2016, the CMVP enforced the RNG transition, requiring new modules to implement the SP 800-90A DRBGs and requiring vendors to update previously validated modules to remain on the active validation list. NPIVP, which relies on the CMVP for cryptographic module testing, also enforced this transition and is requiring the use of validated DRBGs in PIV cards.

However, feedback from agencies has indicated that vendors are not yet able to migrate to SP 800-90A DRBG PIV cards. As a result, the legacy RNG PIV cards will continue to be issued and used until DRBG PIV cards are available with compatible card management software.

To support the migration of PIV cards to DRBGs, the PIV Validation Program proposes a one-year conditional transition plan ending by June 30, 2017, that allows the continued issuance and use of previously validated PIV cards using legacy RNGs that do not pose an immediate security risk.

According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date, up to June 30, 2023.


POSTED August 5, 2016

NPIVP laboratories have received the SP 800-73-4 Test Runner and have commenced testing and evaluation of PIV Card Application and PIV Middleware implementations based on SP 800-73-4. The tool is also available for download by the general public, including vendors, who can accelerate the validation process by fine-tuning implementations with the tool before submitting the products to NPIVP labs. Use the following link to download the Test Runner.


POSTED June 7, 2016

Special Publication 800-166, Derived PIV Application and Data Model Test Guidelines
 
NIST announces the release of Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines. SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials.


POSTED May 23, 2016

NIST Releases Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export
 
NIST is pleased to announce the release of Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export. The document provides the data representation of a chain-of-trust record for the exchange of records between PIV Card issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and confidentiality through encryption of chain-of-trust data in transit and at rest.


POSTED April 21, 2016

NIST Releases the final version of "Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access"
 
NIST announces the final release of the best practices guide for Personal Identity Verification (PIV)-enabled privileged access. The paper is in response to the Office of Management and Budget (OMB) October 2015 Cybersecurity Strategy and Implementation Plan (also included in the Cybersecurity National Action Plan (CNAP)), which requires Federal agencies to use PIV credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies to implement PIV authentication for privileged users.


POSTED April 13, 2016

NIST Releases SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)

Special Publication (SP) 800-85A-4 provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification, and SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object;
  • Tests for populating these newly added data objects in the PIV Card Application;
  • Tests to verify the on-card biometric comparison mechanism;
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface; and
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.

POSTED February 19, 2016

Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), Comment Period Has Been Extended

The comment period for Draft Special Publication 800-116 Revision 1 has been extended and now closes at 5:00 EST (US and Canada) on March 1, 2016. The comment period is now closed.


POSTED February 8, 2016

NIST announces release of Draft Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines, for public comment
 
Draft SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. Draft SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials. 
 
Comment period closed on: March 14, 2016
Email comments or questions to piv_derived@nist.gov 
 
Draft SP 800-166 – Draft Document


POSTED February 5, 2016

Whitepaper - DRAFT Best Practices for Privileged User PIV Authentication 
 
This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, which requires Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies implementing PIV authentication for privileged users.
 
Comment period closed on: March 4, 2016.
Email comments or questions to csip-pivforprivilege@nist.gov 
 
Link to the Whitepaper "Best Practices for Privileged User PIV Authentication".


POSTED December 29, 2015

NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export is available for public comment

NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export, is now available for public comment. This document provides the data representation of a chain-of-trust record for the exchange of records between issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and confidentiality through encryption of chain-of-trust data in transit and at rest.

Comment period closed on January 28, 2016.
Email comments or questions to piv_comments@nist.gov



POSTED December 28, 2015

NIST Announces Release of DRAFT Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
 
NIST is pleased to announce the public comment release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. High-level changes include:

  • Addition of the OCC-AUTH authentication mechanism introduced in FIPS 201-2.
  • In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
    • Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms
    • Addition of a new section (5.3.1) titled “Migrating Away from the Legacy CHUID Authentication Mechanism” to aid in the transition away from the CHUID + VIS authentication mechanism
    • In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks
    • Addition of a new appendix titled “Improving Authentication Transaction Times” to aid in transitioning away from the weak CHUID authentication mechanism to the stronger but computationally more expensive cryptographic one-factor authentication mechanism (PKI-CAK)
  • Addition of a new section (5.4) titled “PIV Identifiers” and a summary table with pros and cons to describe the identifiers available on the PIV Card that can map to a PACS’s access control list.
  • In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice’s “Vulnerability Assessment Report of Federal Facilities” document with the ISC’s document titled “Risk Management Process for Federal Facilities” to aid in deriving the security requirements for facilities.

Email comments or questions to piv_comments@nist.gov
Comment period closed on March 1, 2016.


POSTED July 30, 2015

Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI) has been approved as final
 
NIST is pleased to announce the release of Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). The document provides guidelines for assessing the reliability of issuers of PIV Cards and issuers of the newly introduced Derived PIV Credential for mobile devices. The document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and
  • Modified process to include an independent review prior to authorization of issuer.

POSTED June 18, 2015

NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key has been approved as final & is now available
 
NIST is pleased to announce the release of NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key. The document provides clarification of the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card. The document clarifies the requirement for “explicit user action” and specifies a range of PIN caching options that maintain the goal of ‘explicit user action’ while adhering to a consistent and reliable level of security. The document will encourage the development of compliant applications and middleware that use the digital signature key.


POSTED June 8, 2015

NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object,
  • Tests for populating these newly added data objects in the PIV Card Application,
  • Tests to verify the on-card biometric comparison mechanism,
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface; and
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.

Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft guidelines and submit comments.

Email comments or questions to pivtesting@nist.gov
Comment period closed on July 10, 2015.

Link to the Draft SP 800-85A-4 Document (PDF)


POSTED June 1, 2015

Two PIV Special Publications (SP) have been released: (1) SP 800-73-4, Interfaces for Personal Identity Verification, AND (2) SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification
 
#1: NIST is pleased to announce the release of Special Publication 800-73-4, Interfaces for Personal Identity Verification. This document has been updated to align with Final FIPS 201-2 and to reflect the disposition of comments that were received on the first and second drafts of SP 800-73-4, published in May 2013 and May 2014, respectively. The complete set of comments and dispositions is provided below.
 
High level changes from SP 800-73-3 to SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • Inclusion of clarifying information about the virtual contact interface and the use of the pairing code;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism;
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits;
  • In collaboration with the FICAM FIPS 201 Test Program, reduction of some of the PIV Card options where possible.

The complete set of comments and dispositions is provided below.

#2: NIST announces the release of Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to align with updates in SP 800-73-4. The document reflects the disposition of comments that were received on the first and second drafts of SP 800-78-4, which were published in May 2013 and May 2014, respectively. In particular, the following changes were introduced in SP 800-78-4:

  • Removal of information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past;
  • Addition of algorithm and key size requirements for the optional PIV Secure Messaging key;
  • Addition of requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing;
  • Clarification that RSA public keys may only have a public exponent of 65537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65537 and less than 2^256.)
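The public-exponent rule in the last bullet is easy to check mechanically, and it is worth distinguishing the strict card-side rule (the exponent must be exactly 65537) from the looser range client applications are encouraged to accept. The following is an added example, not NIST's code nor any PIV product's: a minimal DER parser for a PKCS#1 RSAPublicKey (SEQUENCE of two INTEGERs) plus both checks. The sample keys are constructed with a fixed 256-bit modulus purely to exercise the parser and are not real PIV keys; the function names are my own.

```python
"""Check the RSA public-exponent rules stated for SP 800-78-4.

Added example (not NIST's own code). Assumes the public key is a PKCS#1
RSAPublicKey in DER: SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
Sample keys below use a constructed, non-secure modulus for illustration.
"""

PIV_EXPONENT = 65537            # the only exponent an RSA key on a PIV Card may carry
CLIENT_MAX_EXPONENT = 1 << 256  # clients are encouraged to accept odd e, 65537 <= e < 2^256


def _der_len(n: int) -> bytes:
    """DER length field, short form (< 0x80) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative integer (leading 0x00 keeps the sign positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """Encode PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der: bytes):
    """Parse a DER RSAPublicKey and return (n, e) as integers."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE of exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def is_piv_card_exponent(e: int) -> bool:
    """Strict rule for keys on a PIV Card: e must be exactly 65537."""
    return e == PIV_EXPONENT


def is_client_acceptable_exponent(e: int) -> bool:
    """Looser rule client applications are encouraged to tolerate: odd, >= 65537, < 2^256."""
    return e % 2 == 1 and PIV_EXPONENT <= e < CLIENT_MAX_EXPONENT


def classify_key(der: bytes) -> str:
    """Label a DER RSAPublicKey as 'piv', 'client-only', or 'reject'."""
    _, e = parse_rsa_public_key(der)
    if is_piv_card_exponent(e):
        return "piv"
    if is_client_acceptable_exponent(e):
        return "client-only"
    return "reject"


# Constructed sample keys: tiny fixed modulus, for illustration only (not real keys).
SAMPLE_MODULUS = 0xC5A3F2A4F1D8E8B7A0F3D7E9C2B4A6D8F1E3C5B7A9D1F3E5C7B9A1D3F5E7C9B1
KEY_PIV = der_rsa_public_key(SAMPLE_MODULUS, 65537)
KEY_LARGE_ODD = der_rsa_public_key(SAMPLE_MODULUS, (1 << 255) + 1)   # odd, in client range
KEY_SMALL = der_rsa_public_key(SAMPLE_MODULUS, 3)                    # below 65537
KEY_EVEN = der_rsa_public_key(SAMPLE_MODULUS, 65538)                 # even exponent
KEY_TOO_BIG = der_rsa_public_key(SAMPLE_MODULUS, (1 << 256) + 1)     # at or above 2^256

if __name__ == "__main__":
    for name, key in [("piv", KEY_PIV), ("large odd", KEY_LARGE_ODD), ("e=3", KEY_SMALL),
                      ("even", KEY_EVEN), ("2^256+1", KEY_TOO_BIG)]:
        print(f"{name:10s} -> {classify_key(key)}")
```

A certificate validator on the issuer or relying-party side would run the strict check on keys it issues or trusts as PIV keys, and the looser one only when deciding whether it can process a key at all; a key that fails both should be rejected rather than silently used.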

The complete set of comments and dispositions is provided below.


POSTED March 21, 2015

Presentations of the Workshop on Upcoming Special Publications Supporting FIPS 201-2 are available here.


POSTED December 19, 2014 --- Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials

NIST announces the release of Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 defines a technical specification for implementing and deploying Derived PIV Credentials on mobile devices, such as smart phones and tablets. The goal of the Derived PIV Credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.

Comments and their dispositions received during the public comment period are available here.


POSTED September 5, 2014: NIST PIV Validation Program updated the PIV Middleware and PIV Card Application Validation Lists

The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that, beginning 09/05/14, new and replacement cards issued by departments and agencies conform to FIPS 201-2, both when on-boarding and when replacing PIV Cards as they expire over the next 5 years.

The impact for the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are affected, because all that FIPS 201-2 compliance requires is that some PIV Card credentials that were optional under FIPS 201-1 now be present (they are mandatory under FIPS 201-2). The Removed Products List (RPL) is now available. The effect on validated PIV Middleware is broader. PIV Middleware is required to support all functionality (function calls/credentials) of a fully loaded PIV Card. Since SP 800-73-1 and SP 800-73-2 PIV Middleware do NOT support the new FIPS 201-2 functionality, they have to be placed on the RPL. The PIV Middleware RPL is also available. Note: The PIV Middleware listed in the SP 800-73-3 PIV Middleware Validation list remains valid and will not be removed. These implementations support the optional credentials/functionality that are now mandatory under FIPS 201-2.

Finally, the NPIVP Validation Authority also removed validated PIV Card Applications that have remained in a ‘pending’ state for FIPS 140-2 for 3 years or longer. These card applications never received FIPS 140-2 validation and thus are not allowed to be used by the USG.


POSTED August 5, 2014: NIST Draft Special Publication SP 800-85B-4 PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Part 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-4" in the subject line.

Link to the Draft Document (PDF)

Comment period closed on September 5, 2014.
All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


POSTED June 2, 2014 -- DRAFT Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)

NIST announces that Draft Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), is now available for public comment. This document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

  • Inclusion of issuer controls for Derived PIV Credential Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and
  • Modified process to include an independent review prior to authorization of an issuer.

Comment period closed on June 30, 2014.
Email comments or questions to: PIVaccreditation@nist.gov


POSTED May 19, 2014 -- Two Draft PIV Special Publications (SP) have been released for public comment: (1) Revised Draft SP 800-73-4, Interfaces for Personal Identity Verification, AND (2) Revised Draft SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

Draft #1: NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see the last link for this draft on the Drafts page, titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4").

High level changes include:

  • A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.
  • In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:
    • rarely used data elements Buffer Length, DUNS and Organization Identifier in the CHUID data object
    • legacy data element MSCUID in all X.509 Certificate data objects and
    • legacy data elements Extended Application CardURL and Security Object Buffer in the Card Capability Container
  • Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.
  • Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”

NIST also requests comments on the pairing code, which is part of the new Virtual Contact Interface (VCI) of the PIV Card. Its purpose is to prevent skimming of cardholder data in a wireless environment by an unauthorized wireless reader in the vicinity of the cardholder, and to ensure that ‘cardholder consent’ for the release of cardholder data is enabled. The pairing code is part of the Virtual Contact Interface, which provides for communication and enables wireless transactions between the PIV Card and NFC-enabled devices for authentication, signing, or encryption. NIST assesses that the pairing code concept is the optimum method available to mitigate the skimming threat.

NIST has received some comments objecting to the use of a pairing code to protect data against skimming in a wireless environment and strongly recommending that it be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or whether the departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with the pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface, and thus skimming has not been an issue.)

Comment period closed on June 16, 2014.
Email comments or questions to: piv_comments@nist.gov
 
Draft #2: NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see the last link for this draft on the Drafts page, titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4").

Comment period closed on June 16, 2014.
Email comments or questions to: piv_comments@nist.gov


POSTED March 7, 2014 -- Draft Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials and Draft NIST Interagency Report 7981, Mobile, PIV, and Authentication, are now available

#1 -- NIST announces release of Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, for public comment. Draft SP 800-157 defines a technical specification for implementing and deploying derived PIV credentials on mobile devices, such as smart phones and tablets. The goal of the derived PIV credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.

Email comments or questions to: piv_comments@nist.gov
Comment period closed on April 21, 2014.

#2 -- NIST announces release of Draft NIST IR 7981, Mobile, PIV, and Authentication, for public comment. NIST IR 7981 analyzes and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.

Email comments or questions to: piv_comments@nist.gov
Comment period closed on April 21, 2014.

Created May 24, 2016, Updated January 04, 2024