NIST is pleased to announce the public comment release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. High-level changes include:
- Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.
- In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
  - Removal of the CHUID + VIS authentication mechanism from the list of recommended authentication mechanisms
  - Addition of a new section (5.3.1) titled “Migrating Away from the Legacy CHUID Authentication Mechanism” to aid in the transition away from the CHUID + VIS authentication mechanism
  - In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks
  - Addition of a new appendix titled “Improving Authentication Transaction Times” to aid in transitioning away from the weak CHUID authentication mechanism to stronger but computationally expensive cryptographic one-factor authentication (PKI-CAK)
- Addition of a new section (5.4) titled “PIV Identifiers” and a summary table with pros and cons to describe the identifiers available on the PIV Card that can map to a PACS’s access control list.
- In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice’s “Vulnerability Assessment Report of Federal Facilities” document with the ISC’s document titled “Risk Management Process for Federal Facilities” to aid in deriving the security requirement for facilities.
For your convenience, we have provided a comment template (Excel file). Comments should be submitted to firstname.lastname@example.org with "Comments on Draft SP 800-116 Revision 1" in the subject line. The comment period has been extended and now closes at 5:00 EST (US and Canada) on March 1, 2016.