Computer Security Resource Center

Best Practice Guidelines for Using PIV Credentials in Facility Access: NIST Special Publication 800-116 Revision 1
June 29, 2018

NIST has published Special Publication (SP) 800-116 Revision 1, Guidelines for the Use of PIV Credentials in Facility Access. SP 800-116 Rev. 1 provides best practice guidelines for integrating the Personal Identity Verification (PIV) Card with the physical access control systems (PACS) that authenticate cardholders in federal facilities. SP 800-116 Rev. 1 recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets.

Revision 1 aligns the guidelines with Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors. High-level changes include:

  • Updates Section 4.4 (previously section 7.1) to reflect the FIPS 201-2 requirements for credential validation.
  • Reflects the FIPS 201-2 deprecation of the CHUID authentication mechanism throughout the document.
  • Reflects the downgrade of the VIS authentication mechanism to “LITTLE or NO” confidence in the cardholder's identity.
  • Removes the CHUID + VIS authentication mechanism from the list of recommended authentication mechanisms.
  • Adds an appendix, “Improving Authentication Transaction Times,” to reduce the transaction time of the computationally expensive PKI one-factor authentication mechanism (i.e., PKI-CAK).
  • Adds the OCC-AUTH as a two-factor authentication mechanism introduced in FIPS 201-2.
  • Removes Section 9, “Migration Strategy,” as implementations have matured and are more advanced.
  • Removes Section 10, “Future Topics,” which are now addressed in FIPS 201-2 and associated NIST Special Publications.
  • Adds Section 6.1, “PIV Identifiers,” and a summary table with pros and cons to describe the identifiers available on the PIV Card that can map to a PACS's access control list.
  • Expands authentication in context, to allow context provided by physical measures that prevent more than one person from passing through an access point (e.g., turnstiles, gates) after each authentication. This is in addition to authentication in context where PACS can store and recall recent access control decisions.
  • Adds Section 6.7, “PACS and ICAM Infrastructure,” to describe PACS as part of an integrated ICAM infrastructure.
  • In coordination with the Interagency Security Committee (ISC), replaces the Department of Justice's “Vulnerability Assessment Report of Federal Facilities” document with ISC's “Risk Management Process for Federal Facilities” to aid in deriving security requirements for facilities.

A comprehensive list of changes can be found in Appendix I, “Revision History.”
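The following is an added illustration of the “authentication in context” and confidence-level changes summarized above; it is example code written for this page, not NIST's code and not part of SP 800-116. It models a toy PACS decision engine that stores access decisions and recalls them as context for later requests, but only when the earlier access point physically admits one person per authentication (a turnstile or gate). The mapping of mechanisms to authentication factors (VIS contributing none after its downgrade, CHUID contributing none because it is deprecated, PKI-CAK one factor, OCC-AUTH two factors), the inclusion of the FIPS 201-2 BIO mechanism as a one-factor biometric, the per-area factor requirements, and the 15-minute context window are all assumptions chosen for the example; the publication's own tables are normative.

```python
"""Toy PACS decision engine showing 'authentication in context'.

Added example, not NIST's code or part of SP 800-116. The mechanism-to-factor
mapping, per-area factor requirements, BIO mechanism and context window are
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Set

# Assumed factors each PIV mechanism contributes (not the normative table).
# VIS is treated as LITTLE or NO confidence and CHUID as deprecated, so
# neither contributes a factor. BIO (off-card biometric) is assumed here.
MECHANISM_FACTORS: Dict[str, FrozenSet[str]] = {
    "VIS": frozenset(),
    "CHUID": frozenset(),
    "PKI-CAK": frozenset({"card"}),                # one-factor: something you have
    "BIO": frozenset({"biometric"}),               # one-factor: something you are
    "OCC-AUTH": frozenset({"card", "biometric"}),  # two-factor: card + on-card match
}

# Assumed number of distinct factors required per area type.
REQUIRED_FACTORS: Dict[str, int] = {"controlled": 1, "limited": 2, "exclusive": 3}


@dataclass(frozen=True)
class AccessPoint:
    name: str
    area: str
    single_person_passage: bool  # turnstile/gate: one person per authentication


@dataclass(frozen=True)
class Decision:
    cardholder: str
    point: AccessPoint
    factors: FrozenSet[str]  # factors credited when this decision was made
    at: datetime
    granted: bool


class Pacs:
    """Stores decisions and recalls them as context for later requests."""

    def __init__(self, context_window: timedelta = timedelta(minutes=15)) -> None:
        self.window = context_window
        self.log: List[Decision] = []

    def _context_factors(self, cardholder: str, now: datetime) -> Set[str]:
        # Only a recent, granted decision at a point that physically admits one
        # person per authentication is trusted as context: that is what ties the
        # earlier authentication to the person now standing at the inner door.
        factors: Set[str] = set()
        for d in self.log:
            if (d.cardholder == cardholder and d.granted
                    and d.point.single_person_passage
                    and timedelta(0) <= now - d.at <= self.window):
                factors |= d.factors
        return factors

    def request(self, cardholder: str, mechanism: str,
                point: AccessPoint, now: datetime) -> bool:
        presented = MECHANISM_FACTORS[mechanism]
        credited = set(presented) | self._context_factors(cardholder, now)
        # The mechanism presented at this door must itself be a real factor:
        # VIS or CHUID alone never opens a door, whatever the stored context.
        granted = bool(presented) and len(credited) >= REQUIRED_FACTORS[point.area]
        self.log.append(Decision(cardholder, point, frozenset(credited), now, granted))
        return granted


def demo() -> Dict[str, bool]:
    """Constructed walk-through; returns each decision keyed by scenario name."""
    lobby = AccessPoint("lobby turnstile", "controlled", single_person_passage=True)
    side_door = AccessPoint("side door", "controlled", single_person_passage=False)
    lab = AccessPoint("lab door", "limited", single_person_passage=True)
    t0 = datetime(2018, 6, 29, 9, 0)  # constructed timestamp
    pacs = Pacs()
    r: Dict[str, bool] = {}
    r["vis_alone"] = pacs.request("alice", "VIS", lobby, t0)
    r["chuid_alone"] = pacs.request("alice", "CHUID", lobby, t0)
    r["cak_at_turnstile"] = pacs.request("alice", "PKI-CAK", lobby, t0)
    # BIO at the inner door + card credited from the turnstile = two factors
    r["bio_with_context"] = pacs.request("alice", "BIO", lab, t0 + timedelta(minutes=5))
    r["cak_at_side_door"] = pacs.request("bob", "PKI-CAK", side_door, t0)
    # side door cannot guarantee one person per authentication: no context
    r["bio_without_turnstile"] = pacs.request("bob", "BIO", lab, t0 + timedelta(minutes=5))
    pacs.request("carol", "PKI-CAK", lobby, t0)
    r["bio_after_window"] = pacs.request("carol", "BIO", lab, t0 + timedelta(minutes=30))
    pacs.request("erin", "PKI-CAK", lobby, t0)
    # presenting the same factor twice never adds a second factor
    r["cak_twice"] = pacs.request("erin", "PKI-CAK", lab, t0 + timedelta(minutes=5))
    r["occ_auth_alone"] = pacs.request("dave", "OCC-AUTH", lab, t0)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'GRANTED' if ok else 'DENIED'}")
```

The two negative cases, `bio_without_turnstile` and `bio_after_window`, are the ones a PACS integrator should check in a real deployment: stored decisions are only meaningful as context when the earlier access point physically prevented tailgating and the recall window is short enough that the cardholder is plausibly still the person who passed through.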

Created June 29, 2018