Personal Identity Verification of Federal Employees and Contractors PIV

PIV Announcements from 2020 - Present

July 15, 2024

NIST Releases SP 800-73-5 and SP 800-78-5 including comment dispositions for SP 800-73-5 (Part 1, Part 2, and Part 3) and SP 800-78-5.  

September 27, 2023

Personal Identity Verification (PIV) Interfaces, Cryptographic Algorithms, and Key Sizes: Drafts of SP 800-73-5 and SP 800-78-5 Available for Public Comment

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201 and are now available for public comment.

SP 800-73-5: Parts 1–3 ipd (Initial Public Draft)

SP 800-73-5: Parts 1–3 ipd, Interfaces for Personal Identity Verification, describes the technical specifications for using the PIV cards including a PIV data model (Part 1), card edge interface (Part 2), and application programming interface (Part 3). Major changes to the documents include:

• Removal of the previously deprecated CHUID authentication mechanism
• Deprecation of the SYM-CAK and VIS authentication mechanisms
• Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for contactless interfaces for facility access applications
• Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
• Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
• SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement

SP 800-78-5 ipd

SP 800-78-5 ipd, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It been modified to add additional algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing including:

• Deprecation of 3TDEA algorithms with identifier ‘00’ and ‘03’
• Removal of the retired RNG from CAVP PIV component testing where applicable
• Accommodation of the Secure Messaging Authentication key
• Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031

NIST specifically seeks input from federal agencies on the suitability of the digital signature algorithms and key sizes specified in SP 800-78-5. The draft revisions accommodate RSA signatures with 2048-bit and 3072-bit keys, and ECDSA signatures with the P-256 and P-384 curves, for authentication services. NIST requests feedback on the potential need to support RSA with 4096-bit keys, or for the need to add support for the EdDSA signature algorithm that is now specified in FIPS 186-5.

Submit Comments

The comment period for these drafts is open through December 8, 2023. See the publication details (linked above) to download the drafts and comment templates. Comments and inquiries should be sent to [email protected].

January 10, 2023

NIST Releases Two Draft Guidelines on Personal Identity Verification (PIV) Credentials

NIST is announcing the initial public drafts of NIST SP 800-157r1 (Revision 1), Guidelines for Derived Personal Identity Verification (PIV) Credentials, and NIST SP 800-217, Guidelines for Personal Identity Verification (PIV) Federation. These two SPs complement Federal Information Processing Standard (FIPS) 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.

• NIST SP 800-157 has been revised to feature an expanded set of derived PIV credentials to include public key infrastructure (PKI) and non-PKI-based phishing-resistant multi-factor authenticators.
• NIST SP 800-217 details technical requirements on the use of federated PIV identity and the interagency use of assertions to implement PIV federations backed by PIV identity accounts and PIV credentials.

The public comment period for both draft publications is open through April 21, 2023. See the publication details for NIST SP 800-157r1 and NIST SP 800-217 to download the drafts and find instructions for submitting comments.

NOTE: A call for patent claims is included on page iii of each draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

January 24, 2022

FIPS 201-3 Published: Revision of Personal Identity Verification (PIV) of Federal Employees and Contractors

NIST is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 201-3, Personal Identity Verification of Federal Employees and Contractors. (See the Federal Register Notice announcing FIPS 201-3 approval.)

 FIPS 201-3 addresses the comments received during the public comment period in November 2020. High-level changes include:

• Alignment with current NIST technical guidelines on identity management, OMB policy guidelines, and changes in commercially available technologies and services
• Accommodation of additional types of authenticators through an expanded definition of derived PIV credentials
• Focus on the use of federation to facilitate interoperability and interagency trust
• Addition of supervised remote identity proofing processes
• Removal of the previously deprecated Cardholder Unique Identifier (CHUID) authentication mechanism and deprecation of the symmetric card authentication key and visual authentication mechanisms (VIS)
• Support for the secure messaging authentication mechanism (SM-AUTH)

A detailed list of changes is available in FIPS 201-3, Appendix E, Revision History, and this matrix includes public comments received on the November 2020 draft, and their resolutions.

March 23, 2021

NIST is pleased to announce the availability of version 2 of the test Personal Identity Verification (PIV) Cards

In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards. The set of test PIV Cards contains sixteen smart cards that are loaded with a PIV Card Application, as specified in Special Publication 800-73-4. The PIV Card Applications on the smart cards are loaded with test data and keys that are similar to what might appear on actual PIV Cards, with the exception that the certificates on the test PIV Cards were issued from a test public key infrastructure. Version 2 of the test PIV Cards includes examples of new, optional features that were introduced in SP 800-73-4, such as on-card biometric comparison, secure messaging, and the virtual contact interface. Information about the test cards is available on the PIV Test Cards website. The test cards are available for purchase as NIST Special Database 33.

December 22, 2020

Presentations of the Draft FIPS 201-3 virtual public workshop are available here. The workshop recording and transcript of the Q&A chat are available here.

November 3, 2020

FIPS 201, Personal Identity Verification (PIV) for Federal Employees and  Contractors, is going through a third revision and is currently available for public review at https://pages.nist.gov/FIPS201/.  Public commenting period ends 2/1/2021.

The public workshop presenting Draft FIPS 201-3 will be held on December 9^th, 2020. Please visit the  https://www.nist.gov/news-events/events/2020/12/draft-fips-201-3-virtual-public-workshop to view the agenda and register for the event.