Personal Identity Verification of Federal Employees and Contractors PIV

2010-2019 PIV News Archives

March 21, 2019:

Presentations of the FIPS 201-3 Business Requirements Meeting are available here. 
 

February 8, 2019:

Save the date for the Federal Business Requirements Meeting for FIPS 201 Revision 3 on 3/19/19.

FIPS 201, Personal Identity Verification (PIV) for Federal Employees and Contractors, will be going through a third revision soon. In preparation for the revision, NIST invites federal departments and agencies’ representatives to participate in this government-only meeting to discuss the change requests accumulated over the past five years. For more information and to register, click here. The registration deadline is 3/12/19.
 

June 29, 2018:
NIST releases Special Publication SP 800-116 Revision 1, Guidelines for the Use of PIV Credentials in Facility Access

NIST is pleased to announce the release of Special Publication 800-116 Revision 1, Guidelines for the Use of PIV Credentials in Facility Access. This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. See the summary of the high-level changes.

May 9, 2017:

In mid-2016, the NIST PIV Validation Program proposed a transition plan to move from RNG-based to DRBG-based PIV cards by the end of June 2017. This transition plan was initiated because agencies indicated that they and their vendors were not yet able to migrate to SP 800-90A DRBG PIV cards.

However, as the June 2017 date approaches, it has become apparent that another extension is necessary to issue and use RNG PIV cards until DRBG PIV cards are validated and available with compatible card management software.

To allow an orderly transition to DRBG PIV cards, the PIV Validation Program will grant an additional one-year extension through June 30, 2018. This allows affected PIV Card vendors time to complete CMVP- and PIV-based validation, and grants additional time to prepare, update, or deploy any other components that may be necessary to issue or use the new DRBG PIV Cards.

According to this revised transition plan, agencies may continue to issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2018. Future procurements of any legacy PIV cards that may be needed during this transition should be planned to minimize excess legacy card stock at the time of this deadline.

However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2024. 
 

August 6, 2016:

Beginning in 2016, the CMVP enforced the RNG transition, requiring new modules to implement the SP 800-90A DRBGs and requiring vendors to update previously validated modules to remain on the active validation list. NPIVP, which relies on the CMVP for cryptographic module testing, also enforced this transition and is requiring the use of validated DRBGs in PIV cards.

However, feedback from agencies has indicated that vendors are not yet able to migrate to SP 800-90A DRBG PIV cards. As a result, the legacy RNG PIV cards will continue to be issued and used until DRBG PIV cards are available with compatible card management software.

To support the migration of PIV cards to DRBGs, the PIV Validation Program proposes a one-year conditional transition plan ending by June 30, 2017, that allows the continued issuance and use of previously validated PIV cards using legacy RNGs that do not pose an immediate security risk.

According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2023. 
 

August 5, 2016:

NPIVP laboratories have received the SP 800-73-4 Test Runner and have commenced testing and evaluation of PIV Card Application and PIV Middleware implementations based on SP 800-73-4. The tool is also available for download by the general public, including vendors, who can accelerate the validation process by fine-tuning their implementations with the tool before submitting products to NPIVP labs. Use the following link to download the Test Runner.
 

June 7, 2016:
Special Publication 800-166, Derived PIV Application and Data Model Test Guidelines

NIST announces the release of Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines. SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials. 
 

May 23, 2016:
NIST Releases Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export

NIST is pleased to announce the release of Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export. The document provides the data representation of a chain-of-trust record for the exchange of records between PIV Card issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and for confidentiality through encryption of chain-of-trust data in transit and at rest.
 

April 21, 2016:
NIST Releases the final version of "Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access"

NIST announces the final release of the best practices guide for Personal Identity Verification (PIV)-enabled privileged access. The paper is in response to the Office of Management and Budget (OMB)’s October 2015 "Cybersecurity Strategy and Implementation Plan" (note: link was removed, no longer works), included in the Cyber National Action Plan (CNAP), requiring Federal agencies to use PIV credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies to implement PIV authentication for privileged users.
 

April 13, 2016:
NIST Releases SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)

Special Publication (SP) 800-85A-4 provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification, and SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object;
  • Tests for populating these newly added data objects in the PIV Card Application;
  • Tests to verify the on-card biometric comparison mechanism;
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface; and
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.
 

February 19, 2016:
Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), Comment Period Has Been Extended

The comment period for Draft Special Publication 800-116 Revision 1 has been extended, and now closes at 5:00 EST (US and Canada) on March 1, 2016 - Comment period is now closed. 
 

February 8, 2016:
NIST announces release of Draft Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines for public comment

Draft SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. Draft SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials. 

Comment period closed on: March 14, 2016.
Email comments or questions to [email protected].

Draft SP 800-166 
 

February 5, 2016:
Whitepaper - DRAFT Best Practices for Privileged User PIV Authentication

This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requiring Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies to implement PIV authentication for privileged users.

Comment period closed on: March 4, 2016.
Email comments or questions to [email protected].

Link to the Whitepaper "Best Practices for Privileged User PIV Authentication"

December 29, 2015:
NIST Announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export is Available for Public Comment

NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export, is now available for public comment. This document provides the data representation of a chain-of-trust record for the exchange of records between issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and for confidentiality through encryption of chain-of-trust data in transit and at rest.

Comment period closed on January 28, 2016.
Email comments or questions to [email protected]
 

December 28, 2015:
NIST Announced Release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

NIST is pleased to announce the public comment release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. High-level changes include:

  • Addition of the OCC-AUTH authentication mechanism introduced in FIPS 201-2.
  • In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
    • Removal of the CHUID + VIS authentication mechanism from the list of recommended authentication mechanisms
    • Addition of a new section (5.3.1) titled “Migrating Away from the Legacy CHUID Authentication Mechanism” to aid in the transition away from the CHUID + VIS authentication mechanism
    • In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official who signs an Authorization to Operate (ATO) to indicate acceptance of the risks
    • Addition of a new appendix titled “Improving Authentication Transaction Times” to aid in transitioning away from the weak CHUID authentication mechanism to the stronger but computationally more expensive cryptographic one-factor authentication mechanism (PKI-CAK)
  • Addition of a new section (5.4) titled “PIV Identifiers” and a summary table with pros and cons describing the identifiers available on the PIV Card that can map to a PACS’s access control list.
  • In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice’s “Vulnerability Assessment Report of Federal Facilities” document with the ISC’s document titled “Risk Management Process for Federal Facilities” to aid in deriving the security requirements for facilities.

Email comments or questions to [email protected]
Comment period closed on March 1, 2016.
 

July 30, 2015:
Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI) has been Approved as Final

NIST is pleased to announce the release of Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). The document provides guidelines for assessing the reliability of issuers of PIV Cards and issuers of the newly introduced Derived PIV Credential for mobile devices. The document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and
  • Modified process to include an independent review prior to authorization of the issuer.
 

June 18, 2015:
NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key has been Approved as Final & is now Available

NIST is pleased to announce the release of NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key. The document provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card. The document clarifies the requirement for “explicit user action” and specifies a range of PIN caching options that maintain the goal of “explicit user action” while adhering to a consistent and reliable level of security. The document will encourage the development of compliant applications and middleware that use the digital signature key.
 

June 8, 2015:
Draft Special Publication 800-85A-4

NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object,
  • Tests for populating these newly added data objects in the PIV Card Application,
  • Tests to verify the on-card biometric comparison mechanism,
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface, and
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.

Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft guidelines and submit comments.

Email comments or questions to [email protected]
Comment period closed on July 10, 2015.
 

June 1, 2015:
Two PIV Special Publications (SP) have been Released: (1) SP 800-73-4, Interfaces for Personal Identity Verification, AND (2) SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

#1: NIST is pleased to announce the release of Special Publication 800-73-4, Interfaces for Personal Identity Verification. This document has been updated to align with Final FIPS 201-2 and to reflect the disposition of comments that were received on the first and second drafts of SP 800-73-4, published in May 2013 and May 2014, respectively. The complete set of comments and dispositions is provided below.

High level changes from SP 800-73-3 to SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • Inclusion of clarifying information about the virtual contact interface and the use of the pairing code;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism;
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits;
  • In collaboration with the FICAM FIPS 201 Test Program, reduction of some of the PIV Card options where possible.
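As an added illustration of the PIN-enforcement bullet above (example code written for this page, not NIST's or any vendor's implementation): a check that a PIV Card Application, or middleware in front of it, could apply to a PIN block before a VERIFY. The page states only the six-digit minimum; the block format it assumes, from SP 800-73-4, is 6 to 8 ASCII digits right-padded with 0xFF to exactly 8 bytes.

```python
"""Added example (not NIST code): validate a PIV Card Application PIN block.

Assumed format, taken from SP 800-73-4 rather than from this page:
6 to 8 ASCII digits ('0'-'9'), right-padded with 0xFF to exactly 8 bytes.
"""
from typing import Tuple

MIN_PIN_DIGITS = 6   # minimum PIN length required by SP 800-73-4 (stated on this page)
PIN_BLOCK_LEN = 8    # the PIN block is always 8 bytes; shorter PINs are padded
PAD = 0xFF           # padding byte (assumption from SP 800-73-4)


def validate_pin_block(block: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects wrong block length, non-digit bytes,
    too few digits, and digits that appear after padding has started."""
    if len(block) != PIN_BLOCK_LEN:
        return False, f"PIN block must be {PIN_BLOCK_LEN} bytes, got {len(block)}"
    n_digits = 0
    in_padding = False
    for i, b in enumerate(block):
        if b == PAD:
            in_padding = True
        elif 0x30 <= b <= 0x39:          # ASCII '0'..'9'
            if in_padding:
                return False, f"digit at offset {i} follows padding"
            n_digits += 1
        else:
            return False, f"byte 0x{b:02X} at offset {i} is neither an ASCII digit nor 0xFF"
    if n_digits < MIN_PIN_DIGITS:
        return False, f"PIN has {n_digits} digits; minimum is {MIN_PIN_DIGITS}"
    return True, f"{n_digits}-digit PIN"


def encode_pin(pin: str) -> bytes:
    """Build a PIN block from a digit string (the formatting side of the same rule)."""
    if not pin or any(c not in "0123456789" for c in pin):
        raise ValueError("PIN must consist of ASCII digits only")
    if not MIN_PIN_DIGITS <= len(pin) <= PIN_BLOCK_LEN:
        raise ValueError(f"PIN must be {MIN_PIN_DIGITS} to {PIN_BLOCK_LEN} digits")
    return pin.encode("ascii") + bytes([PAD]) * (PIN_BLOCK_LEN - len(pin))


# Constructed sample blocks: the first two are well formed, the rest are not.
SAMPLES = {
    "six digits, padded": encode_pin("123456"),
    "eight digits": b"12345678",
    "five digits": b"12345\xff\xff\xff",
    "digit after padding": b"123456\xff7",
    "letter in PIN": b"12345a\xff\xff",
    "unpadded six bytes": b"123456",
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        ok, reason = validate_pin_block(block)
        print(f"{name:22s} -> {'OK ' if ok else 'REJECT'} ({reason})")
```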

The complete set of comments and dispositions is provided below.

#2: NIST announces the release of Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to align with updates in SP 800-73-4. The document reflects the disposition of comments that were received on the first and second drafts of SP 800-78-4, which were published in May 2013 and May 2014, respectively. In particular, the following changes were introduced in SP 800-78-4:

  • Removal of information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past;
  • Addition of algorithm and key size requirements for the optional PIV Secure Messaging key;
  • Addition of requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing;
  • Clarification that RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2^256.)
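The last bullet above gives two different exponent rules: what a PIV Card may carry (exactly 65,537) and what a client should tolerate (any odd exponent in [65,537, 2^256)). The following is an added example, not NIST code or any validation-program tool, of a checker that decodes a DER-encoded PKCS#1 RSAPublicKey and applies whichever rule fits the caller's role. The small DER encoder is there only to construct sample keys inline; the toy modulus is far shorter than a real PIV key.

```python
"""Added example (not NIST code): check an RSA public exponent against the
SP 800-78-4 rule. Input is a DER-encoded PKCS#1 RSAPublicKey:
    RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
Sample keys below are constructed here with a toy modulus for illustration."""

MIN_E = 65537            # the only exponent a PIV Card may carry
MAX_E_EXCLUSIVE = 1 << 256  # clients are asked to accept odd e with MIN_E <= e < 2^256


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """Build a PKCS#1 RSAPublicKey (used here only to construct sample inputs)."""
    inner = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_rsa_public_key(der: bytes):
    """Return (n, e) from a DER RSAPublicKey; raise ValueError if malformed."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    t1, n_bytes, p = _read_tlv(seq, 0)
    t2, e_bytes, p2 = _read_tlv(seq, p)
    if t1 != 0x02 or t2 != 0x02 or p2 != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def classify_exponent(e: int) -> str:
    """'issuer-ok': e == 65537 (the only value a PIV Card may hold);
       'client-ok': odd and 65537 <= e < 2^256 (clients are encouraged to accept);
       'reject'   : anything else."""
    if e == MIN_E:
        return "issuer-ok"
    if e % 2 == 1 and MIN_E <= e < MAX_E_EXCLUSIVE:
        return "client-ok"
    return "reject"


def check_piv_rsa_key(der: bytes, role: str = "issuer") -> bool:
    """role='issuer': strict rule for keys placed on a PIV Card.
       role='client': the wider tolerance SP 800-78-4 asks client applications for."""
    _, e = decode_rsa_public_key(der)
    verdict = classify_exponent(e)
    if role == "issuer":
        return verdict == "issuer-ok"
    return verdict in ("issuer-ok", "client-ok")


# Constructed sample keys (toy 256-bit modulus; real PIV keys are 2048-bit).
TOY_N = 0xC2F3A5B7D9E1F30527495B6D7F9192B3C5D7E9FB0D1F3547596B7D8FA1B3C5D7
KEY_E65537 = encode_rsa_public_key(TOY_N, 65537)
KEY_E3 = encode_rsa_public_key(TOY_N, 3)              # too small: reject everywhere
KEY_E65539 = encode_rsa_public_key(TOY_N, 65539)      # odd, in range: client-only
KEY_E65538 = encode_rsa_public_key(TOY_N, 65538)      # even: reject everywhere
KEY_E_HUGE = encode_rsa_public_key(TOY_N, (1 << 256) + 1)  # >= 2^256: reject

if __name__ == "__main__":
    for name, key in [("65537", KEY_E65537), ("3", KEY_E3), ("65539", KEY_E65539),
                      ("65538", KEY_E65538), ("2^256+1", KEY_E_HUGE)]:
        print(f"e={name:8s} issuer={check_piv_rsa_key(key, 'issuer')!s:5s} "
              f"client={check_piv_rsa_key(key, 'client')}")
```

The issuer rule is the one a card personalization or validation step should apply; the client rule exists so that middleware does not reject a key merely because another issuer chose a different permitted exponent.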

The complete set of comments and dispositions is provided below.

March 21, 2015:
Presentations of the Workshop on Upcoming Special Publications Supporting FIPS 201-2 are Available Here.
 

December 19, 2014:
Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials

NIST announces the release of Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 defines a technical specification for implementing and deploying Derived PIV Credentials on mobile devices, such as smart phones and tablets. The goal of the Derived PIV Credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.

Comments and their dispositions received during the public comment period are available here
 

September 5, 2014:
NIST PIV Validation Program updated the PIV Middleware and PIV Card Application Validation Lists

The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation Lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that, beginning 09/05/14, new and replacement cards issued by Departments and Agencies conform to FIPS 201-2, both when on-boarding and when replacing PIV Cards as they expire over the next 5 years.

The impact on the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are affected, because all that FIPS 201-2 compliance requires of them is that some PIV Card credentials that were optional under FIPS 201-1 be present, as they are now mandatory. The Removed Products List (RPL) is now available. The effect on validated PIV Middleware is broader: PIV Middleware is required to support all functionality (function calls and credentials) of a fully loaded PIV Card. Since SP 800-73-1 and SP 800-73-2 PIV Middleware do NOT support the new FIPS 201-2 functionality, they have to be placed on the RPL. The PIV Middleware RPL is also available. Note: the PIV Middleware listed in the SP 800-73-3 PIV Middleware Validation List remains valid and will not be removed; these implementations support the optional credentials and functionality that are now mandatory under FIPS 201-2.

Finally, the NPIVP Validation Authority also removed validated PIV Card Applications that have remained in a ‘pending’ state for FIPS 140-2 validation for 3 years or longer. These card applications never received FIPS 140-2 validation, and thus are not allowed to be used by the USG.
 

August 5, 2014:
NIST Draft Special Publication SP 800-85B-4, PIV Data Model Conformance Test Guidelines

NIST has produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the new features added to the PIV Data Model in SP 800-73-4 Part 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft Guidelines and submit comments to NIST by sending them to [email protected] with "Comments on Public Draft SP 800-85B-4" in the subject line.

Link to the Draft Document

Comment period closed on September 5, 2014.
All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. 
 

June 2, 2014:
DRAFT Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)

NIST announces that Draft Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), is now available for public comment. This document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and
  • Modified process to include an independent review prior to authorization of the issuer.

Comment period closed on June 30, 2014.
Email comments or questions to: [email protected] 
 

May 19, 2014:
2 Draft PIV Special Publications (SP) have been Released for Public Comment: (1) Revised Draft SP 800-73-4, Interfaces for Personal Identity Verification, and (2) Revised Draft SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

Draft #1: NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see the last link for this draft on the Drafts page, titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4").

High level changes include:

  • A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.
  • In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:
    • rarely used data elements Buffer Length, DUNS and Organization Identifier in the CHUID data object
    • legacy data element MSCUID in all X.509 Certificate data objects and
    • legacy data elements Extended Application CardURL and Security Object Buffer in the Card Capability Container
  • Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.
  • Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”

NIST also requests comments on the pairing code, which is part of the new Virtual Contact Interface (VCI) of the PIV Card. Its purpose is to prevent skimming of cardholder data in a wireless environment by an unauthorized wireless reader in the vicinity of the cardholder, and to ensure that ‘cardholder consent’ for the release of cardholder data is enforced. The pairing code is part of the Virtual Contact Interface that provides for communication and enables wireless transactions between the PIV Card and NFC-enabled devices for authentication, signing, or encryption. NIST assesses that the pairing code concept is the optimum method available to mitigate the skimming threat.

NIST has received some comments objecting to the use of a pairing code to protect data against skimming in a wireless environment and strongly recommending that it be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or whether the departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with the pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface, and thus skimming has not been an issue.)

Comment period closed on June 16, 2014.

Email comments or questions to: [email protected]

Draft #2: NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see the last link for this draft on the Drafts page, titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4").

Comment period closed on June 16, 2014.
Email comments or questions to: [email protected] 
 

March 7, 2014: 
Draft Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials and Draft NIST Interagency Report 7981, Mobile, PIV, and Authentication, are now available

#1  -- NIST announces release of Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, for public comment. Draft SP 800-157 defines a technical specification for implementing and deploying derived PIV credentials on mobile devices, such as smart phones and tablets. The goal of the derived PIV credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.

Email comments or questions to: [email protected]
Comment period closed on April 21, 2014.

#2 -- NIST announces the release of Draft NIST IR 7981, Mobile, PIV, and Authentication, for public comment. NIST IR 7981 analyzes and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.

Email comments or questions to: [email protected]
Comment period closed on April 21, 2014.

December 13, 2013:
Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key is available for public comment.

NIST is pleased to announce that Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment. NISTIR 7863 provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card.

NIST requests comments on NISTIR 7863 by 5:00pm EST on January 17, 2014. Please submit comments on Draft NISTIR 7863 using the comment template form (click the link above to Draft NISTIR 7863 to go to the Drafts page, where the link to the comment template can be found) to [email protected] with “Comments on NISTIR 7863” in the subject line.
 

September 5, 2013:
Federal Information Processing Standard (FIPS) Publication 201-2, the Standard for Personal Identity Verification of Federal Employees and Contractors

NIST is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 201-2, Personal Identity Verification of Federal Employees and Contractors. (See the Federal Register Notice announcing FIPS 201-2 approval.) This revision includes adaptations to changes in the environment and technology since the publication of FIPS 201-1, clarifications to existing text, additional text to resolve ambiguities and specific changes requested by Federal agencies and implementers. 

FIPS 201-2 reflects the disposition of comments that were received during the public comment periods for the first and second drafts of the Standard, which were published on March 8, 2011, and July 9, 2012, respectively. The complete sets of comments and dispositions are provided in the two links below. 

High level changes include:

  • Introduction of chain-of-trust and grace period for PIV card reissuance processes,
  • Relaxation of PIV Card termination requirements and specifically certificate revocation,
  • New options for physical card characteristics to help agencies achieve Section 508 compliance for PIV card orientation,
  • A UUID as a mandatory unique identifier for the PIV Card,
  • Downgrade of the authentication mechanism associated with the Card Holder Unique Identifier (CHUID) to indicate that it provides little or no assurance of identity,
  • Updates to the PIV card’s on-board credentials include:
    • Expansion of the core mandatory credentials: the previously optional asymmetric Card Authentication key, Digital Signature key and Key Management key are now mandatory,
    • New optional credentials: iris recognition and on-card fingerprint comparison (OCC),
  • Introduction of an optional virtual contact interface (VCI), over which all functionalities of the PIV Card are accessible via contactless interface,
  • Accommodation for mobile devices in the form of PIV derived credentials that can be provisioned to mobile devices.

A detailed list of changes is available in FIPS 201-2, Appendix E, Revision History

2011 Draft comments and dispositions

2012 Draft comments and dispositions
 

May 13, 2013:
Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, and Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, are now available

#1 -- NIST announces that Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to align with Candidate Final FIPS 201-2. Major changes in draft SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism; and
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits.

#2 -- NIST announces that Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to add algorithm and key size requirements for secure messaging and to add requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing. In particular, the following changes are introduced in draft SP 800-78-4:

  • Algorithm and key size requirements for the optional PIV Secure Messaging key have been added.
  • RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2^256.)
  • A new Section was added to provide requirements for CAVP validation testing.
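The exponent rule above has two sides: what an issuer may put in a PIV certificate (exactly 65,537) and what a relying application should still tolerate (any odd exponent from 65,537 up to but excluding 2^256). The following is an added example, not code from NIST or SP 800-78-4: it parses a PKCS#1 RSAPublicKey structure with a small, strict DER reader and reports which rule a given exponent satisfies. The DER encoder is included only to construct test input offline; the sample modulus is a constructed 2048-bit odd number, not a real RSA key.

```python
# Added example (not text or code from the NIST page): parse a PKCS#1
# RSAPublicKey and apply the two public-exponent rules of SP 800-78-4:
#   issuer side:  e MUST be exactly 65537;
#   client side:  accept any odd e with 65537 <= e < 2**256.
# The DER routines are minimal and hand-written so the example runs offline.

ISSUER_EXPONENT = 65537
CLIENT_MIN_EXPONENT = 65537
CLIENT_MAX_EXPONENT_EXCLUSIVE = 1 << 256


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int (leading 0x00 when the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    content = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV starting at pos; strict on lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def _positive_integer(value):
    """Decode a DER INTEGER body that must be positive and minimally encoded."""
    if not value or value[0] & 0x80:
        raise ValueError("RSA parameters must be positive")
    if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big")


def parse_rsa_public_key(der):
    """Return (n, e) from a DER RSAPublicKey, rejecting trailing or missing bytes."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, n_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("modulus must be INTEGER")
    tag, e_bytes, pos = _read_tlv(seq, pos)
    if tag != 0x02 or pos != len(seq):
        raise ValueError("publicExponent must be the last INTEGER")
    return _positive_integer(n_bytes), _positive_integer(e_bytes)


def issuer_exponent_ok(e):
    return e == ISSUER_EXPONENT


def client_exponent_ok(e):
    return e % 2 == 1 and CLIENT_MIN_EXPONENT <= e < CLIENT_MAX_EXPONENT_EXCLUSIVE


def check_exponent(der):
    """Summarise one key: who would accept it under SP 800-78-4."""
    n, e = parse_rsa_public_key(der)
    return {
        "modulus_bits": n.bit_length(),
        "e": e,
        "issuer_ok": issuer_exponent_ok(e),
        "client_ok": client_exponent_ok(e),
    }


# Constructed sample: a 2048-bit odd number standing in for a modulus. It is
# not a real RSA modulus; only the encoding and the exponent rule are exercised.
SAMPLE_MODULUS = (1 << 2047) | (0xC0FFEE << 64) | 1

if __name__ == "__main__":
    for e in (65537, 3, 65539, (1 << 256) + 1):
        print(check_exponent(der_rsa_public_key(SAMPLE_MODULUS, e)))
```

The reader rejects negative and non-minimal INTEGER encodings as well as trailing bytes, which is the behaviour a PIV middleware parser needs when handed a certificate from a card it does not trust yet.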

Comment period closed on June 14, 2013.
 

August 26, 2012:
Presentations From the Revised FIPS 201-2 Workshop

Presentations from the Revised Draft FIPS 201-2 workshop are available here.
 

July 26, 2012:
NIST is pleased to announce the availability of test Personal Identity Verification (PIV) Cards.

In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards. The set of test PIV Cards contains sixteen smart cards that are loaded with a PIV Card Application, as specified in Special Publication 800-73-3. The PIV Card Applications on the smart cards are loaded with test data and keys that are similar to what might appear on actual PIV Cards, with the exception that the certificates on the test PIV Cards were issued from a test public key infrastructure. Information about the test cards is available on the PIV Test Cards website. The test cards are available for purchase as a NIST Special Database.
 

July 9, 2012:
Revised Draft FIPS 201-2 and Associated Public Workshop

The NIST Computer Security Division released the Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. The Revised Draft FIPS 201-2 reflects the disposition of comments received from the first public comment Draft FIPS 201-2 (the 2011 Draft) published on March 8, 2011. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the Revised Draft. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD, to present the Revised Draft FIPS 201-2.

Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on the Revised Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic comments may be sent to: [email protected]. Please state "Revised Draft FIPS 201-2 Comments" in the subject line of the email. Comment period closed on August 10, 2012.

A summary and analysis of the comments received during the public comment period of the 2011 Draft and NIST's disposition of these comments, as reflected in the Revised Draft FIPS 201-2, are provided in the Federal Register Notice (FRN). The complete set of comments and dispositions are provided in a link provided below.

Simultaneously, NIST is releasing a revised draft of Special Publication 800-76-2 Biometric Specifications for Personal Identity Verification, supporting the Revised Draft FIPS 201-2. Comments are also invited by August 10, 2012 with the dedicated template listed below.

The public workshop on the Revised Draft FIPS 201-2 will be held on Wednesday, July 25, 2012, at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on the Revised Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Revised Draft. Anyone wishing to attend the workshop in person must pre-register by 5:00pm Eastern Time on Monday, July 18th, 2012, in order to enter the NIST facility and attend the workshop.

Revised Draft FIPS 201-2

Revised Draft FIPS 201-2 Track-Change version

Comments and Dispositions on the 2011 Draft

Revised Draft SP 800-76-2 (PDF)

April 26, 2011:
Presentations From FIPS 201-2 Workshop

Presentations for the Draft FIPS 201-2 workshop are available here.
 

April 18, 2011:
Biometric Data Specification for Personal Identity Verification is Now Available

NIST is pleased to announce the availability of the public comment draft of NIST Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification. The draft amends the 2007 specification SP 800-76-1 to include iris recognition and on-card fingerprint comparison, and to extend and refine the biometric sensor and performance specifications. Note that FIPS 201-2, the binding parent PIV specification, is simultaneously open for public comment. 

Written comments on SP 800-76-2 may be sent to: Patrick Grother, Information Access Division, Information Technology Laboratory, ATTN: Comments on Revision Draft SP 800-76-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7740, Gaithersburg, MD 20899-7740. 

Electronic comments on SP 800-76-2 should be drafted and sent to: [email protected].
Comment period closed on June 6, 2011.

(Note: As of July 2013, this draft (SP 800-76-2) has been approved as final).
 

April 11, 2011:
Registration for the FIPS 201-2 Workshop Has Been Extended by Two Days

The deadline to register for the FIPS 201-2 workshop has been extended by two days. Register by close of business Wednesday, April 13, 2011, in order to enter the NIST facility and attend the workshop.
 

March 8, 2011:
NIST is Pleased to Announce the Public Comment Draft FIPS 201-2 and Associated Public Workshop

The NIST Computer Security Division is pleased to announce Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. Draft FIPS 201-2 amends FIPS 201-1 and includes adaptations to changes in the environment since the publication of FIPS 201-1, and specific changes requested by Federal agencies and implementers. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the proposed changes. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD to present the Draft FIPS 201-2.

Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on Revision Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7730, Gaithersburg, MD 20899-7730. 

Electronic comments may be sent to: [email protected]. Comments must be received by June 6, 2011.

Both FIPS 201-1 and Draft FIPS 201-2 are available electronically from the CSRC archive publication record page (both versions have been withdrawn and superseded by updated versions). A summary of changes reflected in Draft FIPS 201-2 is available in the Federal Register Notice (FRN).

The public workshop on Draft FIPS 201-2 will be held Monday and Tuesday, April 18 and 19, 2011 at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Draft. The agenda, webcast and related information for the public workshop will be available before the workshop on the NIST Computer Security Resource Center Web site at http://csrc.nist.gov. Anyone wishing to attend the workshop in person, must pre-register at http://www.nist.gov/allevents.cfm by close of business Monday, April 11, 2011, in order to enter the NIST facility and attend the workshop.

(Note: FIPS 201-2 has since been approved as final.)
 

January 5, 2011:
NIST is Proud to Announce the Release of Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

NIST announces that Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, has been released. The document has been modified 1) to align the set of acceptable RSA public key exponents with FIPS 186-3 and 2) to permit the use of SHA-1 after 12/31/2010 when signing revocation information, under limited circumstances.
(Note: As of May 2015, SP 800-78-4 is the current supporting document.)
 

July 27, 2010:
Special Publication 800-85A-2, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 Compliance)

NIST is pleased to announce the release of Special Publication (SP) 800-85A-2, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Middleware and the PIV Card Application interfaces for conformance to the specifications in SP 800-73-3 (Interfaces for Personal Identity Verification). The document is a revision of the earlier version (April 2009), which reflected the TA and DTR from the superseded SP 800-73-2, 2008 Edition.
(Note: SP 800-85A-4 is the current version of this document.)

This revision includes the additional tests necessary to test the optional features added to the PIV Data Model and Card Interface, as well as to the PIV Middleware, through SP 800-73-3 Parts 1, 2 and 3.

These include:

  • Tests for retrieving the newly added optional PIV data objects, such as the Key History object, the twenty retired X.509 Certificates for Key Management and the Iris Image data object
  • Tests for populating these newly added data objects on the PIV Card
  • Tests for verifying the correct behavior of the RSA key transport and ECDH key agreement schemes.
     

May 13, 2010:
NIST Draft Special Publication SP 800-85A-2 "PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 compliance)"

NIST has released a revised version of NIST Special Publication 800-85A. The revised document is titled Draft Special Publication 800-85A-2, “PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 compliance)”. The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface, as well as to the PIV Middleware, through specifications SP 800-73-3 Parts 1, 2 and 3. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-2. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to [email protected].

Comment period closed on May 27, 2010. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

(Note: As of Oct. 2017, the current supporting document is SP 800-85A-4. Please visit the CSRC SP page for more details on this document.)
 

March 18, 2010:
NIST Releases Draft NIST IR 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards

NIST announces that Draft NIST Interagency Report 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards, has been released for public comment. (NOTE: The Draft NIST IR 7676 has been withdrawn and the link directs to the final version.)

NIST Special Publication 800-73-3, Interfaces for Personal Identity Verification, introduces the ability to store retired Key Management Keys within the PIV Card Application on a PIV Card. NIST IR 7676 complements SP 800-73-3 by providing some of the rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing suggestions to smart card vendors, PIV Card Issuers and middleware developers on the use of the Key History mechanism.
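Middleware that wants to decrypt old mail has to read the Key History object first: its two counters say how many retired Key Management Keys the card holds and which of them have their certificates on the card rather than at an off-card URL. The following is an added example, not code from NIST, NISTIR 7676 or SP 800-73-3, and it also covers the Key History retrieval tests listed under SP 800-85A-2 above. It parses a GET DATA response carrying the Key History object with a BER-TLV reader and maps each counted key onto its key reference and certificate data object. The retired key references '82' through '95' and certificate object tags '5FC10D' through '5FC120' are as specified in SP 800-73-3 Part 1; the Key History tag numbers (C1, C2, F3, FE) and the rule that keys with on-card certificates occupy the first slots are as I recall them from the same document and should be verified against it. The encoder at the end exists only to construct sample input; no card is contacted.

```python
# Added example (not from the NIST page or SP 800-73 itself): parse the PIV
# Key History data object and map its counters onto the retired Key Management
# key references and certificate data objects introduced in SP 800-73-3.

KEY_HISTORY_TAGS = {                 # assumption: tag values per SP 800-73-3 Part 1
    0xC1: "keysWithOnCardCerts",
    0xC2: "keysWithOffCardCerts",
    0xF3: "offCardCertURL",
    0xFE: "errorDetectionCode",
}
GET_DATA_WRAPPER_TAG = 0x53
FIRST_RETIRED_KEY_REF = 0x82         # retired KMK 1 is key reference '82', ..., KMK 20 is '95'
FIRST_RETIRED_CERT_TAG = 0x5FC10D    # certificate object for retired KMK 1, ..., '5FC120' for KMK 20
MAX_RETIRED_KEYS = 20


def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv_iter(buf):
    """Yield (tag, value) pairs; handles multi-byte tags such as 5F C1 0D."""
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:                      # subsequent tag octets follow
            while True:
                if pos >= len(buf):
                    raise ValueError("truncated tag")
                tag = (tag << 8) | buf[pos]
                pos += 1
                if not buf[pos - 1] & 0x80:
                    break
        if pos >= len(buf):
            raise ValueError("truncated length")
        first = buf[pos]
        pos += 1
        if first < 0x80:
            length = first
        else:
            nbytes = first & 0x7F
            if nbytes == 0 or pos + nbytes > len(buf):
                raise ValueError("bad length")
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > len(buf):
            raise ValueError("truncated value")
        yield tag, buf[pos:pos + length]
        pos += length


def parse_key_history(get_data_response):
    """Decode the '53'-wrapped Key History object and derive the retired-key layout."""
    outer = list(ber_tlv_iter(get_data_response))
    if len(outer) != 1 or outer[0][0] != GET_DATA_WRAPPER_TAG:
        raise ValueError("expected a single '53' data object")
    fields = {}
    for tag, value in ber_tlv_iter(outer[0][1]):
        name = KEY_HISTORY_TAGS.get(tag)
        if name is None:
            raise ValueError("unexpected tag %#x in Key History object" % tag)
        fields[name] = value
    on_card = fields["keysWithOnCardCerts"][0] if fields.get("keysWithOnCardCerts") else 0
    off_card = fields["keysWithOffCardCerts"][0] if fields.get("keysWithOffCardCerts") else 0
    url = fields["offCardCertURL"].decode("ascii") if fields.get("offCardCertURL") else None
    if on_card + off_card > MAX_RETIRED_KEYS:
        raise ValueError("more than 20 retired keys claimed")
    if off_card > 0 and url is None:
        raise ValueError("off-card certificates claimed without an offCardCertURL")
    slots = []
    for i in range(on_card + off_card):
        slots.append({
            "index": i + 1,
            "key_ref": FIRST_RETIRED_KEY_REF + i,
            "cert_tag": FIRST_RETIRED_CERT_TAG + i,
            "cert_on_card": i < on_card,   # assumption: on-card-cert keys occupy the first slots
        })
    return {"keysWithOnCardCerts": on_card, "keysWithOffCardCerts": off_card,
            "offCardCertURL": url, "slots": slots}


def build_key_history(on_card, off_card, url=None):
    """Encode a Key History object as a GET DATA response (constructed test input only)."""
    def tlv(tag, value):
        return bytes([tag]) + ber_length(len(value)) + value
    content = tlv(0xC1, bytes([on_card])) + tlv(0xC2, bytes([off_card]))
    if url is not None:
        content += tlv(0xF3, url.encode("ascii"))
    content += tlv(0xFE, b"")
    return tlv(GET_DATA_WRAPPER_TAG, content)


if __name__ == "__main__":
    sample = build_key_history(3, 2, "https://example.test/certs")   # constructed, not a real card
    for slot in parse_key_history(sample)["slots"]:
        print("retired KMK %2d: key ref %02X, cert object %06X, on card: %s"
              % (slot["index"], slot["key_ref"], slot["cert_tag"], slot["cert_on_card"]))
```

A middleware would take each slot's cert_tag, read the certificate when cert_on_card is true (or fetch it from offCardCertURL otherwise), and match the certificate against the recipient information in the encrypted message before selecting key_ref for the decryption operation.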

Comment period closed on April 23, 2010.
Email comments/questions to [email protected]
(Note: This Draft NISTIR 7676 has been approved as final. Click here to learn more about the final version of NISTIR 7676.)
 

February 22, 2010:
NIST is Proud to Announce the Release of Special Publication 800-73-3 Interfaces for Personal Identity Verification

NIST announces that Special Publication 800-73-3, Interfaces for Personal Identity Verification, has been released. SP 800-73-3 introduces new, optional features including:

  1. on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
  2. use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-2; and 
  3. provisions for Non-Federal Issuer (NFI) credentials. SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities. 

Except for very minor editorial changes, the Revision History in Part 1 of SP 800-73-3 lists all updates to SP 800-73 since its initial release.

(Note:  As of Oct. 2015, the current document is SP 800-73-4)
(Note 2: As of July 2024, this document has been split into three parts; the current documents are SP 800-73-5 Part 1, SP 800-73-5 Part 2 and SP 800-73-5 Part 3.) Please visit the CSRC Special Publications page for more details on this document.
 

February 22, 2010:
NIST is proud to announce the release of Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV)

NIST is pleased to announce the release of Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in SP 800-78-2:

  • The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in SP800-78-2 as a key agreement scheme for the PIV card.
  • The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
  • For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant with the Electronic Codebook (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in SP 800-78-2.

(Note: As of Oct. 2017, the current document is SP 800-78-4.)
(Note 2: SP 800-78-4 has since been superseded; the current document is SP 800-78-5.)
Please visit the CSRC Special Publications page for more details on this document.

 


Created May 24, 2016, Updated December 30, 2025