Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

SP 1800-12 (DRAFT)

Derived Personal Identity Verification (PIV) Credentials

Date Published: September 2017
Comments Due: November 29, 2017 (public comment period is CLOSED)
Email Questions to: piv-nccoe@nist.gov

Author(s)

William Newhouse (NIST), Michael Bartock (NIST), Jeffrey Cichonski (NIST), Hildegard Ferraiolo (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE), Spike Dog (MITRE), Susan Prince (MITRE)

Announcement

The Federal Government utilizes PIV cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems. PIV cards require the use of a smart card reader that is typically integrated in desktop and laptop computers. Increasingly, users are performing their work on mobile devices, such as cell phones and tablets, which lack smart card readers needed to authenticate users. External readers are available, but they are an additional cost and cumbersome to use. As a result, the mandate to use PIV systems has pushed for new means to extend into mobile devices to enforce the same security policies as on desktop and laptop computers.

The NCCoE identified an architecture that use common mobile device families to demonstrate the use of Derived PIV Credentials in a manner that meets security policies. This example implementation is documented as a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system using standards-based cybersecurity technology. This practice guide helps organizations to meet authentication standards and provide users access to the information they need using the devices the want without having to purchase expensive and cumbersome external smart card readers. Users of mobile devices are authenticated using secure cryptographic authentication exchanges using a public key infrastructure (PKI) with credentials derived from a PIV card ensuring that strict security policies are met.

Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity.

Abstract

Keywords

cybersecurity; derived PIV credentials; enterprise mobility management (EMM); identity; mobile device; mobile threat; (multifactor) authentication; network/software vulnerability; Personal Identity Verification; PIV card; smart card
Control Families

None selected