Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

SP 800-116 Rev. 1 (DRAFT)

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

Date Published: December 2015
Comments Due: March 1, 2016 (public comment period is CLOSED)
Email Questions to: piv_comments@nist.gov

Withdrawn: June 29, 2018

Author(s)

Hildegard Ferraiolo (NIST), David Cooper (NIST), Nabil Ghadiali (National Gallery of Art), Jason Mohler (Electrosoft Services), Vincent Johnson (Electrosoft Services), Steven Brady (Electrosoft Services)

Announcement

NIST announces the release of Draft Special Publication (SP) 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), and requests public comments. It provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document also recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to federal government facilities and assets.

Revision 1 updates SP 800-116 to align with FIPS 201-2. High-level changes include:

  • Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.
  • In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
    • Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms.
    • Addition of a new section (5.3.1) titled "Migrating Away from the Legacy CHUID Authentication Mechanism" to aid in the transition away from the CHUID + VIS authentication mechanism.
    • In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks.
    • Addition of a new appendix titled "Improving Authentication Transaction Times" to aid transiting away from the weak CHUID authentication mechanism to stronger but computationally expensive cryptographic one-factor authentication (PKI-CAK).
  • Addition of a new section (5.4) titled "PIV Identifiers" and a summary table with pro and cons to describe the identifiers available on the PIV Card that can map to a PACS's access control list.
  • In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice's "Vulnerability Assessment Report of Federal Facilities" document with the ISC's document titled "Risk Management Process for Federal Facilities" to aid deriving the security requirement for facilities.

Abstract

Keywords

e-authentication; identity assurance level; identity credential; issuance; PACS; PIV authentication mechanisms; PIV cards; PKI; credential; validation
Control Families

Access Control; Identification and Authentication; Personnel Security; Physical and Environmental Protection; Planning;