U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

White Paper (Draft)

Best Practices for Privileged User PIV Authentication

Date Published: February 5, 2016
Comments Due: March 4, 2016 (public comment period is CLOSED)
Email Questions to: csip-pivforprivilege @nist.gov


Computer Security Division, Applied Cybersecurity Division,


This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requiring Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user and provides best practices for agencies to implementing PIV authentication for privileged users.



authentication; Cybersecurity Strategy and Implementation Plan (CSIP); Derived PIV ; Credential; identification; multi-factor authentication; Personal Identity Verification (PIV); PIV ; Card; privileged access; privileged user
Control Families

Access Control; Identification and Authentication; System and Communications Protection


Draft White Paper

Supplemental Material:
None available

Document History:
02/05/16: White Paper (Draft)
04/21/16: White Paper NIST CSWP 4 (Final)