Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 1800-12 (2nd Public Draft)

Derived Personal Identity Verification (PIV) Credentials

Date Published: August 2018
Comments Due: October 1, 2018 (public comment period is CLOSED)
Email Questions to:


William Newhouse (NIST), Michael Bartock (NIST), Jeffrey Cichonski (NIST), Hildegard Ferraiolo (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE), Spike Dog (MITRE), Susan Prince (MITRE), Julian Sexton (MITRE)


This latest draft incorporates comments on the previous draft NIST Cybersecurity Practice Guide and expands the scope to include issuing Derived PIV Credentials (DPC) to manage mobile devices using Identity, Credentials, and Access Management (ICAM) shared services. The Federal Government utilizes PIV cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems. PIV cards require the use of a smart card reader that is typically integrated in desktop and laptop computers. Increasingly, users are performing their work on mobile devices, such as cell phones and tablets, which lack smart card readers needed to authenticate users. External readers are available, but they are an additional cost and cumbersome to use. As a result, the mandate to use PIV systems has pushed for new means to extend into mobile devices to enforce the same security policies as on desktop and laptop computers.

The NCCoE identified an architecture that use common mobile device families to demonstrate the use of Derived PIV Credentials in a manner that meets security policies. This example implementation is documented as a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system using standards-based cybersecurity technology. This practice guide helps organizations to meet authentication standards and provide users access to the information they need using the devices the want without having to purchase expensive and cumbersome external smart card readers. Users of mobile devices are authenticated using secure cryptographic authentication exchanges using a public key infrastructure (PKI) with credentials derived from a PIV card ensuring that strict security policies are met.

Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity.



enterprise mobility management (EMM); identity; mobile ; mobile threat; (multifactor) authentication; network/software vulnerability; Personal Identity Verification (PIV); PIV card; device; smart card; derived PIV credential (DPC); cybersecurity
Control Families

None selected


Second Draft SP 1800-12

Supplemental Material:
None available

Related NIST Publications:
SP 800-63-3
IR 8055
IR 8144 (Draft)

Document History:
09/29/17: SP 1800-12 (Draft)
08/02/18: SP 1800-12 (Draft)
08/27/19: SP 1800-12 (Final)