NIST SP 800-157 Rev. 1 (Initial Public Draft)

Guidelines for Derived Personal Identity Verification (PIV) Credentials

Date Published: January 10, 2023
Comments Due: April 21, 2023 (public comment period is CLOSED)
Email Questions to: piv_comments@nist.gov

Planning Note (03/17/2023): The public comment period has been extended to April 21, 2023 (from March 24, 2023).

Author(s)

Hildegard Ferraiolo (NIST), Andrew Regenscheid (NIST), James Fenton (Altmode Networks)

Announcement

Summary

This publication complements FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors. The draft guidelines in SP 800-157r1 detail the issuance and maintenance of authenticators used as derived PIV credentials.

Submit public comments by 11:59 PM ET on April 21, 2023 to piv_comments@nist.gov. We encourage you to use this comment template.

See the Note to Reviewers below for specific topics about which NIST is seeking your feedback. NIST will review all comments and make them available on this website.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Note to Reviewers

Draft NIST SP 800-157r1, Guidelines for Derived Personal Identity Verification (PIV) Credentials, expands the use of derived PIV credentials beyond mobile devices to include non-PKI-based phishing-resistant multi-factor credentials. The draft details the expanded set of derived PIV credentials in a variety of form factors and authenticator types as envisioned in OMB Memoranda M-19-22 and M-22-09, and subsequently outlined in FIPS 201-3. The cross-domain and interagency use of these credentials is provided by federation protocols outlined in the initial public draft of SP 800-217, Guidelines for PIV Federation. Both documents are closely aligned with draft release SP 800-63-4, Digital Identity Guidelines. NIST hopes that the draft document enables a close alignment with new and emerging digital authentication and federation technologies employed in the federal government, while maintaining a strong security posture.

NIST is specifically interested in comments on and recommendations for the following topics:

  1. Are the new controls for issuance, use, maintenance, and termination of non-PKI-based derived PIV credentials clear and practical to implement?
  2. Are phishing-resistant authenticators available to meet agency use cases as well as the requirements for derived PIV authentication?
  3. Are the new controls sufficient to provide comparable assurance to PIV Cards and other derived PIV credentials?

Abstract

Keywords

authentication; credentials; derived PIV credentials; electronic authentication; electronic credentials; mobile devices; personal identity verification; PIV

Control Families

Identification and Authentication