
NIST SP 800-217 (Initial Public Draft)

Guidelines for Personal Identity Verification (PIV) Federation

Date Published: January 10, 2023
Comments Due: April 21, 2023 (public comment period is CLOSED)
Email Questions to: piv_comments@nist.gov

Planning Note (03/17/2023): The public comment period has been extended to April 21, 2023 (from March 24, 2023).

Author(s)

Hildegard Ferraiolo (NIST), Andrew Regenscheid (NIST), Justin Richer (Bespoke Engineering)

Announcement

Summary

This publication complements FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors. The draft guidelines in SP 800-217 provide technical requirements on the use of federated PIV identity and the use of assertions to implement PIV federations backed by PIV identity accounts and PIV credentials.

Submit public comments by 11:59 PM ET on April 21, 2023 (extended from March 24, 2023) to piv_comments@nist.gov. We encourage you to use this comment template.

See the Note to Reviewers below for specific topics about which NIST is seeking your feedback. NIST will review all comments and make them available on this website.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Note to Reviewers

The family of PIV credentials includes a variety of form factors and authenticator types – as envisioned in OMB Memoranda M-19-22 and M-22-09 and subsequently outlined in FIPS 201-3. The cross-domain and interagency use of these credentials is provided by the federation protocols outlined in this public draft, SP 800-217 Guidelines for PIV Federation. The companion document, SP 800-157r1 Guidelines for Derived PIV Credentials, details the authenticators themselves. Both documents are closely aligned with the draft release of SP 800-63-4 Digital Identity Guidelines. NIST hopes that the draft document enables close alignment with new and emerging digital identity and federation technologies employed in the federal government, while maintaining a strong security posture.

NIST is specifically interested in comments on and recommendations for the following topics:

Home Agency Attributes
  • Are additional attributes needed in the guidelines to achieve interagency or cross-domain interoperability?
  • Are additional attributes required for RP provisioning and access?
PIV Federation
  • Are additional process steps or mechanisms needed for the connection and communication between the home IdP and the PIV identity account?
  • Do the required parameters for establishing trust agreements fit the use cases for PIV RPs?
  • Are the required identity attributes sufficient for PIV use cases?
  • Are the federated subject identifier requirements sufficient for PIV use cases?
  • Is it clear how to apply the binding ceremony for RP-managed bound authenticators at FAL3 to PIV and non-PIV authenticators?

Abstract

Keywords

assertions; authentication; credential service provider; digital authentication; electronic authentication; electronic credentials; federations; PIV credentials; PIV federation; identity providers; relying parties

Control Families

Identification and Authentication

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-217.ipd

Supplemental Material:
Comment template (xlsx)
Virtual workshop (Feb. 1, 2023)

Related NIST Publications:
SP 800-157 Rev. 1 (Draft)

Document History:
01/10/23: SP 800-217 (Draft)