Date Published: December 13, 2023
Comments Due:
Email Questions to:
Author(s)
Hildegard Ferraiolo (NIST), Andrew Regenscheid (NIST), Sarbari Gupta (Electrosoft Services), Nabil Ghadiali (Electrosoft Services)
Announcement
NIST SP 800-79r3 ipd, Guidelines for the Authorization of PIV Card and Derived PIV Credential Issuers, expands the set of issuer controls to include new and updated requirements from FIPS 201-3, its supporting updated publications (e.g., SP 800-157r1, SP 800-76r2, etc.) and newly-issued OMB Memoranda aimed at achieving compliance with federal requirements with regard to identity proofing and the issuance of a common and reliable form of a primary and derived identity credential.
NIST is specifically interested in comments on and recommendations for the following topics:
- Are the new and updated controls for identity proofing and the issuance and maintenance of PIV Cards and derived PIV credentials clear and practical to implement?
- Is it easy to determine where the updated controls need to be implemented (i.e., at the enterprise level, issuing facility level, or both)?
- Are the new controls for derived PIV credentials sufficient to provide comparable assurance for PIV Cards?
NIST requests that all comments be submitted by 11:59 p.m. Eastern Standard Time (EST) on January 29, 2024. Please submit comments to piv_comments@nist.gov. NIST will review all comments and make them available on CSRC. Commenters are encouraged to use this comment template.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
The document provides appropriate and useful guidelines for assessing the reliability of issuers of PIV Cards and derived PIV credentials. These issuers store personal information and issue credentials based on OMB policies and the standards published in response to HSPD-12. The reliability of an issuer is of utmost importance when an organization (e.g., a federal agency) is required to trust identity credentials that were created and issued by another organization. This trust relies on having the necessary level of assurance that the reliability of the issuing organization has been established through a formal authorization process.
The document provides appropriate and useful guidelines for assessing the reliability of issuers of PIV Cards and derived PIV credentials. These issuers store personal information and issue credentials based on OMB policies and the standards published in response to HSPD-12. The reliability of an...
See full abstract
The document provides appropriate and useful guidelines for assessing the reliability of issuers of PIV Cards and derived PIV credentials. These issuers store personal information and issue credentials based on OMB policies and the standards published in response to HSPD-12. The reliability of an issuer is of utmost importance when an organization (e.g., a federal agency) is required to trust identity credentials that were created and issued by another organization. This trust relies on having the necessary level of assurance that the reliability of the issuing organization has been established through a formal authorization process.
Hide full abstract
Keywords
assessment; authorization; compliance; derived PIV credentials; HSPD-12; issuer controls; personal identity verification; PIV Card
Control Families
None selected
