
PIV News Archives

This page contains archived news items. These items are no longer updated and serve a historical purpose.

For current news items, please visit the Announcements section of the PIV website within CSRC.

POSTED October 22, 2009: Release of Partial CSP Version 1.3 Software

NIST is pleased to announce the release of a reference implementation of Partial CSP Version 1.3, a Cryptographic Service Provider for Windows Logon. This existing PIV demonstration software is updated to decompress zipped certificates that are available on production PIV Cards. With this update, the CSP can be used to demonstrate Windows XP Logon with production PIV Cards. Note that this CSP does NOT implement all functions required of a production CSP. Please use the accompanying documentation to install the CSP and configure the Windows XP operating system.


POSTED October 6, 2009: NIST Draft Special Publication 800-78-2 Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV) has been Released

NIST is pleased to announce the release of Draft Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in draft SP 800-78-1:
 
  • The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in Draft SP800-78-2 as a key agreement scheme for the PIV card.
  • The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, draft SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
  • For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Book (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in draft SP 800-78-1.

The changes are incorporated in the document as well as in a track-change version. Comments should be submitted to piv_comments@nist.gov with "Comments on SP800-78-2" in the subject line using the Comments Template Form (Excel Spreadsheet). The comment period closes at 5:00 EST on November 12, 2009.

POSTED September 11, 2009: NIST Draft Special Publication SP 800-85B-1 PIV Data Model Conformance Test Guidelines


NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Parts 1 and to update tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 24, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

POSTED August 14, 2009: The National Institute of Standards and Technology (NIST) is pleased to announce the release of NIST Interagency Report 7611, Use of ISO/IEC 24727 -- Service Access Layer Interface for Identity (SALII): support for development and use of interoperable identity credentials

The Interagency Report details properties and capabilities of ISO/IEC 24727 to achieve identity credential interoperability -- enabling client-applications to access identity credentials from different issuers. Specifically, the document explores this new standard by discussing existing Federal identity credentials, such as PIV, and the PIV application demonstrations developed by NIST. The capabilities of ISO/IEC 24727 are illustrated through a proof-of-concept scenario where the PIV Card interacts with applications (Windows Logon, Linux Logon, Email Signing and Encryption) through the ISO/IEC 24727 framework thus achieving credential independence from client-application.

The document provides a high-level discussion and strives to minimize technical details. An additional publication elaborating the technical discussion, including an ISO/IEC 24727 reference implementation, will be provided after the proof-of-concept implementation.


POSTED August 13, 2009: NIST Releases Draft Special Publication 800-73-3, Interfaces for Personal Identity Verification

NIST announces that Draft Special Publication (SP) 800-73-3, Interfaces for Personal Identity Verification, has been released for public comment. Draft SP 800-73-3 introduces new, optional features including:

(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;

(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-1; and

(3) provisions for Non-Federal Issuer (NFI) credentials. Draft SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.

Except for minor editorial changes, all changes can be reviewed with the track-change version of Draft SP 800-73-3. (link provided above)

NIST requests comments on draft SP 800-73-3 by 5:00pm EDT on September 13, 2009. Please submit your comments, using the comment template form to PIV_comments@nist.gov with "Comments on Public Draft SP 800-73-3" in the subject line.


POSTED April 3, 2009: NIST Special Publication 800-85A-1 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 Compliance)

NIST is pleased to announce the release of SP800-85A-1 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and the PIV Middleware interfaces for conformance to specifications in SP 800-73-2 (Interfaces for Personal Identity Verification). The document is a revision of the earlier version (March 2006), which reflected TA and DTR from the superseded SP 800-73-1, 2006 Edition. The new SP 800-85A-1 is based on TA and DTRs from SP 800-73-2 (September 2008 Edition) and includes the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface as well as the PIV Middleware through specifications SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here.


POSTED February 6, 2009: NIST Draft Special Publication SP 800-85A-1 "PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 compliance)"

NIST has a revised version of NIST Special Publication SP 800-85A “PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance)”. The revised document is titled Draft SP800-85A-1 “PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 compliance)” and is posted on the Computer Security Resource Center Web site (www.csrc.nist.gov). The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface as well as the PIV Middleware through specifications SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-1. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVtesting@NIST.gov with "Comments on Public Draft SP 800-85A-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on February 28, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


POSTED November 21, 2008: NIST Releases Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems.

The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This publication provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. Specifically, this document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal government facilities and assets. This document also proposes a PIV implementation maturity model to measure the progress of agencies' PIV implementations.


POSTED September 24, 2008: Special Publication 800-73-2, Interfaces for Personal Identity Verification

NIST is pleased to announce the release of NIST Special Publication 800-73-2, Interfaces for Personal Identity Verification. Special Publication 800-73-2 (SP 800-73-2) specifies the PIV data model, command interface, client application programming interface and references to transitional interface specifications. The four parts that comprise SP 800-73-2 supersede the single document SP 800-73-1, published in April 2006. Comments received for first and second public draft of SP 800-73-2 have been addressed as are the errata items in SP 800-73-1. The high-level technical changes in SP 800-73-2 are summarized here. The Special Publication 800-73-2 document can be found by going to the Special Publications page.


POSTED September 10, 2008: 2nd DRAFT Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

The National Institute of Standards and Technology (NIST) is pleased to announce a 2nd draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. Major changes in this draft include selection of outcome-based PIV authentication mechanisms and addition of PACS conformance best practice guideline. Federal agencies and private organizations as well as individuals are invited to review the 2nd draft document and submit comments using the comment template form (Excel spreadsheet) provided on the website.

Comments should be submitted to PIV_comments@nist.gov with "Comments on Public 2nd Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on September 24, 2008.


POSTED June 30, 2008: NIST Releases Special Publication 800-79-1

NIST is pleased to announce Special Publication 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers. This is a substantial improvement over SP 800-79 that takes into account: (a) the emergent business models (in-house, leased, shared, etc.) for Personal Identity Card Issuers (PCI), (b) lessons learnt in past accreditations and (c) the directives in OMB memorandums. The most significant change is the replacement of “Attributes” with an objective set of PCI controls and an assessment and accreditation methodology that assesses the capability and reliability of a PCI based on these controls. Specifically, the accreditation methodology consists of the following steps: (a) derivation of PCI controls based on requirements in FIPS 201-1 and supporting documents, OMB Memorandums, etc.; (b) providing a context for PCI controls by identifying a set of hierarchical concepts such as PCI Accreditation Topics and PCI Accreditation Focus Areas; (c) development of assessment methods appropriate for each PCI control that will assess conformance to those underlying requirements; and (d) guidance for evaluating the results of assessments in order to arrive at an accreditation decision.


POSTED May 22, 2008: PIV Demonstration Software for Logical Access Applications

NIST is pleased to announce the release of reference implementations of a PIV Crypto Service Provider (CSP) and a Public Key Cryptography Standards #11 (PKCS #11) module. These two modules, along with the PIV middleware, can be used by a client-application to access identity credentials on a PIV Card application. The CSP is developed to demonstrate Windows XP Logon with PIV Cards. Note that this CSP does NOT implement all functions required of a production CSP. Please use the accompanying documentation to install the CSP and configure the Windows XP operating system. The PKCS #11 module has been developed to operate in a Fedora Core 5 environment and it implements functions needed to perform Linux Logon, S/MIME and SSL authentication. The module is designed to access identity credentials on a PIV card application. Please use the accompanying documentation to install the PKCS #11 module and configure the Linux OS, Firefox, and Thunderbird applications.

POSTED May 9, 2008: Presentations from the PIV Physical Access Control (PAC) Workshop

The presentations from the May 1, 2008 PAC Workshop are now available.


POSTED April 30, 2008: Special Publication 800-87 Revision 1 Released

NIST is pleased to announce Special Publication 800-87 (SP 800-87) Codes for the Identification of Federal and Federally-Assisted Organizations, Revision 1 - 2008. SP 800-87 Revision 1 - 2008 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID). Appendix A of SP 800-87 Revision 1 - 2008 lists the agency code updates incorporated in this revision.


POSTED April 8, 2008: PIV PACS Integration Workshop Announcement:

The National Institute of Standards and Technology (NIST) will hold a public Personal Identity Verification (PIV) Physical Access Control Systems (PACS) Integration workshop on Thursday, May 1, 2008 at the NIST campus in Gaithersburg, MD from 9:30am to 3:30pm. The purpose of the workshop is the exchange of information among the PACS implementers, Federal agencies, and NIST. NIST will provide a briefing on SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), followed by a question and answer session. NIST will facilitate 10 minute individual presentations through which interested individuals may present observations to the group. All material presented will be made public. Individuals desiring to present their observations must contact Ketan Mehta (mehta_ketan@nist.gov) via email and provide an abstract and PowerPoint slides in advance. Workshop registration is required to gain entry to the NIST facilities. Please visit http://www.nist.gov/public_affairs/confpage/conflist.htm to register. The cost of registration is $50. Registration closes on April 28, 2008.


POSTED April 2, 2008: Draft Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems

The National Institute of Standards and Technology (NIST) is pleased to announce a draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. This draft includes recommendations for increasing the use of asymmetric key architecture and credential validation. Federal agencies and private organizations as well as individuals are invited to review the draft document and submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on May 12, 2008.


POSTED March 21, 2008: Comment Period for SP 800-73-2 has been EXTENDED

The public comment period for Draft SP 800-73-2 has been extended. Public comments are now due by April 18th 2008, 5:00 pm EST.


POSTED March 18, 2008: Track Changes Now Available for Draft Special Publication 800-73-2 (Parts 1-3)

The following documents contain the tracked changes from the first to second draft SP800-73-2. Editorial and formatting changes are not tracked. Out of the 4 parts for this document, ONLY Part 4 had NO changes made to it. Please go to the Drafts page to view Part 1, Part 2, and Part 3 track changes.


POSTED March 7, 2008: Second Draft of Special Publication 800-73-2, Interfaces for Personal Identity Verification

NIST has posted a second draft of SP 800-73-2 for public comments. This draft incorporates some comments and suggestions that were received after the first public comment period had closed (see 3). The changes since the first draft include: 1) relaxation of the Global PIN security status limitations, 2) incorporation of an optional Global and PIV PIN discovery object, 3) addition of a discovery object for the PIV card application, 4) elimination of the previously proposed optional U-CHUID data object, and 5) resolutions of the first draft public comments. Please go to the DRAFTS page to view the Second Public Draft and to learn more about this draft and where to forward comments. A comment template form is also provided. The comment period closes on April 4th 2008.


POSTED February 22, 2008: DRAFT Special Publication 800-79-1

NIST has drafted a new version of the document “Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations (SP 800-79).” The revised document is titled “Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI’s)”. This document, after a review and comment period, will be published as NIST SP 800-79-1. Federal agencies and private organizations as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVaccreditation@nist.gov before March 30, 2008. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. To learn more about this draft document, please visit the DRAFT PUBLICATIONS page for more details.


POSTED November 30, 2007: NIST Interagency Report 7452: Secure Biometric Match-on-Card Feasibility Report (NIST IR 7452)

NIST is pleased to announce the release of NIST Interagency Report 7452, Secure Biometric Match-on-Card Feasibility Report. NIST conducted the feasibility study to understand the effects of combining asymmetric cryptography with Biometric Match-on-Card. The report describes the tests that were conducted to obtain timing metrics for the SBMOC transaction and provides a summary of the test results.


POSTED October 4, 2007: Draft Special Publication 800-73-2, Interfaces for Personal Identity Verification

NIST Special Publication 800-73-2, Interfaces for Personal Identity Verification, is now available for a 30 day public comment period. When published in final form, the four parts that comprise SP 800-73-2 will supersede the single-part SP 800-73-1, published in April 2006. The changes include 1) incorporation of separately published errata, 2) modifications required by SP 800-78-1, 3) explanation of a cryptographic algorithm and key size discovery procedure, 4) introduction of an optional Unsigned CHUID data object, and 5) addition of a Card Authentication Key-based use case. Other editorial improvements have been made to the document. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-73-2" in the subject line. The comment period closes at 5:00 EST (US and Canada) on November 4, 2007.

SP 800-73-2 Zipped File -- contains 4 PDF files for Parts 1 -- 4
Comments-form-on-NIST_SP800-73-2.xls (26 KB)
or if you want to download each Part separately, please visit the Drafts page.


POSTED August 30, 2007: Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

NIST announced the release of Special Publication 800-78-1, Cryptographic Algorithms and Key Interfaces for Personal Identity Verification on August 2nd, 2007. NIST has added a clarification regarding the effective date of this document. Please see Section 1.4 of the document on the Standards and Supporting Documents page for the clarification.


POSTED August 2, 2007: Cryptographic Algorithms and Key Sizes for Personal Identity Verification

NIST is pleased to announce the release of Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been modified to enhance interoperability, simplify the development of relying party applications, and enhance alignment with the National Security Agency's Suite B Cryptography. In addition, a new cryptographic migration timeline has been developed based on advances in cryptanalysis of algorithms as well as operational deployment considerations.


POSTED July 27, 2007: PIV Data Generator and PIV Data Loader

NIST is pleased to announce the release of an improved version of the PIV Data Generator. The Data Generator is intended as a reference implementation that facilitates creation of PIV test data objects. The data generator can be used to generate PIV test data that is conformant to the data requirements set forth in FIPS 201, SP 800-73, SP 800-76, and SP 800-78. Developers and integrators are welcome to use the reference utility and its generated data objects in test environments. The data generator has been enhanced to allow dynamic data production, include test data assertion, and be conformant to the PIV Data Model Tester. The Data Loader utility can be used to load the test data onto PIV conformant cards. These reference implementation aids are available at the Downloadable PIV Software page.


POSTED June 29, 2007:

NIST is pleased to announce the publication of Special Publication 800-104, A Scheme for PIV Visual Card Topography. This document provides additional recommendations on the Personal Identity Verification (PIV) Card color-coding for designating employee affiliation. This document is intended to refine FIPS 201 to enable reliable visual verification of the PIV Card.


POSTED June 29, 2007: PIV Reference Implementation

NIST is pleased to announce the release of a reference implementation of SP 800-73-1. The reference implementation includes a software simulation of a PIV card and an implementation of the End-Point Client Application Programming Interface. NIST has also developed mandatory functions of a PIV Card application on a Basic Card. The source code and binaries for both are available at the Downloadable PIV Software page.


POSTED June 19, 2007: Feasibility Study of Secure Biometric Match-On-Card: Invitation to Participate

The National Institute of Standards and Technology (NIST) will conduct a feasibility study of Secure Biometric Match-On-Card (SBMOC) technology, and invites providers of such technology to submit devices to be tested. The goal of the feasibility study is to determine if the state-of-the-practice in smart card products and biometrics technology has advanced to enable a new mode of operation. To implement this mode, certain functional and security properties must be achieved by the SBMOC technology while meeting performance requirements for a biometric authentication transaction. Complete technical requirements are presented in the Test Approach document.

Submission providers should complete and transmit the Intention to Participate form to NIST by 20 Jul 2007. Providers may transmit a submission package to NIST, as described in the Materials Transfer Agreement, at any time before 20 Aug 2007.

On completion of the tests, NIST will publish a report indicating the number of successful submissions tested, and certain general qualities of the submissions stated in the Test Approach.


POSTED May 24, 2007:

The presentation from the Secure Biometrics Match-on-Card Workshop has been posted.

**Please visit the PIV-Program archived news page for past announcements regarding this project.

Posted May 14, 2007:
Secure Biometric Match-on-Card (sBMOC) Workshop

 
The National Institute of Standards and Technology (NIST) will host a public workshop on goals, status, and plans for a secure Biometric Match-on-Card (sBMOC) technical feasibility study. The study will test the accuracy and performance of state-of-the-practice Match-on-Card implementations on smart card platforms similar to PIV Cards. Our goal is to develop one or more demonstrations of Match-on-Card biometric authentication meeting specific accuracy and functional requirements, using a secure protocol suited to contactless communication, and with total smart card transaction time below 2.5 seconds. Technical details of the project are included in the Test Plan for sBMOC. The workshop will also address the MINEX II protocol for evaluation of ISO/IEC 19794-2 compact card templates and MOC accuracy. The workshop will be held on Thursday, May 24, 2007 from 9:00 a.m. to 5:00 p.m. at NIST. Attendees are welcome to buy lunch, coffee, and snacks in the NIST cafeteria near the meeting room.

Please click here to register on-line. The registration closes at 5pm on Tuesday, May 22, 2007. Media interested in attending the event or media questions regarding the workshop should be directed to NIST Public and Business Affairs, Gail Porter, at 301-975-3392.

The preliminary agenda for the workshop is as follows:

8:30 - 9:00 Registration
 
9:00 - 12:00 Goals, Schedule, and Deliverables
Business Process
Performance Test Review
Security Analysis Review
Follow-on Activities
 
1:15-4:30 MINEX II Biometric Testing Overview
Business Process
Profile of ISO/IEC 19794-2 compact card
MOC Interface Specification
API Specification
General Q&A

Posted February 1, 2007:
The PIV Data Model (SP 800-85B) Tester is now available. Click link to download installation guide (MS Word) and the tester software (.zip).


Posted January 29, 2007:
Draft Special Publication 800-104, A Scheme for PIV Visual Card Topography


*No Longer Draft Publication

NIST Special Publication 800-104, A Scheme for PIV Visual Card Topography, is now available for a 30 day public comment period. This document provides additional recommendations on the Personal Identity Verification (PIV) Card color-coding for designating employee affiliation. This document is intended to refine FIPS 201 to enable reliable visual verification of the PIV Card. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-104" in the subject line. The comment period closes at 5:00 PM EST (US and Canada) on February 28, 2007.


Posted January 25, 2007:
Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification

NIST is pleased to announce the release of NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification. This document is a revision of the earlier version of February 2006. The changes include incorporation of the published errata document and public comments, clarification on performance testing and certification procedures, and caution regarding fingerprint minutiae generation. Additional typographical fixes and aesthetic changes have been incorporated in this document.


Posted September 14, 2006:
Draft Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification

(See January 25, 2007 announcement above.)

NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, is now available for a three week public comment period. This document is a revision of the earlier version of February 1, 2006. The changes include incorporation of the published errata document, clarification on performance testing and certification procedures, and caution regarding fingerprint minutiae generation. Additional typographical fixes and aesthetic changes have been incorporated in this document. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-76-1" in the subject line. The comment period closes at 5:00 EST (US and Canada) on October 5th, 2006.

*Please note: 800-76-1 is no longer a draft Publication.


Posted September 11, 2006:
NIST Announces Publication of PIV Card to Reader Interoperability Guidelines (SP800-96)

NIST is pleased to announce the release of NIST Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. This document provides requirements for PIV card readers in the area of performance and communications characteristics to foster interoperability. Requirements for the contact and contactless card readers for both physical and logical access control systems are provided in this document. The requirements are for the PIV readers designed to read end-point cards.


Posted August 28, 2006:
NIST Interagency Report 7337: Personal Identity Verification Demonstration Summary.
NIST is pleased to announce the release of NIST Interagency Report 7337, Personal Identity Verification Demonstration Summary. The report summarizes the demonstration of commercially available products that support FIPS 201 and the accompanying special publications.


Posted July 28, 2006:
Second Draft Special Publication 800-96, PIV Card / Reader Interoperability Guidelines

NIST is pleased to announce the release of Draft Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. SP 800-96 is available for a two week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well as readers for physical access. Comments should be submitted to PIV_comments@nist.gov with "Comments on SP800-96" in the subject line using the Comments Template Form. The comment period closes at 5:00 EST on Friday, August 11th, 2006.

Posted July 27, 2006:
Final Special Publication 800-85B, PIV Data Model Conformance Test Guidelines

NIST is pleased to announce the release of NIST SP 800-85B, PIV Data Model Conformance Test Guidelines. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules, PIV card issuers, and entities performing conformance tests.

Posted July 3, 2006:
Draft Special Publication 800-78-1, Cryptographic Standards and Key Sizes for Personal Identity Verification
Adobe PDF (250 KB)
Comment Template Form (Excel Spreadsheet)

NIST is pleased to announce the release of Draft Special Publication 800-78-1, Cryptographic Standards and Key Sizes for Personal Identity Verification. SP 800-78-1 is available for a 90-day public comment period. The document has been modified to enhance interoperability, simplify the development of relying party applications, and enhance alignment with the National Security Agency's Suite B Cryptography. Suite B Cryptography reduces the set of elliptic curves approved for use with PIV cards and the supporting infrastructure from six curves to two. The changes are incorporated in the document as well as listed in Appendix C, Errata. Comments should be submitted to piv_comments@nist.gov with "Comments on SP800-78-1" in the subject line using the Comments Template Form (Excel Spreadsheet). The comment period closes at 5:00 EST on October 2nd, 2006.

Posted June 26, 2006:
NIST Announces Publication of FIPS 201-1, Change Notice 1
PDF file (1.04 MB)

NIST is pleased to announce the release of NIST FIPS 201-1 Change Notice 1, Personal Identity Verification (PIV) of Federal Employees and Contractors. This change notice clarifies requirements for printing Agency Card Serial Number on the back of the PIV card. Specifically, the requirement allows variable placement of Agency Card Serial Number along the outer edge of the back of the PIV Card. The change notice also provides corrections to the ASN.1 encoding of the NACI indicator.

Posted May 25, 2006:
Draft Special Publication 800-85B, PIV Data Model Conformance Test Guidelines
Adobe PDF (500 KB)

NIST Special Publication 800-85B, PIV Data Model Conformance Test Guidelines, is now available for a four week public comment period. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules and entities issuing PIV cards. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-85B" in the subject line using the Comments Template Form. The comment period closes at 5:00 EST on June 22, 2006.

Posted May 24, 2006:
The PIV Program is pleased to announce that Bill MacGregor will replace Curt Barker as NIST's Personal Identity Verification Program Manager effective immediately. Curt is being reassigned to another position within the NIST Information Technology Laboratory's Computer Security Division. Bill has worked on the program for some time and is a welcome addition to our management team.

Posted May 23, 2006:
Draft Special Publication 800-96, PIV Card / Reader Interoperability Guidelines
Adobe PDF (138 KB)

NIST is pleased to announce the release of the Preliminary Draft of Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. SP 800-96 is available for a three-week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well as readers for physical access. Comments should be submitted to PIV_comments@nist.gov with "Comments on SP800-96" in the subject line using the Comments Template Form. The comment period closes at 5:00 EST on Tuesday, June 13th, 2006.

Posted May 2, 2006:
NIST has posted an Errata to SP 800-73-1 to effect corrections in the access control rules for PIV data model.

Posted April 27, 2006:
NIST is pleased to announce the schedule for the PIV Demonstration. Please click here for more information.

Posted April 21, 2006:
NIST has initiated the PIV Biometric Product Testing Resource Center to inform the biometric vendor community of existing product testing procedures.

Posted April 18, 2006:
NIST would like to elicit comments on the IAFIS IMAGE QUALITY SPECIFICATIONS FOR SINGLE FINGER CAPTURE DEVICES White Paper. The document provides specifications for the FBI's single finger scanner certification applicable to fingerprint capture devices which scan and capture at least a single fingerprint in digital, softcopy. The specifications are used by applications such as the Personal Identity Verification (PIV) Program. Please submit comments on the technical contents of the White Paper to Charles Wilson (NIST).

Posted April 17, 2006:
Sample PIV Data

In response to the request for sample PIV data, NIST has developed a software tool that generates PIV data consistent with FIPS 201. The data generator and sample data are now available for a two-week public comment period. The software generates mandatory and optional PIV data elements. Note that it does not include the optional fields within each data element, since they are unique to agency use. This software is intended for research purposes only, and is neither intended nor appropriate for production systems. Please submit comments, particularly with respect to the functionality and usability of this utility. Comments should be submitted to piv_webmaster@nist.gov with "Comments on Data Generator" in the subject line. The comment period closes at 5:00 EST on Friday, April 28th, 2006.

Posted April 5, 2006:
NIST is pleased to announce the release of NIST Special Publication 800-85A, PIV Card Application and Middleware Interface Test Guidelines (SP800-73 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and PIV Middleware interfaces for conformance to specifications in SP 800-73 (Interfaces for Personal Identity Verification). The Guidelines are to be used by the developers of software modules and testing laboratories. SP 800-85A is the first of the two documents (the other one is SP 800-85B to be released shortly) that will replace SP 800-85 released in October 2005.

Posted March 24, 2006:
NIST is pleased to announce the release of NIST Special Publication 800-73-1, Interfaces for Personal Identity Verification, 2006 Edition. Special Publication 800-73-1 specifies a PIV data model, communication interface, and application programming interface. This revision includes changes to the access control requirements for reading PIV public key certificates, storage of the biometric fingerprints in one container, incorporation of the Errata to date, and accommodation of public comments.

March 14, 2006 Federal Information Processing Standard 201 Revision 1 (FIPS 201-1), Personal Identity Verification (PIV) of Federal Employees and Contractors.
The National Institute of Standards and Technology (NIST) is pleased to announce the approval of a revision to Federal Information Processing Standard (FIPS) Publication 201, Standard for Personal Identity Verification of Federal Employees and Contractors. The revision makes changes to Section 2.2, PIV Identity Proofing and Registration Requirements, Section 4.3, Cryptographic Specifications, Section 5.2, PIV Identity Proofing and Registration Requirements, Section 5.3.1, PIV Card Issuance, Section 5.4.2.1 X.509 Certificate Content, and to Appendix D, PIV Object Identifiers and Certificate Extension. The revision also clarifies the identity proofing and registration process that departments and agencies must follow when issuing identity credentials. The changes are needed to make FIPS 201-1 consistent with the Memorandum for All Departments and Agencies (M-05-24), issued by the Office of Management and Budget on August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors.

March 10, 2006:
NIST received a strong response to its first PIV Demonstration announcement. Due to the continued interest NIST is receiving from vendors who did not make it into the first response period, NIST is re-opening the window for vendors to submit their interest in participation. NIST invites potential vendors to provide products that support FIPS 201 Part 2 to NIST for the express purpose of their inclusion in the PIV demonstration. For a limited number of days, NIST will make the demonstration open to all Federal agencies interested in FIPS 201 implementations. All interested vendors should contact Erika McCallister or Hildy Ferraiolo by April 10, 2006. Click here to view announcement.

March 3, 2006:
Presentations for the NPIVP workshop are available here.

February 13, 2006:
Draft Special Publication 800-73-1 Interfaces for Personal Identity Verification

NIST has received several comments that it is difficult to track the proposed changes to Special Publication 800-73. We have therefore replaced the original posting with a concise list of the proposed changes. These changes reference the current version of Special Publication 800-73. Pending public comment, NIST plans to make these changes and post an updated version 800-73-1.

February 8, 2006:
Draft Special Publication 800-73-1 Interfaces for Personal Identity Verification

NIST Special Publication 800-73-1, Interfaces for Personal Identity Verification, is now available for a three week public comment period. This document provides necessary changes to SP 800-73 for synchronization with biometric data requirements in SP 800-76 and to enhance the utility of the PIV card for logical access. Please submit comments using the comment template form (Excel spreadsheet - .xls) provided on the website. Comments should be submitted to DraftFips201 at nist.gov with "Comments on Public Draft SP 800-73-1" in the subject line. The comment period closes at 5:00 EST on Tuesday, February 28th, 2006.

February 3, 2006:
The NIST PIV Program (NPIVP) and the National Voluntary Laboratory Accreditation Program (NVLAP) will hold a public workshop on 03/03/2006 at NIST in Gaithersburg, MD. The purpose of the workshop is the exchange of information among NVLAP, laboratories interested in seeking accreditation for the testing of Personal Identity Verification (PIV) components, vendors interested in having their products NPIVP-certified, and federal agencies seeking NPIVP-certified products. For more details and to register, visit http://csrc.nist.gov/npivp.

February 1, 2006:
NIST is pleased to announce the release of NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. Special Publication 800-76 specifies technical acquisition and formatting requirements for the biometric credentials of Federal Information Processing Standard 201 (FIPS 201) conformant Personal Identity Verification (PIV) systems, including the PIV Card itself. Special Publication 800-76 enumerates required procedures and formats for fingerprints, fingerprint templates and facial images by appropriate instantiation of values and practices generically laid out in published biometric standards.

January 18, 2006:
NIST is pleased to announce the release of NIST Interagency Report 7284, Personal Identity Verification Card Management Report, which provides an overview of card management systems, identifies generic card management requirements, and considers some technical approaches to filling the existing gaps in PIV card management. The purpose of the report is to offer a higher level of consistency and testability for PIV card issuance processes, enhance the ability to outsource various card management components and functions, and improve overall security for the Federal PIV framework.

January 17, 2006:
NIST is pleased to announce the January 2006 edition of Special Publication 800-87 Codes for the Identification of Federal and Federally-Assisted Organizations. The January 2006 edition incorporates organizational code updates to the Department of Education.

January 10, 2006:
NIST is pleased to announce the Personal Identity Verification (PIV) Demonstration website. The purpose of the PIV demonstration is to provide proof of concept demonstrations of commercially available products that support Federal Information Processing Standard 201 (FIPS 201) Part 2. Additionally, the demonstrations will show the interoperability of PIV cards.

December 22, 2005:
NIST is pleased to announce the release of NIST Special Publication 800-21-1, the second edition of Guideline for Implementing Cryptography in the Federal Government. This revision updates and replaces the November 1999 edition of Guideline for Implementing Cryptography in the Federal Government. Many of the references and cryptographic techniques contained in the first edition of NIST SP 800-21 have been amended, rescinded, or superseded since its publication. The second edition also offers new tools and techniques.

Go to Special Publications page to view/download SP 800-21-1.

Posted December 15, 2005:
Draft NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification, is now available for a four week public comment period. This document specifies technical acquisition and formatting requirements for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates required procedures and formats for fingerprints, fingerprint templates and facial images by appropriate instantiation of values and practices generically laid out in published biometric standards. Please submit comments using the comment template form (Excel spreadsheet - .xls) provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-76" in the subject line. The comment period closes at 5:00 EST on Friday, January 13th, 2006.

Posted November 21, 2005:
The NIST Computer Security Division is pleased to introduce the NIST Personal Identity Verification Program (NPIVP)'s official website. NPIVP validates Personal Identity Verification (PIV) components and sub-systems required by Federal Information Processing Standard (FIPS) 201 that meet the NPIVP requirements. The official NPIVP website features the following services in support of NPIVP:

  • Up-to-date validation lists for PIV components/sub-systems
  • A list of NPIVP test facilities authorized to conduct FIPS 201 conformant components/sub-systems testing
  • Announcements of NPIVP news and updates, such as new conformance test suites.

The NPIVP official website is http://csrc.nist.gov/npivp.

Posted November 21, 2005:
NIST is pleased to announce the Personal Identity Verification (PIV) Demonstration. The purpose of the PIV demonstration is to provide proof of concept demonstrations of commercially available products that support Federal Information Processing Standard 201 (FIPS 201) Part 2. Additionally, the demonstrations will show the interoperability of NPIVP certified PIV cards and PIV middleware.

NIST invites potential vendors to provide products that support FIPS 201 Part 2 to NIST for the express purpose of their inclusion in the PIV demonstration. NIST will make the demonstrations open to all Federal agencies interested in FIPS 201 implementations. Participation requires vendors to execute a Cooperative Research and Development Agreement (CRADA) with NIST. All interested vendors should contact NIST by December 31, 2005, to participate. For further information, including participation criteria, please consult the PIV Demonstration Announcement.

Posted November 3, 2005:
Designation of new NIST Personal Identity Verification Program (NPIVP) Test Facilities - The National Institute of Standards and Technology (NIST) has designated Atlan Laboratories, atsec information security corporation, ICSA Labs, a division of Cybertrust, Inc, and LogicaCMG FIPS Laboratory as interim NIST Personal Identity Verification Program (NPIVP) test facilities. As such, these laboratories may employ NIST-provided test suites to validate Personal Identity Verification (PIV) components, sub-systems, and integrated systems required by Federal Information Processing Standard (FIPS) 201 that meet the NPIVP requirements. Additional information regarding the laboratories is available at http://csrc.nist.gov/cryptval/. These new laboratories join COACT Inc., CAFE Laboratory, InfoGard Laboratories, Inc., DOMUS IT Security Laboratory, BKP Security Labs, BT Cryptographic Module Testing Laboratory, CEAL: a CygnaCom Solutions Laboratory, and the EWA - Canada IT Security Evaluation & Test Facility as designated interim NPIVP test facilities. During the next year, these laboratories will be assessed for NVLAP accreditation for PIV testing. Once NVLAP accreditation is achieved, the "Interim" designation will be removed. Testing under the NPIVP has been authorized with a limited scope of tests based on FIPS 201. The scope of tests will be increased as the program matures.

October 20, 2005:
NIST is pleased to announce the release of Special Publication 800-87 (SP 800-87) Codes for the Identification of Federal and Federally-Assisted Organizations.

SP 800-87 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID) and is a companion document to FIPS 201.

Posted October 19, 2005:
The NIST Computer Security Division is pleased to announce publication of NIST Special Publication 800-85 (SP800-85), PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 Compliance). SP800-85 provides an approach for development of conformance tests for PIV middleware and PIV card application products. The approach includes Derived Test Requirements (DTR) and Test Assertions (TA). The DTRs and TAs are based on SP 800-73 Interfaces for Personal Identity Verification. The Guidelines are to be used by the developers of software modules and testing laboratories.

Posted October 06, 2005:
The Errata Sheet for Special Publication 800-73 and Special Publication 800-73 Supplemental Information: Namespace Management for Personal Identity Verification (PIV) Applications and Data Objects have been updated. Please go to the PIV Program Supporting Documents page to view/download the latest versions.

Posted September 02, 2005:
The National Institute of Standards and Technology proposes revisions to paragraphs 2.2 and 5.3.1 of Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. Before recommending these proposed changes to FIPS 201 to the Secretary of Commerce for review and approval, NIST invites comments from the public, users, the information technology industry, and Federal, State and local government organizations concerning the proposed changes. Comments on these proposed changes must be received by 30 days after publication of the Federal Register notice of the change proposal.
Draft Federal Information Processing Standard 201 Revision 1 (FIPS 201-1), Personal Identity Verification (PIV) of Federal Employees and Contractors.

Posted August 26, 2005:
The NIST Computer Security Division is pleased to announce publication of NIST Special Publication 800-57, Recommendation for Key Management - Part 2, Best Practices for Key Management Organization. The Recommendation for Key Management is divided into three parts. Part 1 contains general guidance. Part 2 provides guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Part 3 will provide guidance to system administrators regarding the use of cryptographic algorithms in specific applications, select products to satisfy specific operational environments, and configure the products appropriately.

Posted August 19, 2005:
Designation of new NIST Personal Identity Verification Program (NPIVP) Test Facilities - On August 16, 2005, the National Institute of Standards and Technology (NIST) designated CEAL: a CygnaCom Solutions Laboratory as an interim NIST Personal Identity Verification Program (NPIVP) test facility. On August 18, 2005, the National Institute of Standards and Technology (NIST) designated the EWA-Canada IT Security Evaluation & Test Facility as an interim NIST Personal Identity Verification Program (NPIVP) test facility. As such, CEAL and EWA may employ NIST-provided test suites to validate Personal Identity Verification (PIV) components, sub-systems, and integrated systems required by Federal Information Processing Standard (FIPS) 201 that meet the NPIVP requirements. Additional information regarding the laboratories is available at http://csrc.nist.gov/cryptval/. CEAL and EWA join COACT, Inc. CAFÉ Laboratory, InfoGard Laboratories, DOMUS IT Security Laboratory, BKP Security Labs, and BT Cryptographic Module Testing Laboratory as designated interim NPIVP test facilities. It is anticipated that other Cryptographic Module Validation Program (CMVP) facilities will be added to the list of NPIVP test facilities in the near future. During the next year, these laboratories will be assessed for NVLAP accreditation for PIV testing. Once NVLAP accreditation is achieved, the "Interim" designation will be removed. Testing under the NPIVP will begin with a limited scope of tests based on FIPS 201. The scope of tests will be increased as the program matures.

Posted August 19, 2005:
The NIST Computer Security Division is pleased to announce publication of NIST Special Publication 800-57, Recommendation for Key Management - Part 1, General. The Recommendation for Key Management is divided into three parts. Part 1 contains general guidance. Part 2 will provide guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Part 3 will provide guidance to system administrators regarding the use of cryptographic algorithms in specific applications, select products to satisfy specific operational environments, and configure the products appropriately.

Posted August 16, 2005:
Designation of new NIST Personal Identity Verification Program (NPIVP) Test Facilities - On August 15, 2005, the National Institute of Standards and Technology (NIST) designated COACT, Inc. CAFÉ Laboratory and InfoGard Laboratories, Inc. as interim NIST Personal Identity Verification Program (NPIVP) test facilities. As such, the COACT, Inc. CAFÉ Laboratory and InfoGard Laboratories, Inc. may employ NIST-provided test suites to validate Personal Identity Verification (PIV) components, sub-systems, and integrated systems required by Federal Information Processing Standard (FIPS) 201 that meet the NPIVP requirements. Additional information regarding the laboratories is available at http://csrc.nist.gov/cryptval/. COACT, Inc. CAFÉ Laboratory and InfoGard Laboratories, Inc. join DOMUS IT Security Laboratory, BKP Security Labs, and BT Cryptographic Module Testing Laboratory as designated interim NPIVP test facilities. It is anticipated that other Cryptographic Module Validation Program (CMVP) facilities will be added to the list of NPIVP test facilities in the near future. During the next year, these laboratories will be assessed for NVLAP accreditation for PIV testing. Once NVLAP accreditation is achieved, the "Interim" designation will be removed. Testing under the NPIVP will begin with a limited scope of tests based on FIPS 201. The scope of tests will be increased as the program matures.

Posted August 15, 2005:
On August 5, 2005, the Office of Management and Budget issued a Memorandum for the Heads of all Departments and Agencies, M-05-24, "Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors." The memorandum provides implementing instructions and time frames for the Presidential Directive and for FIPS 201, "Personal Identity Verification for Federal Employees and Contractors."

Also, on August 10, 2005, the General Services Administration issued a Memorandum for Chief Financial Officers, Chief Information Officers, and Chief Acquisition Officers, "Acquisition of Products and Services for Implementation of HSPD 12." The GSA memorandum specifies the procedures for ordering goods and services in compliance with the Presidential Directive.

Posted August 12, 2005:
Designation of new NIST Personal Identity Verification Program (NPIVP) Test Facility - On August 10, 2005, the National Institute of Standards and Technology (NIST) designated DOMUS IT Security Laboratory as an interim NIST Personal Identity Verification Program (NPIVP) test facility. As such, the DOMUS IT Security Laboratory may employ NIST-provided test suites to validate Personal Identity Verification (PIV) components, sub-systems, and integrated systems required by Federal Information Processing Standard (FIPS) 201 that meet the NPIVP requirements. Additional information regarding the laboratories is available at http://csrc.nist.gov/cryptval/. DOMUS IT Security Laboratory joins BKP Security Labs and BT Cryptographic Module Testing Laboratory as designated interim NPIVP test facilities. It is anticipated that other Cryptographic Module Validation Program (CMVP) facilities will be added to the list of NPIVP test facilities in the near future. During the next year, these laboratories will be assessed for NVLAP accreditation for PIV testing. Once NVLAP accreditation is achieved, the "Interim" designation will be removed. Testing under the NPIVP will begin with a limited scope of tests based on FIPS 201. The scope of tests will be increased as the program matures.

Posted August 9, 2005:
Draft NIST Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations
Adobe .pdf file (446 KB)

NIST Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations, is now available for a thirty-day public comment period. Special Publication 800-87 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder-Unique ID (CHUID). Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-87" in the subject line. The comment period closes at 5:00 EST (US and Canada) on September 8th, 2005.

Posted August 9, 2005:
Designation of NIST Personal Identity Verification Program (NPIVP) Test Facilities - On August 8, 2005, the National Institute of Standards and Technology (NIST) designated BKP Security Labs and BT Cryptographic Module Testing Laboratory as interim NIST Personal Identity Verification Program (NPIVP) test facilities. As such, the BKP Security Labs and BT Cryptographic Module Testing Laboratory may employ NIST-provided test suites to validate Personal Identity Verification (PIV) components, sub-systems, and integrated systems required by Federal Information Processing Standard (FIPS) 201 that meet the NPIVP requirements. Additional information regarding the laboratories is available at http://csrc.nist.gov/cryptval/. It is anticipated that other Cryptographic Module Validation Program (CMVP) facilities will be added to the list of NPIVP test facilities in the near future. During the next year, these laboratories will be assessed for NVLAP accreditation for PIV testing. Once NVLAP accreditation is achieved, the "Interim" designation will be removed. Testing under the NPIVP will begin with a limited scope of tests based on FIPS 201. The scope of tests will be increased as the program matures.

Posted August 5, 2005:
Draft NIST Special Publication 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines
NIST Special Publication 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 Compliance), is now available for a three week public comment period. These guidelines provide an approach for development of conformance tests for PIV middleware and PIV card application products. The approach includes Derived Test Requirements (DTR) and Test Assertions (TA). The DTRs and TAs are based on SP 800-73 Interfaces for Personal Identity Verification. The Guidelines are to be used by the developers of software modules and testing laboratories. Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-85" in the subject line. The comment period closes at 5:00 EST (US and Canada) on August 26th, 2005.

Posted July 26, 2005:
NIST Announces Publication of PIV Card Issuer (PCI) Accreditation Guidelines

The Computer Security Division, responsible for the development and support of the Federal Information Processing Standard (FIPS) 201 for Personal Identity Verification of Federal Employees and Contractors, has published NIST Special Publication (SP) 800-79 entitled Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations. These Guidelines describe an assessment model that includes conformance testing (e.g., PIV component validation), certification, and accreditation. Examples of PIV organization management structures, the attributes of PIV Card Issuers (PCIs) that are required and desired to demonstrate capability and reliability, the methods for assessing these attributes, and sample accreditation decision letters are included in the Guidelines. The Guidelines are to be used by Federal departments and agencies to accredit the capability and reliability of PCIs they use to perform identity proofing, PIV Card Applicant registration, and PIV Card issuing services. The Guidelines will be augmented as experience is gained by Federal departments and agencies in complying with FIPS 201. Electronic copies of SP 800-79 are available from the CSRC Special Publications page or click here to go directly to the pdf document. Questions and answers about SP 800-79 are also available.

Posted June 29, 2005:
On June 16, 2005, NIST posted a Request for Information (RFI) in the Commerce Business Daily (Federal Business Opportunities) concerning products and services that comply with Federal Information Processing Standard 201 on the following WWW site:

http://www2.eps.gov/spg/DOC/NIST/AcAsD/Reference-Number-FIPS201/SynopsisR.html (NOTE: You will be leaving the PIV-Program and NIST webserver when clicking this link)

The following is a synopsis of that request for information. People interested in providing information should visit the referenced WWW site to obtain more complete information before preparing a response to the request. Information must be provided on or before July 1, 2005, in order to be responsive to the RFI.

This notice requests comments on products and services developed to meet the requirements of Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification of Federal Employees and Contractors; Special Publication 800-73, Interface for Personal Identity Verification; and Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. This document is not a request for proposals or a statement of intent to initiate a procurement action, but it is a request for information regarding vendors' capability to develop FIPS 201 compliant products. In order to facilitate planning for testing, procurement, validation, and implementation of PIV systems conforming to all applicable functional and security requirements, information is being sought regarding products and services being offered to meet FIPS 201 requirements.

Specifically, NIST requests information regarding the hardware and software characteristics of FIPS 201-compliant products, timelines for product development, dates of availability of compliant products in production quantities, and estimated cost of products and services. NIST requests this information for both PIV components and integrated solutions. Additionally, NIST requests information on a vendor's capability to set up test harnesses for PIV systems and conduct compliance tests. Funding to support a future procurement has not been secured at this time. Responses are due by July 1, 2005.

DATES: Comments and information submitted by interested parties must be received by NIST by 5:00 p.m. Eastern Standard Time on July 1, 2005.

FOR FURTHER INFORMATION CONTACT: William C. Barker, NIST, (301) 975-8443 (FIPS201_products@nist.gov) or Ron Martin, Department of Commerce, (202) 482-4637.

PLEASE NOTE: All information submitted in response to this request will be publicly released. Therefore, do not include proprietary or confidential business information in your response. Vendors responding to this notice assume the risk of public disclosure if confidential information is included.

June 16, 2005
NIST has posted a Request for Information (RFI) (NOTE: You will be leaving NIST webserver after clicking this link) for products and services developed to meet the requirements of Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors; Special Publication 800-73, Interface for Personal Identity Verification; and Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification on FedBizOpps. Responses are requested by July 1, 2005.

June 13, 2005
NIST has announced a public workshop to provide additional guidance on Federal Information Processing Standards (FIPS) 201 implementation. The workshop is designed to provide clarifications and respond to the questions raised by the industry and Federal agencies. Further information about registration and the workshop can be found here.

Posted May 20, 2005:
May 16, 2005 -- Reporting Format for Homeland Security Presidential Directive (HSPD) 12 Implementation Plans: The Office of Management and Budget has published instructions and a reporting template for HSPD #12 implementation plans. HSPD #12, Policy for a Common Identification Standard for Federal Employees and Contractors, requires Federal Departments and Agencies, by June 27, 2005, to have a program in place to ensure identification issued by your department or agency to Federal employees and contractors meets a common standard. The instructions and a reporting template can be accessed at http://www.whitehouse.gov/omb/inforeg/hspd-12_corrected_051905.doc.

April 25, 2005:
NIST Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available. This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publications 800-73, Interfaces for Personal Identity Verification, and 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic functions.

April 12, 2005:
Special Publication 800-73 has been updated and an updated .pdf file is now available on the Special Publications page. An errata sheet has been posted as well (both files posted April 12, 2005). The original release of SP 800-73 was April 8th.

April 8, 2005:
NIST is pleased to announce the release of Special Publication 800-73, Interfaces for Personal Identity Verification. SP 800-73 provides the specifications for interfacing with the Personal Identity Verification (PIV) Card as specified in FIPS 201. SP 800-73 provides a streamlined, ISO compliant unified card edge independent of the underlying card platform technology.

April 8, 2005
OMB has published a request for comments in the Federal Register on their draft agency implementation guidance for HSPD #12. Comments are due to OMB by May 9, 2005.

March 28, 2005
NIST Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for a two week public comment period. This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publications 800-73, Interfaces for Personal Identity Verification, and 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic functions. Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-78" in the subject line. It is requested that Federal organizations submit one consolidated/coordinated set of comments. The comment period closes at 5:00 EST (US and Canada) on April 11th, 2005.

March 8, 2005
NIST has revised the Special Publication 800-73 Second DRAFT (SP 800-73) in response to the comments received on the January 31st public draft. The SP 800-73 provides the specifications for interfacing with the Personal Identity Verification (PIV) Card as specified in FIPS 201. SP 800-73 provides a streamlined, ISO compliant unified card edge independent of the underlying card platform technology. Please submit your comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-73" in the subject line. It is requested that Federal organizations submit one consolidated/coordinated set of comments. The comment period closes at 5:00 EST (US and Canada) on March 22nd, 2005.

March 3, 2005
Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors

February 25, 2005
FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, developed in response to Homeland Security Presidential Directive #12, is now available. Details about the development of the new standard can be found on NIST's PIV webpages.

January 24, 2005
Based on the comments received on the November 8th draft of FIPS 201, NIST has decided to move technical requirements for biometric data to a Special Publication 800-76, Biometric Data Specification for Personal Identity Verification (.pdf). NIST is pleased to announce the draft of SP 800-76 for public comment. The comment period for this draft is two weeks, ending on February 7th, 2005. Please direct all comments and questions to DraftFips201@nist.gov.

This session is now full and no longer accepting registration.
January 6, 2004 -- A second session has been formed, from 1:00-4pm. Due to the number of responses from individuals interested in attending this meeting, there will be a second meeting in the afternoon at the same location. The afternoon session will cover the same topics. Because of space limitations, attendees may only attend one session. Attendees registered for the morning session may not switch sessions. If you are on the waiting list, you will receive email confirmation; there is no need to contact NIST.

January 4, 2005 -- Update:
NIST has received over 1900 comments from over 80 individuals and organizations during the public comment period on the draft standard. We are now working through the comments to finalize the standard for approval. As is our normal procedure for FIPS, we will be posting the comments we received to our web site (hopefully by the end of the month). NIST appreciates the time and energy of those who reviewed the draft and provided us with many helpful comments and suggestions.

The morning meeting has reached capacity and is now full. All people registering now will be put on a waiting list.
December 22, 2004 -- On January 19, 2005, from 8:30-noon, the General Services Administration, in partnership with the Department of Commerce and the Office of Management and Budget, will hold a public meeting. The meeting will cover the policy, privacy, and security issues associated with the Personal Identity Verification (PIV) Standard for Federal Employees and Contractors. Karen Evans, Administrator for E-Government and Information Technology, is the keynote speaker. Ms. Evans will be followed by 2 panels to discuss key policy questions. For details click here.

December 8, 2004
FIPS 201/SP 800-73 Update: NIST held a FIPS 201 public industry briefing on November 18, 2004. The briefing provided an opportunity for an exchange of information among key government and industry representatives regarding FIPS 201 implementation requirements and capabilities. Many inputs were provided to NIST regarding implementation realities and the continuing requirement to meet HSPD 12 time lines. In answer to many questions, NIST's intent in the FIPS 201 companion document, Special Publication 800-73, is to provide a technology neutral approach to support all card types. Some readers have commented that the language in the draft Special Publication 800-73 is not clear on this point. NIST intends to make some changes to Special Publication 800-73. The Interagency Advisory Board (IAB) has subsequently agreed to make specific suggested changes for the revision through its Technical Working Group. NIST has provided a terms of reference document to the IAB. The IAB has agreed to provide its recommended revisions to NIST on Special Publication 800-73 by January 20, 2005. Given the different procedures for FIPS and Special Publication processing, this will afford more development and review time for Special Publication 800-73 than for FIPS 201 within the HSPD #12-prescribed schedule. NIST plans a brief second public review of the revised Special Publication 800-73 in late January, 2005. Comments on FIPS 201 are still due on December 23, 2004. Slides from the November 18 industry briefing are available at http://csrc.nist.gov/groups/SNS/piv/documents/workshop-Nov18-2004/presentations.html.

November 8, 2004
NIST is pleased to announce the first public drafts of Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification for Federal Employees and Contractors, and Special Publication 800-73 (SP 800-73), Integrated Circuit Card for Personal Identity Verification. These publications are being published in response to Homeland Security Presidential Directive #12 of August 27, 2004. The comment periods for FIPS 201 and SP 800-73 public drafts will be 45 days, ending on December 23rd, 2004. Please direct all comments and questions to DraftFips201@nist.gov. To view/download these two drafts, the README file and comment file.