NIST is pleased to announce the release of Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). The document provides guidelines for assessing the reliability of issuers of PIV Cards and issuers of the newly introduced Derived PIV Credential for mobile devices. The document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

• Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
• Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
• Addition of issuer controls for the PIV Card’s visual topography,
• Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
• Updated references to the more recent credentialing guidance issued by OPM,
• Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and.
• Modified process to include an independent review prior to authorization of issuer.