Date Published: August 2018
Comments Due:
Email Questions to:
Author(s)
William Newhouse (NIST), Michael Bartock (NIST), Jeffrey Cichonski (NIST), Hildegard Ferraiolo (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE), Spike Dog (MITRE), Susan Prince (MITRE), Julian Sexton (MITRE)
Announcement
This latest draft incorporates comments on the previous draft NIST Cybersecurity Practice Guide and expands the scope to include issuing Derived PIV Credentials (DPC) to manage mobile devices using Identity, Credentials, and Access Management (ICAM) shared services. The Federal Government utilizes PIV cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems. PIV cards require the use of a smart card reader that is typically integrated in desktop and laptop computers. Increasingly, users are performing their work on mobile devices, such as cell phones and tablets, which lack smart card readers needed to authenticate users. External readers are available, but they are an additional cost and cumbersome to use. As a result, the mandate to use PIV systems has pushed for new means to extend into mobile devices to enforce the same security policies as on desktop and laptop computers.
The NCCoE identified an architecture that use common mobile device families to demonstrate the use of Derived PIV Credentials in a manner that meets security policies. This example implementation is documented as a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system using standards-based cybersecurity technology. This practice guide helps organizations to meet authentication standards and provide users access to the information they need using the devices the want without having to purchase expensive and cumbersome external smart card readers. Users of mobile devices are authenticated using secure cryptographic authentication exchanges using a public key infrastructure (PKI) with credentials derived from a PIV card ensuring that strict security policies are met.
Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity.
Federal Information Processing Standards (FIPS) Publication 201-2, "Personal Identity Verification (PIV) of Federal Employees and Contractors, establishes a standard for a PIV system based on secure and reliable forms of identity credentials issued by the federal government to its employees and contractors. These credentials are intended to authenticate individuals who require access to federally controlled facilities, information systems, and applications. In 2005, when FIPS 201 was published, logical access was geared toward traditional computing devices (i.e., desktop and laptop computers) where the PIV card provides common multifactor authentication mechanisms through integrated smart card readers across the federal government. With the emergence of computing devices such as tablets, convertible computers, and in particular mobile devices, the use of PIV cards has proved challenging. Mobile devices lack the integrated smart card readers found in laptop and desktop computers and require separate card readers attached to devices to provide authentication services. To extend the value of PIV systems into mobile devices that do not have PIV Card readers, NIST developed technical guidelines on the implementation and lifecycle of identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV card. These NIST guidelines, published in 2014, describe Derived PIV Credentials (DPCs) which leverage identity proofing and vetting results of current and valid PIV credentials.
To demonstrate the DPCs guidelines, the National Cybersecurity Center of Excellence (NCCoE) at NIST built a security architecture using commercial technology to manage the lifecycle of DPCs demonstrating the process that enables a PIV Card holder to establish DPCs in a mobile device which then can be used to allow the PIV Card holder to access websites that require PIV authentication.
This project resulted in a freely available NIST Cybersecurity Practice Guide which demonstrates how an organization can continue to provide two-factor authentication for users with a mobile device that leverages the strengths of the PIV standard. Although this project is primarily aimed at the Federal sector’s needs, it is also relevant to mobile device users with smart card based credentials in the private sector.
Federal Information Processing Standards (FIPS) Publication 201-2, "Personal Identity Verification (PIV) of Federal Employees and Contractors, establishes a standard for a PIV system based on secure and reliable forms of identity credentials issued by the federal government to its employees and...
See full abstract
Federal Information Processing Standards (FIPS) Publication 201-2, "Personal Identity Verification (PIV) of Federal Employees and Contractors, establishes a standard for a PIV system based on secure and reliable forms of identity credentials issued by the federal government to its employees and contractors. These credentials are intended to authenticate individuals who require access to federally controlled facilities, information systems, and applications. In 2005, when FIPS 201 was published, logical access was geared toward traditional computing devices (i.e., desktop and laptop computers) where the PIV card provides common multifactor authentication mechanisms through integrated smart card readers across the federal government. With the emergence of computing devices such as tablets, convertible computers, and in particular mobile devices, the use of PIV cards has proved challenging. Mobile devices lack the integrated smart card readers found in laptop and desktop computers and require separate card readers attached to devices to provide authentication services. To extend the value of PIV systems into mobile devices that do not have PIV Card readers, NIST developed technical guidelines on the implementation and lifecycle of identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV card. These NIST guidelines, published in 2014, describe Derived PIV Credentials (DPCs) which leverage identity proofing and vetting results of current and valid PIV credentials.
To demonstrate the DPCs guidelines, the National Cybersecurity Center of Excellence (NCCoE) at NIST built a security architecture using commercial technology to manage the lifecycle of DPCs demonstrating the process that enables a PIV Card holder to establish DPCs in a mobile device which then can be used to allow the PIV Card holder to access websites that require PIV authentication.
This project resulted in a freely available NIST Cybersecurity Practice Guide which demonstrates how an organization can continue to provide two-factor authentication for users with a mobile device that leverages the strengths of the PIV standard. Although this project is primarily aimed at the Federal sector’s needs, it is also relevant to mobile device users with smart card based credentials in the private sector.
Hide full abstract
Keywords
enterprise mobility management (EMM); identity; mobile mobile threat; (multifactor) authentication; network/software vulnerability; Personal Identity Verification (PIV); PIV card; device; smart card; derived PIV credential (DPC); cybersecurity
Control Families
None selected