In September 2017, this (legacy) site will be replaced with the new site you can see at beta.csrc.nist.rip. At that time, links to this legacy site will be automatically redirected to appropriate links on the new site.


Announcements

05/09/2017

In mid-2016, the NIST PIV Validation Program proposed a transition plan to move from RNG to DRBG-based PIV cards by the end of June 2017. This transition plan was initiated because agencies indicated that agencies and vendors were not yet able to migrate to SP 800-90A DRBG PIV cards.

However, as the June 2017 date approaches, it has become apparent that another extension is necessary to issue and use RNG PIV cards until DRBG PIV cards are validated and available with compatible card management software.

To allow an orderly transition to DRBG PIV cards, the PIV Validation Program will grant an additional one-year extension through June 30, 2018. This allows affected PIV Card vendors time to complete CMVP- and PIV-based validation, and grants additional time to prepare, update or deploy any other components that may be necessary to issue or use the new DRBG PIV Cards.

According to this revised transition plan, agencies may continue to issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2018. Future procurements of any legacy PIV cards that may be needed during this transition should be planned to minimize excess legacy card stock at the time of this deadline.

However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2024.


08/06/2016

Beginning in 2016, the CMVP enforced the RNG transition, requiring new modules to implement the SP 800-90A DRBGs, and requiring vendors to update previously validated modules to remain on the active validation list. NPIVP, which relies on the CMVP for cryptographic module testing, also enforced this transition, and is requiring the use of validated DRBGs in PIV cards.
 
However, feedback from agencies has indicated that vendors are not yet able to migrate to SP 800-90A DRBG PIV cards. As a result, the legacy RNG PIV cards will continue to be issued and used until DRBG PIV cards are available with compatible card management software.
 
To support the migration of PIV cards to DRBGs, the PIV Validation Program proposes a one-year conditional transition plan ending by June 30, 2017, that allows the continued issuance and use of previously validated PIV cards using legacy RNGs that do not pose an immediate security risk.
 
According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2023.


08/05/2016

(Two Updates):
  1. The new SP 800-73-4-based Test Runner has been released and is available for download. Please replace your current SP 800-73-3 Test Runner with the SP 800-73-4 Test Runner. (Links to this new Test Runner have also been added to the left menu bar of all NIST PIV Program pages.)
     
    Please use the new Test Runner from now on, as NPIVP will only accept test reports from laboratories submitting test evidence for PIV Card Application and PIV Middleware generated by the new SP 800-73-4 Test Runner.
     
    Please send an e-mail to piv-dmtester@nist.gov to request a password to unzip the PIV Data Model Tester file and/or with any questions you may have.
     
  2. NPIVP updated the PIV Card Application Validation list by removing validations with legacy RNGs for which NIST did not receive input from labs/vendors or received insufficient input in order to remain on the validation list as legacy RNG (See NPIVP email communication on 6/23/16).
     
    The remaining legacy RNG implementation on the validation list will be moved to the "Removed Products List" on 7/31/17.

02/09/2016

SUNSET of RNG

To comply with NIST SP 800-131A, “Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths,” the CMVP has removed cryptographic modules implementing RNG from the FIPS 140-2 validation list as of 1/1/16. These modules have moved to the legacy/historic validation list as they are no longer suited for government procurement. According to CMVP’s announcement, affected modules can be re-introduced into the FIPS 140-2 validation list by 6/30/16 after corrective actions have been taken to replace RNG in the affected modules. More information from CMVP about updating the module in an efficient manner is provided at http://csrc.nist.rip/groups/STM/cmvp/notices.html.

The sunset of RNG affects PIV Card Applications’ cryptographic modules residing on PIV Cards’ ICC. To reflect the sunset, the NPIVP will mark all PIV Card Applications with affected modules as LEGACY in the PIV Card Application validation list. This change will be effective 2/12/16.

Once corrective actions have been taken to relist the module on the CMVP’s FIPS 140-2 validation list, the NPIVP will lift the LEGACY designation from the PIV Card Application validation list. If the module does not reappear in the CMVP’s FIPS 140-2 validation list by 06/30/16, NPIVP has no other choice but to remove affected PIV Card Applications from the validation list on 07/01/16 and place them in the removed products list. This will signify that procurement of these implementations is not appropriate for government.



09/05/2014

The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that beginning 09/05/14, new and replacement cards issued by Departments and Agencies have to conform to FIPS 201-2 when on-boarding or when replacing PIV Cards as they expire over the next 5 years.

The impact for the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are affected. This is because, to meet the FIPS 201-2 compliance requirements, all that is required is that some PIV Card credentials that were optional under FIPS 201-1 be present (they are now mandatory under FIPS 201-2). The Removed Products List (RPL) is now available. The effect on validated PIV Middleware is broader. PIV Middleware is required to support all functionality (function calls/credentials) of a fully loaded PIV Card. Since SP 800-73-1 and SP 800-73-2 PIV Middleware do NOT support new FIPS 201-2 functionality, they have to be placed on the RPL. The PIV Middleware RPL is also available. Note: The PIV Middleware listed in the SP 800-73-3 PIV Middleware Validation list remains valid and will not be removed. These implementations support the optional credentials/functionality, which are now mandatory under FIPS 201-2.

Finally, the NPIVP Validation Authority also removed validated PIV Card Applications that had remained in a ‘pending’ state for FIPS 140-2 for 3 years or longer. These card applications never received FIPS 140-2 validation, and thus are not allowed to be used by USG.



11/29/2010

As of 11/29/2010, NPIVP hereby authorizes all NPIVP Test Facilities to commence certification of PIV cards for conformance to NIST SP 800-73-3 specifications. However, certifications of PIV cards for conformance to NIST SP 800-73-2 that are currently under testing will be accepted until December 31, 2010. Effective January 1, 2011, NPIVP will not be accepting test reports from laboratories for NIST SP 800-73-2 cards. From that date, PIV Card Application products claiming conformance to SP 800-73-3 specifications alone will be accepted for validation and issuance of certificates. NIST will shortly be making an announcement regarding the acceptance of test reports for NIST SP 800-73-3 PIV Middleware. If you need any clarifications, please do not hesitate to contact us at npivp@nist.gov. Thanks for your cooperation.



06/23/2009

Effective July 11, 2009, NPIVP will not be accepting test reports from laboratories submitting test evidence for PIV Card Application and PIV Middleware based on SP 800-73-1 specifications. Test Results for PIV Middleware or PIV Card Application products claiming conformance to SP 800-73-2 specifications alone will be accepted for validation and issuance of certificates. If you need any clarifications, please do not hesitate to contact us at npivp@nist.gov. Thanks for your cooperation.



12/15/2008

Effective January 1, 2009, NPIVP will not accept test reports from laboratories submitting test evidence for RSA-1024-based DSK and/or KMK, since these keys do not comply with the cryptographic timelines established in SP 800-78-1, Table 3-1.

11/26/2008

Beginning January 1, 2009, PIV Card Applications implementing the PIV Digital Signature Key (DSK) and/or the PIV Key Management Key (KMK) are required to support cryptographic keys that provide a minimum of 112 bits of security strength. RSA 1024-based DSK and KMK provide only 80 bits of security strength. These keys, as per SP 800-78-1, Table 3-1, are to be discontinued by the end of 2008. As a result, the validation listing on NPIVP's validation web page will be revised to mark RSA 1024-based DSK and KMK as no longer valid with respect to the scope of the validation, since they do not comply with the cryptographic timelines established in SP 800-78-1, Table 3-1.
 
Effective January 1, 2009, an affected PIV card application validation entry will appear as follows:
 
Optional PIV Data Object Implemented:
1) Card Holder Facial Image
2) Card Holder Printed Information
3) X.509 Certificate for Digital Signature
4) X.509 Certificate for PIV Key Management
5) X.509 Certificate for Card Authentication

As of January 1, 2009, PIV card applications implementing the PIV Digital Signature Key (DSK) and/or the PIV Key Management Key (KMK) are required to support cryptographic keys that provide a minimum of 112 bits of security strength. The private key (corresponding to the X.509 certificate in gray font) provides only 80 bits of security strength. This key is no longer valid, since it does not comply with the cryptographic timelines established in SP 800-78-1, Table 3-1, and is therefore out of the scope of the validation.



09/27/2006

All current NPIVP test facilities are now fully accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) to conduct PIV card application and PIV middleware testing.



06/12/2006

As a reminder, NVLAP has announced the addition of the PIV Test Methods to the NVLAP Cryptographic Module Testing LAP (CMT LAP) on 4/26/06.



04/25/2006

Due to numerous inquiries about the READ BINARY command, NIST would like to clarify its use on the contact and contactless card chips of the PIV card. View Full Report



04/21/2006

The NIST has initiated the PIV Biometric Product Testing Resource Center to inform the biometric vendor community of existing product testing procedures.