SP 1800-12 (Draft)

Derived Personal Identity Verification (PIV) Credentials

Date Published: September 2017
Comments Due: November 29, 2017 (public comment period is CLOSED)
Email Questions to: piv-nccoe@nist.gov


William Newhouse (NIST), Michael Bartock (NIST), Jeffrey Cichonski (NIST), Hildegard Ferraiolo (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE), Spike Dog (MITRE), Susan Prince (MITRE)


The Federal Government uses PIV cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems. PIV cards require the use of a smart card reader, which is typically integrated in desktop and laptop computers. Increasingly, users are performing their work on mobile devices, such as cell phones and tablets, which lack the smart card readers needed to authenticate users. External readers are available, but they are an additional cost and cumbersome to use. As a result, the mandate to use PIV systems has pushed for new means of extending them to mobile devices, so that the same security policies are enforced there as on desktop and laptop computers.

The NCCoE identified an architecture that uses common mobile device families to demonstrate the use of Derived PIV Credentials (DPC) in a manner that meets security policies. This example implementation is documented as a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system using standards-based cybersecurity technology. This practice guide helps organizations meet authentication standards and provide users with access to the information they need, using the devices they want, without having to purchase expensive and cumbersome external smart card readers. Users of mobile devices are authenticated through secure cryptographic authentication exchanges that use a public key infrastructure (PKI) with credentials derived from a PIV card, ensuring that strict security policies are met.

Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity.



derived PIV credentials; enterprise mobility management (EMM); identity; mobile device; mobile threat; (multifactor) authentication; network/software vulnerability; Personal Identity Verification; PIV card; cybersecurity; smart card
Control Families

None selected


Draft SP 1800-12 files

Supplemental Material:
None available

Document History:
09/29/17: SP 1800-12 (Draft)
08/02/18: SP 1800-12 (Draft)
08/27/19: SP 1800-12 (Final)