SP 800-157 Rev. 1 (Draft)

Guidelines for Derived Personal Identity Verification (PIV) Credentials

Date Published: January 10, 2023
Comments Due: March 24, 2023
Email Comments to: piv_comments@nist.gov

Author(s)

Hildegard Ferraiolo (NIST), Andrew Regenscheid (NIST), James Fenton (Altmode Networks)

Announcement

Summary

This publication complements FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors. The draft guidelines in SP 800-157r1 detail the issuance and maintenance of authenticators used as derived PIV credentials.

Submit public comments by 11:59 PM ET on March 24, 2023 to piv_comments@nist.gov. We encourage you to use this comment template.

See the Note to Reviewers below for specific topics about which NIST is seeking your feedback. NIST will review all comments and make them available on this website.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Note to Reviewers

Draft NIST SP 800-157r1 Guidelines for Derived Personal Identity Verification (PIV) Credentials expands the use of derived PIV credentials beyond mobile devices to include non-PKI-based phishing-resistant multi-factor credentials. The draft details the expanded set of derived PIV credentials in a variety of form factors and authenticator types as envisioned in OMB Memoranda M-19-22 and M-22-09, and subsequently outlined in FIPS 201-3. The cross-domain and interagency use of these credentials is provided by federation protocols outlined in the initial public draft of SP 800-217, Guidelines for PIV Federation. Both documents are closely aligned with draft release SP 800-63-4, Digital Identity Guidelines. NIST hopes that the draft document enables a close alignment with new and emerging digital authentication and federation technologies employed in the federal government, while maintaining a strong security posture.

NIST is specifically interested in comments on and recommendations for the following topics:

  1. Are the new controls for issuance, use, maintenance, and termination of non-PKI-based derived PIV credentials clear and practical to implement?
  2. Are phishing-resistant authenticators available to meet agency use cases as well as the requirements for derived PIV authentication?
  3. Are the new controls sufficient to provide comparable assurance to PIV Cards and other derived PIV credentials?

Abstract

Keywords

authentication; credentials; derived PIV credentials; electronic authentication; electronic credentials; mobile devices; personal identity verification; PIV

Control Families

Identification and Authentication