2024-07-26

This week, the U.S. National Institute of Standards and Technology (NIST) issued revisions to two of its special publications which set forth the technical requirements of Federal Information Processing Standard 201 (FIPS 201) for the Personal Identity Verification (PIV) credentials that are issued to U.S. federal employees and contractors.

Roughly five million PIV cards have been issued to provide multifactor authentication access to federal IT resources and facilities. Each PIV card includes a photo of the cardholder and lists the sponsoring agency, the cardholder’s name, and an expiration date. Each card also has an embedded chip with certificates and keys to verify the authenticity of the card, which allows cardholders to access secured areas and information systems.

The U.S. Department of Homeland Security (DHS) has said that it considers PIV cards, which can remain active for up to six years, sensitive and high-value items with “grave potential for misuse if lost, stolen, or compromised.”

Meanwhile, David Marroni, director of the Physical Infrastructure Team at the U.S. Government Accountability Office (GAO), testified this week that U.S. Federal Protective Service (FPS) officials told GAO that security guard contractors “routinely inform them” that the Post Tracking System (PTS), which is used to verify individual contract guard identities and the qualifications required to staff a specific post, does not allow qualified guards to sign into the system due to technology issues with guard identification cards, vendor-supplied equipment, or Internet connection problems.

FPS is the agency of DHS that’s responsible for protecting 9,000 federal facilities. FPS spent almost $1.7 billion on contract guards, which represented more than 76 percent of its budget, in Fiscal Year 2024. FPS officers and more than 13,000 contract guards control access to facilities, conduct access point screenings to detect prohibited items, and respond to safety and security emergencies.

While “nationwide deployment of PTS is ongoing,” Marroni told the U.S. House Committee on Transportation and Infrastructure’s Subcommittee on Economic Development, Public Buildings, and Emergency Management, “the system is not fully functional in any region because of technology, data reliability, and interoperability issues identified by FPS and security guard contractor officials,” adding, “FPS continues to require use of its old paper-based system for billing and guard verification.”

Less than two years ago, GAO informed Congress that DHS “did not always terminate personal identity verification card access or withdraw security clearances for separated employees and contractors in accordance with federal regulations and department policies.”

GAO said it was unable to “determine the exact magnitude of the problem because records in DHS’ information systems were incomplete.”

The latest revisions to NIST’s FIPS 201 are designed to enhance both the security and interoperability of PIV credentials and the systems that use and support them. By revising NIST Special Publication (SP) 800-73-5 and SP 800-78-5, NIST said, these standards better align with FIPS 201 and better support the secure identification and authentication needs of federal agencies that rely on PIV credentials for facility and other access.

For some time, the chief problem with PIV-based authentication has been that it can be unwieldy and not especially friendly to contractors and other third parties.

NIST said the “updates are meant to ensure that the cryptographic standards keep pace with advancements in security technology and provide robust protection for PIV credentials.”

NIST has updated its PIV standards numerous times to better align with revisions to FIPS 201.

The latest changes “have subsequently been revised to align with FIPS 201,” NIST said, and contain the technical specifications for the Interfaces for Personal Identity Verification; describe the technical specifications for using PIV credentials; and cover the PIV data model, the card edge interface, and the application programming interface.

FIPS 201 specifies the credentials that must be used by federal employees and contractors to access federal sites and is the standard that covers the activities involved in issuing a PIV card, such as identity proofing and enrollment, as well as the lifecycle activities for updating, using, and maintaining PIV cards.

FIPS 201 publications are intended for U.S. government agencies, vendors that make PIV cards, and vendors that develop hardware and software that work with the cards. The standard ensures that PIV systems meet the security and control objectives of Homeland Security Presidential Directive-12 (HSPD-12), which was issued on August 27, 2004, and sets forth the federal government’s policies for a common identification standard for all federal employees and contractors.

HSPD-12 directed the U.S. Secretary of Commerce to promulgate a federal standard for secure and reliable forms of identification. NIST is an agency of the U.S. Department of Treasury.

The “significant” changes announced by NIST involve the removal of the previously deprecated CHUID authentication mechanism and SYM-CAK and VIS authentication mechanisms for PIV credentials. CHUID is an outdated method that was used to identify a person using a unique number on the person’s PIV card while SYM-CAK is a security method that uses a unique shared key for authentication. VIS is a method that relies on a visual check of a PIV card.

An optional 1-factor secure messaging authentication mechanism (SM-Auth) has also been added for secure facility access applications, as well as the additional use of the facial image biometric for general authentication using the BIO and BIO-A authentication methods.

The revised SP 800-73-5 also includes an optional cardholder identifier in the PIV Authentication Certificate, which identifies a PIV credential holder within the PIV credential set issued during eligibility, and places restrictions on the number of activation attempts for both PIN and On-Card Comparison, limiting them to ten or fewer consecutive attempts.
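The retry limit above is simple to state but easy to implement wrongly: the counter must be decremented before the comparison (so an attempt interrupted mid-check still counts), reset only by a successful activation, and never bypassed once it reaches zero. The following model is an added illustration, not code from NIST SP 800-73-5 or from any PIV card vendor; class and function names are hypothetical, and the PIN and biometric "template" values are constructed. It applies the same counter rule to both PIN and on-card comparison (OCC) activation, which is the general case the revision describes.

```python
"""Retry-counter model for PIV card activation (PIN or on-card comparison).

Added illustration, not code from NIST SP 800-73-5 or any PIV card vendor.
It models the rule that at most ten consecutive failed activation attempts
are allowed, after which the activation method is blocked until an
out-of-band reset. Names are hypothetical; sample values are constructed.
"""
import hmac
from typing import Callable

MAX_CONSECUTIVE_ATTEMPTS = 10  # ceiling stated in the revised SP 800-73-5


class ActivationMethod:
    """One activation method (PIN or OCC) with its own retry counter."""

    def __init__(self, reference: bytes, matcher: Callable[[bytes, bytes], bool],
                 limit: int = MAX_CONSECUTIVE_ATTEMPTS) -> None:
        if not 1 <= limit <= MAX_CONSECUTIVE_ATTEMPTS:
            raise ValueError("limit must be between 1 and 10 attempts")
        self._reference = reference
        self._matcher = matcher
        self.limit = limit
        self.remaining = limit      # counts down; 0 means blocked
        self.activated = False

    @property
    def blocked(self) -> bool:
        return self.remaining == 0

    def attempt(self, candidate: bytes) -> bool:
        """Try to activate; returns True on success, False otherwise."""
        if self.blocked:
            return False            # no comparison at all while blocked
        # Decrement before comparing, so an attempt interrupted mid-check
        # (power loss, card pulled) is still counted as a failure.
        self.remaining -= 1
        if self._matcher(self._reference, candidate):
            self.remaining = self.limit   # only success resets the counter
            self.activated = True
            return True
        self.activated = False
        return False

    def reset_by_issuer(self) -> None:
        """Out-of-band unblock performed by the issuer; not a cardholder path."""
        self.remaining = self.limit
        self.activated = False


def pin_matcher(reference: bytes, candidate: bytes) -> bool:
    # Constant-time comparison avoids leaking how many leading digits matched.
    return hmac.compare_digest(reference, candidate)


def occ_matcher(reference: bytes, candidate: bytes, threshold: int = 3) -> bool:
    # Toy on-card comparison: Hamming distance between fixed-length
    # "templates". A real OCC uses a biometric matching algorithm.
    if len(reference) != len(candidate):
        return False
    distance = sum(bin(a ^ b).count("1") for a, b in zip(reference, candidate))
    return distance <= threshold


def lockout_scenario() -> dict:
    """Ten wrong PINs block the method; the correct PIN no longer helps."""
    pin = ActivationMethod(b"123456", pin_matcher)           # constructed PIN
    for _ in range(MAX_CONSECUTIVE_ATTEMPTS):
        pin.attempt(b"000000")
    correct_after_block = pin.attempt(b"123456")
    return {"blocked": pin.blocked, "correct_after_block": correct_after_block,
            "remaining": pin.remaining}


def recovery_scenario() -> dict:
    """Three wrong attempts followed by the right PIN restore the full budget."""
    pin = ActivationMethod(b"123456", pin_matcher)
    for _ in range(3):
        pin.attempt(b"999999")
    ok = pin.attempt(b"123456")
    return {"activated": ok, "remaining": pin.remaining}


def occ_scenario() -> dict:
    """OCC follows the same counter rule; a near template matches, a far one does not."""
    template = bytes([0b10110010, 0b01101100, 0b11110000])  # constructed template
    occ = ActivationMethod(template, occ_matcher, limit=5)
    near = bytes([0b10110011, 0b01101100, 0b11110000])      # one bit differs
    far = bytes([0b01001101, 0b10010011, 0b00001111])       # every bit differs
    rejected = occ.attempt(far)
    accepted = occ.attempt(near)
    return {"rejected_far": rejected, "accepted_near": accepted,
            "remaining": occ.remaining}


if __name__ == "__main__":
    print(lockout_scenario())
    print(recovery_scenario())
    print(occ_scenario())
```

The design point worth noting is the order of operations in `attempt`: decrementing first means an adversary who cuts power after the comparison but before the counter write gains nothing, and keeping the blocked check ahead of the comparison means no reference data is touched once the budget is spent.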

Conspicuously removed from the standard is the PIV Middleware specification. Under the new revision, this requirement is optional, which will provide much more flexibility in PIV deployment.

The revision to NIST SP 800-78-5 – which defines the cryptographic capabilities required for PIV Cards and their supporting systems – updates the Cryptographic Algorithms and Key Sizes for PIVs. The important changes include the deprecation of certain Triple Data Encryption Algorithm identifiers and the removal of the retired Random Number Generator from Cryptographic Algorithm Validation Program (CAVP) PIV component testing.

The now-retired FIPS 186-2 key generation method has been removed from CAVP PIV component testing where applicable, and the testing requirements have been modified to add algorithm and key size requirements for CAVP validation testing, including deprecation of the 3TDEA algorithms with identifiers 00 and 03; accommodation of the Secure Messaging Authentication key; and use of higher-strength keys with at least 128-bit security, which will be required for authentication starting in 2031.
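A relying party or card-management system has to turn the two rules above (identifiers 00 and 03 are deprecated; 128-bit security is required from 2031) into a concrete check on the algorithm identifiers and key sizes it encounters. The following policy check is an added example, not code from NIST SP 800-78-5. The page names only identifiers 00 and 03; the remaining entries in the table are the author's recollection of earlier SP 800-78 revisions and should be verified against the current publication. The security-strength figures follow the comparable-strength tables in NIST SP 800-57 Part 1, and all function names are hypothetical.

```python
"""Key-strength policy check for PIV cryptographic algorithm identifiers.

Added illustration, not code from NIST SP 800-78-5. Only identifiers 00 and
03 (3TDEA) are taken from the article; the other table rows are assumed from
earlier SP 800-78 revisions. Security strengths follow SP 800-57 Part 1.
"""
from dataclasses import dataclass

MIN_STRENGTH_BITS = 128         # "at least 128-bit security"
STRENGTH_REQUIRED_FROM = 2031   # year from which the article says it is required


@dataclass(frozen=True)
class PivAlgorithm:
    identifier: int
    name: str
    security_bits: int   # comparable strength per SP 800-57 Part 1
    deprecated: bool     # deprecated identifier (only 00/03 come from the article)


# Assumed table: 00/03 from the article, the rest recalled from earlier revisions.
PIV_ALGORITHMS = {
    0x00: PivAlgorithm(0x00, "3-key TDEA, ECB", 112, True),
    0x03: PivAlgorithm(0x03, "3-key TDEA, ECB", 112, True),
    0x07: PivAlgorithm(0x07, "RSA 2048", 112, False),
    0x08: PivAlgorithm(0x08, "AES-128, ECB", 128, False),
    0x0A: PivAlgorithm(0x0A, "AES-192, ECB", 192, False),
    0x0C: PivAlgorithm(0x0C, "AES-256, ECB", 256, False),
    0x11: PivAlgorithm(0x11, "ECC P-256", 128, False),
    0x14: PivAlgorithm(0x14, "ECC P-384", 192, False),
}


def strength_from_key(kind: str, bits: int) -> int:
    """Comparable security strength of an RSA modulus size or EC curve size."""
    if kind == "rsa":
        # SP 800-57 Part 1: 1024->80, 2048->112, 3072->128, 7680->192, 15360->256
        for modulus, strength in ((15360, 256), (7680, 192), (3072, 128),
                                  (2048, 112), (1024, 80)):
            if bits >= modulus:
                return strength
        return 0
    if kind == "ec":
        # About half the curve order size: P-256->128, P-384->192, P-521->256
        return min(bits // 2, 256)
    raise ValueError(f"unknown key kind {kind!r}")


def evaluate_identifier(identifier: int, year: int) -> tuple[str, str]:
    """Classify a PIV algorithm identifier for use in a given year."""
    alg = PIV_ALGORITHMS.get(identifier)
    if alg is None:
        return ("unknown", f"identifier {identifier:#04x} not in the table")
    if year >= STRENGTH_REQUIRED_FROM and alg.security_bits < MIN_STRENGTH_BITS:
        return ("rejected", f"{alg.name} gives {alg.security_bits}-bit security; "
                            f"{MIN_STRENGTH_BITS}-bit required from {STRENGTH_REQUIRED_FROM}")
    if alg.deprecated:
        return ("deprecated", f"{alg.name} (identifier {identifier:#04x}) is deprecated")
    if alg.security_bits < MIN_STRENGTH_BITS:
        return ("transition", f"{alg.name} gives {alg.security_bits}-bit security; "
                              f"migrate before {STRENGTH_REQUIRED_FROM}")
    return ("ok", f"{alg.name} gives {alg.security_bits}-bit security")


def evaluate_key(kind: str, bits: int, year: int) -> tuple[str, str]:
    """Same policy applied to a key size read from a PIV certificate."""
    strength = strength_from_key(kind, bits)
    label = f"{kind.upper()}-{bits}"
    if strength < MIN_STRENGTH_BITS:
        if year >= STRENGTH_REQUIRED_FROM:
            return ("rejected", f"{label}: {strength}-bit security below {MIN_STRENGTH_BITS}")
        return ("transition", f"{label}: {strength}-bit security; migrate before {STRENGTH_REQUIRED_FROM}")
    return ("ok", f"{label}: {strength}-bit security")


if __name__ == "__main__":
    for ident, year in ((0x00, 2025), (0x07, 2030), (0x07, 2031), (0x11, 2031)):
        print(f"{ident:#04x} in {year}: {evaluate_identifier(ident, year)}")
    print(evaluate_key("rsa", 2048, 2031))
    print(evaluate_key("ec", 384, 2031))
```

The ordering of the checks matters for reporting: an identifier that is both deprecated and below 128 bits (3TDEA) is reported as "deprecated" today and as "rejected" from 2031, so the migration reason a card-management team sees changes as the deadline passes. RSA 2048 is the case most fleets need to watch; it is still accepted during the transition but falls short of the 2031 requirement.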
