NIST releases final public drafts of PIV credential guidelines

The National Institute of Standards and Technology (NIST) released its final public drafts of two documents that aim to enhance the security and interoperability of identity verification processes within federal agencies.

The publications are NIST Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, and NIST Special Publication (SP) 800-217, Guidelines for Personal Identity Verification (PIV) Federation.

These publications are part of NIST’s ongoing efforts to enhance digital identity verification processes, ensuring they are secure, reliable, and interoperable across federal agencies.

The Guidelines for Derived PIV Credentials revision expands the scope of derived PIV credentials beyond mobile devices to include various form factors and authenticator types. It introduces non-PKI-based, phishing-resistant multi-factor credentials, aligning with directives from the Office of Management and Budget (OMB) Memoranda M-19-17 and M-22-09, and the Federal Information Processing Standards (FIPS) 201-3.

Key updates include the inclusion of non-PKI-based authenticators to provide flexibility in authentication methods; detailed guidelines on the issuance, maintenance, and termination of derived PIV credentials; and enhanced controls to ensure that non-PKI-based credentials offer assurance comparable to traditional PIV Cards.

The final version of NIST’s Guidelines for PIV Federation provides technical requirements for implementing federated PIV identity services, enabling cross-domain and interagency use of PIV credentials. It focuses on the use of assertions to facilitate PIV federations backed by PIV identity accounts and credentials.

Key components include specifications for protocols that support the federated use of PIV credentials across different agencies; guidelines for establishing trust agreements between agencies to ensure secure and interoperable identity verification; consistency with the Digital Identity Guidelines to maintain a cohesive approach to digital identity management.

NIST invites stakeholders to review and provide feedback on these drafts. The public comment period is open through January 10, 2025. Comments should be submitted to piv_comments@nist.gov. Reviewers are encouraged to use the comment templates provided on the publication details pages.

Article Topics

digital identity  |  identity management  |  identity verification  |  interoperability  |  NIST  |  PIV cards  |  U.S. Government