Derived PIV Credentials

Download the Practice Guide

The NCCoE has released the draft version of NIST Cybersecurity Practice Guide SP 1800-12, Derived PIV Credentials. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »

Current Status

The NCCoE recently released a draft of the NIST Cybersecurity Practice Guide SP 1800-12 Derived Personal Identity Verification (PIV) Credentials. Public comments on the draft will be accepted through November 29, 2017. Submit your comments.

For ease of use, the guide is available in volumes:

  • SP 1800-12a: Executive Summary (PDF) (web page)
  • SP 1800-12b: Approach, Architecture, and Security Characteristics (PDF) (web page)
  • SP 1800-12c: How-To Guides (PDF) (web page)

Or download the complete guide (PDF) and supplemental files (zip).

Read the two-page fact sheet for a brief overview of this project.

If you have questions or suggestions, please email us at piv-nccoe@nist.gov. To receive announcements about additional milestones, sign up for our email alerts.

Summary

In 2005, Personal Identity Verification (PIV) credentialing focused on authentication through traditional computing devices, such as desktops and laptops, where a PIV card would provide a common authentication through integrated smart card readers. Today, the proliferation of mobile devices that do not have integrated smart card readers complicates PIV credentials and authentication.

Derived Personal Identity Verification (PIV) Credentials will help organizations authenticate individuals who use mobile devices and need secure access to information systems and applications.

The goal of the building block effort is to demonstrate a feasible security platform based on federal PIV standards that leverages identity proofing and vetting results of current and valid PIV credentials to enable two-factor authentication to information technology systems via mobile devices while meeting policy guidelines. Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity and supports operations in federal (PIV), non-federal critical infrastructure (PIV-interoperable or PIV-I), and general business (PIV-compatible or PIV-C) environments.

The NCCoE reference design includes the following capabilities:

  • authenticate users of mobile devices using secure cryptographic authentication exchanges
  • provide a feasible security platform based on Federal Digital Identity Guidelines
  • utilize a public key infrastructure (PKI) with credentials derived from a PIV card
  • support operations in a PIV, PIV-Interoperable (PIV-I), and PIV-Compatible (PIV-C) environments
  • issue PKI-based derived PIV credentials at levels of assurance (LoA) 3
  • provide logical access to remote resources hosted either in a data center or the cloud

 

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Entrust Datacard logo
Mobile Iron logo