NIST SPECIAL PUBLICATION 1800-12
Derived Personal Identity Verification (PIV) Credentials
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
William Newhouse
National Cybersecurity Center of Excellence
Information Technology Laboratory

Michael Bartock
Jeffrey Cichonski
Hildegard Ferraiolo
Murugiah Souppaya
National Institute of Standards and Technology
Information Technology Laboratory

Christopher Brown
Spike E. Dog
Susan Prince
Julian Sexton
The MITRE Corporation
McLean, VA

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-12
Previous drafts of this publication are available free of charge from https://www.nccoe.nist.gov/library/derived-piv-credentials-nist-sp-1800-12-practice-guide

August 2019
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter G. Copan, NIST Director and Undersecretary of Commerce for Standards and Technology
- Volume B
- 1. Summary
- 2. How to Use This Guide
- 3. Approach
- 4. Architecture
- 5. Security Characteristic Analysis
- 5.1. Assumptions and Limitations
- 5.2. Build Testing
- 5.3. Scenarios and Findings
- 5.3.1. PR.AC-1: Identities and Credentials Are Issued, Managed, Verified, Revoked, and Audited for Authorized Devices, Users, and Processes
- 5.3.2. PR.AC-3: Remote Access Is Managed
- 5.3.3. PR.AC-6: Identities Are Proofed and Bound to Credentials and Asserted in Interactions
- 5.3.4. PR.AC-7: Users, Devices, and Other Assets Are Authenticated (e.g., Single-Factor, Multifactor) Commensurate with the Risk of the Transaction (e.g., Individuals’ Security and Privacy Risks and Other Organizational Risks)
- 5.3.5. PR.DS-2: Data in Transit Is Protected
- 5.3.6. PR.DS-5: Protections Against Data Leaks Are Implemented
- 5.3.7. PR.IP-3: Configuration Change Control Processes Are in Place
- 5.4. Authenticator AAL Mapping
- 6. Future Build Considerations
- Volume C
- 1. Introduction
- 2. Product Installation Guides
- 2.1. Managed Service Architecture with Enterprise Mobility Management (EMM) Integration
- 2.2. Hybrid Architecture for PIV and DPC Life-Cycle Management
- 2.2.1. Intercede MyID CMS
- 2.2.2. Intercede MyID Identity Agent
- 2.2.3. Intercede Desktop Client
- 2.2.4. Intercede Self-Service Kiosk
- 2.2.5. Windows Client Installation for MyID and Intel Authenticate
- 2.2.6. Intel Authenticate GPO
- 2.2.7. Intel Virtual Smart Card (VSC) Configuration
- 2.2.8. DPC Life-Cycle Workflows