NIST SP 800-157r1 Initial Public Draft

Call for Comments on Initial Public Draft of SP 800-157r1

NIST requests comments on the draft first revision of Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. This publication complements FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors. The draft guidelines in SP 800-157r1 address the issuance and maintenance of authenticators used as derived PIV credentials.

NIST requests that all comments be submitted by 11:59pm Eastern Time on April 21, 2023. Please submit your comments to piv_comments@nist.gov. See the Note to Reviewers section below for specific topics about which NIST is seeking your feedback. NIST will review all comments and make them available at the NIST Computer Security Resource Center website. Commenters are encouraged to use the comment template provided with the document announcement.

Available Online

Draft NIST Special Publication 800-157r1 Guidelines for Derived Personal Identity Verification (PIV) Credentials

A PDF version of this document is available on the NIST Computer Security Resource Center.

Note to Reviewers

Draft NIST SP 800-157r1 Guidelines for Derived Personal Identity Verification (PIV) Credentials expands the use of derived PIV credentials beyond mobile devices to include non-PKI-based phishing resistant multi-factor credentials. The draft details the expanded set of derived PIV credentials in a variety of form factors and authenticator types as envisioned in OMB Memoranda M-19-22, M-22-09, and subsequently outlined in FIPS 201-3. The cross-domain and interagency use of these credentials is provided by federation protocols outlined in public draft SP 800-217 Guidelines for PIV Federation. Both documents are closely aligned with draft release SP 800-63-4 Digital Identity Guidelines. NIST hopes that the draft document enables a close alignment with new and emerging digital authentication and federation technologies employed in the federal government, while maintaining a strong security posture.

NIST is specifically interested in comments on and recommendations for the following topics:

  1. Are the new controls for issuance, use, maintenance, and termination of non-PKI-based derived PIV credentials clear and practical to implement?

  2. Are phishing-resistant authenticators available to meet agency use cases as well as the requirements for derived PIV authentication?

  3. Are the new controls sufficient to provide comparable assurance to PIV Cards and other derived PIV credentials?

NOTE: All comments and responses are subject to release under the Freedom of Information Act (FOIA). A call for patent claims is included on page ii of each draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy — Inclusion of Patents in ITL Publications.