Note to Reviewers

The family of PIV credentials includes a variety of form factors and authenticator types – as envisioned in OMB Memoranda M-19-22 and M-22-09 and subsequently outlined in FIPS 201-3. The cross-domain and interagency use of these credentials is provided by federation protocols outlined in this public draft SP 800-217 Guidelines for PIV Federation. The companion document, SP 800-157r1 Guidelines for Derived PIV Credentials, details the authenticators themselves. Both documents are closely aligned with draft release SP 800-63-4 Digital Identity Guidelines. NIST hopes that the draft document enable a close alignment with new and emerging digital identity and federation technologies employed in the federal government, while maintaining a strong security posture.

NIST is specifically interested in comments on and recommendations for the following topics:

Home Agency Attributes:

Are additional attributes needed in the guidelines to achieve interagency or cross-domain interoperability?
Are additional attributes required for RP provisioning and access?

PIV Federation:

Are additional process steps or mechanism needed for the connection and communication between home-IdP-to PIV identity account?
Do the required parameters for establishing trust agreements fit the use cases for PIV RPs?
Are the required identity attributes sufficient for PIV use cases?
Are the federated subject identifier requirements sufficient for PIV use cases?
Is it clear how to apply the binding ceremony for RP-managed bound authenticators at FAL3 to PIV and non-PIV authenticators?

Reviewers are encouraged to comment on all or part of both SP 800-157r1 and SP 800-217. NIST requests that all comments be submitted by 11:59pm Eastern Time on March 24, 2023. Please submit your comments to piv_comments@nist.gov. NIST will review all comments and make them available at the NIST Computer Security Resource Center website. Commenters are encouraged to use the comment template provided with the document announcement.