The U.S. Secretary of Commerce has approved the publication of FIPS 201-3, the National Institute of Standards and Technology's (NIST) latest revision of “Personal Identity Verification (PIV) of Federal Employees and Contractors.”
NIST released the updated Federal Information Processing Standards (FIPS) 201-3 on January 24, 2022, and provided an executive overview of the publication:
“This document establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12. It is based on secure and reliable forms of identity credentials issued by the Federal Government to its employees and contractors. These credentials are used by mechanisms that authenticate individuals who require access to federally controlled facilities, information systems, and applications. This Standard addresses requirements for initial identity proofing, infrastructure to support interoperability of identity credentials, and accreditation of organizations and processes issuing PIV credentials.”
As revealed in the NIST press release, high-level changes in FIPS 201-3 include:
- Alignment with current NIST technical guidelines on identity management, OMB policy guidelines, and changes in commercially available technologies and services.
- Accommodation of additional types of authenticators through an expanded definition of derived PIV credentials.
- Focus on the use of federation to facilitate interoperability and interagency trust.
- Addition of supervised remote identity proofing processes.
- Removal of the previously deprecated Cardholder Unique Identifier (CHUID) authentication mechanism and deprecation of the symmetric card authentication key and visual authentication mechanisms (VIS).
- Support for the secure messaging authentication mechanism (SM-AUTH).
Readers can also download the full PDF version of FIPS 201-3.