Read the Latest Draft Cybersecurity Practice Guide: Derived Personal Identify Verification (PIV) Credentials

We are excited to announce release of the second draft of National Institute of Standards and Technology (NIST)  Special Publication 1800-12: Derived Personal Identity Verification (PIV) Credentials. This latest draft incorporates comments on the previous draft NIST Cybersecurity Practice Guide and expands the scope to include issuing Derived PIV Credentials (DPC) to manage mobile devices using Identity, Credentials, and Access Management (ICAM) shared services.

The National Cybersecurity Center of Excellence (NCCoE), together with several technology vendors, has developed cybersecurity guidance that demonstrates how federal agencies can use standards-based, commercially available cybersecurity technologies to establish multifactor authentication that meets today's PIV standards for information systems and websites accessed by mobile devices that lack PIV Card readers. These example implementations are documented in a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system that pushes an authentication credential into an agency-provided mobile device leveraging existing PIV systems that are already compliant with security policies.

The second draft's reference architectures use an enterprise Credential Management System to issue credentials to a software container and hardware container to provide a convenient and secure means to authenticate a user's identity.

We look forward to receiving your comments on this draft guide regarding the approach, the architectures, and possible alternatives.

Stay informed about updates, send us an email at piv-nccoe@nist.gov.