Derived PIV Credentials

Download the Practice Guide

The NCCoE has released the final version of NIST Cybersecurity Practice Guide SP 1800-12, Derived PIV Credentials. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »

Current Status

The NCCoE released a final version of the NIST Cybersecurity Practice Guide SP 1800-12 Derived Personal Identity Verification (PIV) Credentials on August 27, 2019. 

For ease of use, the guide is available in volumes:

  • SP 1800-12a: Executive Summary (PDF) (web page)
  • SP 1800-12b: Approach, Architecture, and Security Characteristics (PDF) (web page)
  • SP 1800-12c: How-To Guides (PDF) (web page)

Or download the complete guide (PDF) (web page).

Read the two-page fact sheet for a brief overview of this project.

If you have questions or suggestions, please email us at


In 2005, Personal Identity Verification (PIV) credentialing focused on authentication through traditional computing devices, such as desktops and laptops, where a PIV card would provide a common authentication through integrated smart card readers. Today, the proliferation of mobile devices that do not have integrated smart card readers complicates PIV credentials and authentication.

Derived Personal Identity Verification (PIV) Credentials helps organizations authenticate individuals who use mobile devices and need secure access to information systems and applications.

The project demonstrates a feasible security platform based on federal PIV standards that leverages identity proofing and vetting results of current and valid PIV credentials to enable two-factor authentication to information technology systems via mobile devices while meeting policy guidelines. Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity and supports operations in federal (PIV), non-federal critical infrastructure (PIV-interoperable or PIV-I), and general business (PIV-compatible or PIV-C) environments.

The NCCoE reference design includes the following capabilities:

  • authenticate users of mobile devices using secure cryptographic authentication exchanges
  • provide a feasible security platform based on Federal Digital Identity Guidelines
  • utilize a public key infrastructure (PKI) with credentials derived from a PIV card
  • support operations in a PIV, PIV-Interoperable (PIV-I), and PIV-Compatible (PIV-C) environments
  • Issue PKI-based derived PIV credentials at authenticator assurance level (AAL) 2

  • provide logical access to remote resources hosted either in a data center or the cloud


Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Verizon logo