Derived Personal Identity Verification (PIV) Credentials

Volume A:

Executive Summary

William Newhouse

National Cybersecurity Center of Excellence

Information Technology Laboratory

Michael Bartock

Jeffrey Cichonski

Hildegard Ferraiolo

Murugiah Souppaya

National Cybersecurity Center of Excellence

Information Technology Laboratory

Christopher Brown

Spike E. Dog

Susan Prince

Julian Sexton

The MITRE Corporation

McLean, Virginia

August 2019


Executive Summary

  • Misuse of identity, especially through stolen passwords, is a primary source for cyber breaches. Enabling stronger processes to recognize a user’s identity is a key component to securing an organization’s information systems.
  • Access to federal information systems relies on strong authentication of the user with a Personal Identity Verification (PIV) Card. This “smart card” contains identifying information about the user that enables stronger authentication to federal facilities, information systems, and applications.
  • Today, access to information systems is increasingly from mobile phones, tablets, and some laptops that lack an integrated smart card reader found in older, stationary computing devices, forcing organizations to have separate authentication processes for these devices.
  • Derived PIV Credentials (DPCs) leverage identity proofing and vetting results of current and valid credentials used in PIV Cards for issuing credentials that are securely stored on devices without PIV Card readers.
  • The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore development of a security architecture that uses commercially available technology to manage the life cycle of DPCs.
  • This NIST Cybersecurity Practice Guide demonstrates how organizations can provide multifactor authentication for users to access PIV-enabled websites from mobile devices that lack PIV Card readers.


In accordance with Homeland Security Presidential Directive 12, the PIV standard was created to enhance national security by establishing a set of common authentication mechanisms that provide logical access to federal systems on PIV-Compatible (PIV-C) desktop and laptop computers. With the federal government’s increased reliance on mobile computing devices that cannot accommodate PIV Card readers, the mandate to use PIV has created the need to derive credentials for use in mobile devices in a manner that enforces the same security policies established for the life-cycle credentials in a PIV Card.

NIST has published guidance on DPCs, including a proof-of-concept research paper. Expanding upon this work, the NCCoE used common mobile devices available in the market today to demonstrate the use of DPCs in a manner that meets existing security policies. The flexibility of the technologies that support PIV, along with a growing understanding of the value of strong digital authentication practices, has resulted in an ecosystem of vendors able to provide digital authentication solutions with the capacity to adhere to the policies outlined in NIST guidance for DPCs. These mobile PIV standards-based credentials carry the designation of Derived PIV.

With experts from the federal sector and technology collaborators who provided the requisite equipment and services, we developed representative use-case scenarios to describe user authentication security challenges based on normal day-to-day business operations. The use cases include issuance, maintenance, and termination of the DPC.


The NCCoE has developed two DPC example solutions that demonstrate how DPCs can be added to mobile devices to enable multifactor authentication to information technology (IT) systems while meeting policy guidelines. The NCCoE DPC Project is aimed primarily at the federal sector. Private-sector organizations can leverage these solutions to extend identity proofing and vetting of a primary identity credential to credentials for mobile device users in the commercial sector who use smart-card-based credentials or other means of authenticating identity.

To that end, the example solutions are based on standards and best practices, and derive from a simple scenario that forms the basis of an architecture tailored to the public or private sector or both.

The NCCoE sought existing technologies that provided the following capabilities:

  • authenticate users of mobile devices by using secure cryptographic authentication exchanges
  • provide a feasible security platform based on Federal Digital Identity Guidelines
  • leverage a Public Key Infrastructure (PKI) using mobile devices provisioned with credentials derived from and managed like the credentials on a PIV Card
  • support operations in PIV, PIV-Interoperable, and PIV-C environments
  • provide logical access to remote resources hosted in either a data center or the cloud

While the NCCoE used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee compliance with any regulatory initiatives. Your organization’s information security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution.


The NCCoE’s practice guide to Derived Personal Identity Verification (PIV) Credentials can help your organization:

  • extend authentication measures reliably to devices without having to purchase external smart-card readers
  • allow users to access the information that they need, using the devices that they want to use
  • meet authentication standards requirements for protected websites and information across all devices, both traditional and mobile
  • manage the DPCs centrally through an Enterprise Mobility Management system, reducing integration efforts and associated costs
  • leverage the Federal PKI Shared Service Provider Program, enabling cost savings associated with a contractor-provided service


You can view or download the guide at If you adopt this solution for your own organization, please share your experience and advice with us. We recognize that technical solutions alone will not fully enable the benefits of our solution, so we encourage organizations to share lessons learned and best practices for transforming the processes associated with implementing this guide.

To provide comments or to learn more by arranging a demonstration of this example implementation, contact the NCCoE at


Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement (CRADA) to collaborate with NIST in a consortium to build these example solutions.

Technology partners/collaborators logos for Intel, Entrust Datacard, Intercede, MobileIron, and Verizon.

Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. Through this collaboration, the NCCoE develops modular, easily adaptable example cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology. | | 301-975-0200