atsec information security

PIV and PIVTL frequently asked questions

What is the GSA FIPS 201 Evaluation Program?
The GSA FIPS 201 Evaluation Program (EP) facilitates the evaluation of FIPS 201 related products/services and maintains the FIPS 201 EP Approved Products List. In addition, the GSA FIPS 201 Evaluation Program approves laboratories to perform FIPS 201 testing in all twenty-four GSA FIPS 201 product/service categories.

What is the FIPS 201 Evaluation Approved Products List?
The FIPS 201 Evaluation Approved Products List is maintained by GSA and lists all federally approved products/services for implementing Homeland Security Presidential Directive 12 (HSPD-12). The OMB requires that agencies purchase approved products/services from the FIPS 201 Evaluation Approved Products List for implementation of HSPD-12. For more information see http://fips201ep.cio.gov/apl.php.

What is HSPD-12?
Homeland Security Presidential Directive 12, dated August 27, 2004, "Policy for a Common Identification Standard for Federal Employees and Contractors" establishes requirements for a mandatory government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors. FIPS 201 (with its supporting documents) is the mandatory standard that addresses the mandate.

What is FIPS 201?
Federal Information Processing Standards Publication 201: Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS 201) was implemented in 2005 in response to HSPD-12. The standard specifies the architectural and technical requirements of a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems. For the latest version of FIPS 201, see http://csrc.nist.gov/groups/SNS/piv/standards.html.

What is the NIST PIV Program?
The NIST Personal Identity Verification Program (NPIVP) accredits National Voluntary Laboratory Accreditation Program (NVLAP) labs to perform PIV card application and PIV middleware testing. Vendors needing to validate PIV card applications and/or PIV middleware may select any NPIVP test facility (also known as a PIVTL). See http://csrc.nist.gov/groups/SNS/piv/npivp/index.html.

What is the difference between a NIST Personal Identity Verification Test Laboratory (PIVTL) and an approved GSA FIPS 201 Evaluation Program (EP) test laboratory?
NIST PIVTLs are third-party laboratories accredited by the National Voluntary Laboratory Accreditation Program's (NVLAP) Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) to conduct PIV card application and PIV middleware test methods under the NIST Personal Identity Verification Program (NPIVP). All approved GSA FIPS 201 Evaluation Program test laboratories are NIST PIVTLs that have undergone a separate, additional qualification process administered by GSA. Approved GSA FIPS 201 EP laboratories are qualified to perform evaluation and testing activities pertaining to all twenty-four FIPS 201 product/service categories, in addition to the PIV card application and PIV middleware testing performed by PIVTLs.

What are the defined GSA FIPS 201 product/service categories?

The GSA FIPS 201 EP has defined the following twenty-four product/service categories based on the FIPS 201:

Products

  • Card Printer Station
  • Cryptographic Module
  • Electromagnetically Opaque Sleeve
  • Electronic Personalization
  • Facial Image Capturing Camera
  • Facial Image Capturing (Middleware)
  • Fingerprint Capture Station
  • Single Fingerprint Capture Device
  • OCSP Responder
  • PIV Card
  • PIV Card Reader - Authentication Key
  • PIV Card Reader - Biometric
  • PIV Card Reader - Biometric Authentication
  • PIV Card Reader - CHUID Authentication (Contact)
  • PIV Card Reader - CHUID Authentication (Contactless)
  • PIV Card Reader - CHUID (Contact)
  • PIV Card Reader - CHUID (Contactless)
  • PIV Card Reader - Transparent
  • PIV Middleware
  • Template Generator
  • Template Matcher

Services

  • Electronic Personalization
  • Graphical Personalization
  • PIV Card Delivery

See the GSA FIPS 201 EP website (http://fips201ep.cio.gov) for more information.

What is PIV?
PIV stands for Personal Identity Verification. The NIST PIV Program (NPIVP) validates PIV components required by FIPS 201. Also see: What is FIPS 201?

What is the GSA FIPS 201 Evaluation Program Suppliers Handbook?
The Suppliers Handbook is the GSA FIPS 201 Evaluation Program - Suppliers Policies and Procedures Handbook, which must be followed by vendors intending to submit a PIV product or service for evaluation. In addition to the Suppliers Handbook, vendors must also refer to the associated GSA FIPS 201 Evaluation Program product/service approval procedures, which provide product/service-specific details and requirements. For more information see http://fips201ep.cio.gov.

What are GSA FIPS 201 Evaluation Program approval procedures?
The GSA FIPS 201 Evaluation Program mandates the use of product/service approval procedures by PIV Testing Laboratories (PIVTLs) for the evaluation and approval of all FIPS 201 products/services. Approval procedures contain all requirements for PIV/FIPS 201 products/services and their approval mechanisms. For more information see http://fips201ep.cio.gov.

How are PIV system components evaluated and approved?
PIV system components are evaluated by PIV Test Laboratories and approved through the GSA FIPS 201 Evaluation Program. In addition, the GSA FIPS 201 EP works closely with the NIST Personal Identity Verification Program (NPIVP) to evaluate and approve PIV middleware and PIV card applications. For more information, see the NPIVP website (http://csrc.nist.gov/groups/SNS/piv/npivp/index.html), and the GSA FIPS 201 EP website (http://fips201ep.cio.gov).

What is a PIVTL?
PIVTL stands for PIV Test Laboratory. The National Institute of Standards and Technology (NIST) has designated atsec information security corporation as a NIST Personal Identity Verification Program test facility.

What does the Test Lab do?
An accredited PIV Test Laboratory conducts PIV testing and has the following responsibilities:

  1. Prepare and provide the test application forms and the documentation
  2. Receive and configure the PIV software component to be tested
  3. Conduct the test with a testing toolkit
  4. Review the test results and report failures
  5. Inspect the vendor documentation
  6. Communicate the results.

Additionally, PIV Test Laboratories that satisfy additional qualification requirements are eligible to become approved GSA FIPS 201 Evaluation Program (EP) qualified laboratories. Approved GSA FIPS 201 EP laboratories are qualified to perform evaluation and testing activities pertaining to all twenty-four FIPS 201 product/service categories. For more information, see What are the PIV/FIPS 201 product/service categories? and the GSA FIPS 201 EP website (http://fips201ep.cio.gov).

What is conformance testing?
Conformance testing is the verification of PIV product/service conformance to FIPS 201 and associated standards. Conformance testing verifies that PIV middleware and card applications perform as specified in NIST SP 800-85A, "PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 compliance)". Conformance testing documents for additional PIV products or services are outlined in the GSA FIPS 201 Evaluation Program Approval Procedures for each product or service. For more information, see What are the PIV/FIPS 201 product/service categories? and the GSA FIPS 201 EP website (http://fips201ep.cio.gov).

Must I also get a FIPS 140-2 certificate for my smart card?
Yes. All smart cards must be certified as compliant with FIPS 140-2 through the CMVP (Cryptographic Module Validation Program), in addition to being certified as compliant with PIV by the PIV Program.

What is PIV-I?
PIV-I specifies the minimum requirements for a Federal personal identification system to meet the control and security objectives of HSPD-12, including the personal identity proofing process.

What is PIV-II?
PIV-II provides detailed technical specifications of components and processes required for interoperability of PIV cards with the personal authentication, access control, and PIV card management systems across the Federal government. OMB plans to issue guidance regarding department and agency development of transition plans to PIV-II.

What is Physical Access?
The PIV card can be used to authenticate the cardholder in a physical access control environment. For example, a Federal facility may have physical entry doors that have human guards at checkpoints, or may have electronic access control points.

What is Logical Access?
The PIV card may be used to authenticate the cardholder in support of decisions concerning access to logical information resources.

Who defined PIV?
PIV was defined by NIST, the National Institute of Standards and Technology, an agency of the U.S. Commerce Department's Technology Administration (see http://www.nist.gov/).

What defines PIV?
PIV is defined in the FIPS 201 document, "Personal Identity Verification (PIV) of Federal Employees and Contractors", issued by NIST.

How is PIV used?
In operation, a PIV system consists of three functional components:

  • PIV Front-End Subsystem—PIV card, card and biometric readers, and personal identification number (PIN) input device. The PIV cardholder interacts with these components to gain physical or logical access to the desired Federal resource.
  • PIV Card Issuance and Management Subsystem—the components responsible for identity proofing and registration, card and key issuance and management, and the various repositories and services (e.g., public key infrastructure [PKI] directory, certificate status servers) required as part of the verification infrastructure.
  • Access Control Subsystem—the physical and logical access control systems, the protected resources, and the authorization data.

What is on the PIV card?
A PIV card must contain four mandatory data elements:

  1. A PIN - Personal Identification Number
  2. A CHUID - Card Holder Unique ID
  3. PIV authentication data (one asymmetric key pair and corresponding certificate)
  4. Two biometric fingerprints

A PIV card may also contain:

  1. An asymmetric key pair and corresponding certificate for digital signatures
  2. An asymmetric key pair and corresponding certificate for key management
  3. Asymmetric or symmetric card authentication keys for supporting additional physical access applications
  4. Symmetric key(s) associated with the card management system.

What does a PIV card look like?
A sample card front layout is shown below.

How is a PIV card authenticated?
There are four techniques:

  1. Using PIV Visual Credentials
  2. Using the PIV CHUID
  3. Using PIV Biometric (unattended or attended)
  4. Using PIV Asymmetric Cryptography (PKI)

How is PIV implemented?
There are two main PIV card components:

1. PIV middleware

  • implements the commands in the PIV Client API
  • interfaces with the card-resident PIV card application by generating commands (APDUs) in the PIV card command interface

2. PIV card application

  • implements the PIV application card command interface
  • accesses and modifies the content of PIV data objects
  • facilitates realization of PIV authentication use cases
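
As an added example (not code from the atsec FAQ, NIST or GSA), the following shows the middleware side of the card command interface described above for one of the mandatory card elements, the CHUID: building the SELECT and GET DATA APDUs, parsing the BER-TLV response, and applying the expiration check that the "Using the PIV CHUID" authentication technique requires. The application identifier, instruction bytes, CHUID object identifier and element tags are as I recall them from NIST SP 800-73 and should be treated as assumptions to verify against the current edition; the card response is constructed for the example, not captured from a real card.

```python
"""Added example: PIV middleware building APDUs and parsing a CHUID.
All byte values below are assumptions taken from my reading of NIST SP 800-73;
check them against the current edition before relying on them."""
from datetime import date

# PIV card application AID (assumed, per SP 800-73).
PIV_AID = bytes.fromhex("A000000308000010000100")
# Object identifier of the CHUID in a GET DATA tag list (assumed).
CHUID_OBJECT_ID = bytes.fromhex("5FC102")
# BER-TLV tags inside the CHUID data object (assumed, per SP 800-73 data model).
TAG_CHUID_WRAPPER = 0x53
TAG_FASC_N = 0x30
TAG_GUID = 0x34
TAG_EXPIRATION = 0x35
TAG_ISSUER_SIGNATURE = 0x3E
TAG_ERROR_DETECTION = 0xFE


def select_piv_apdu() -> bytes:
    """SELECT by name (CLA 00, INS A4, P1 04, P2 00) the PIV card application."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID


def get_data_chuid_apdu() -> bytes:
    """GET DATA (INS CB, P1P2 3FFF) with a 5C tag list naming the CHUID, Le=00."""
    tag_list = bytes([0x5C, len(CHUID_OBJECT_ID)]) + CHUID_OBJECT_ID
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(tag_list)]) + tag_list + b"\x00"


def _encode_length(n: int) -> bytes:
    """BER definite length: one byte below 0x80, else 0x81/0x82 prefixed."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82, n >> 8, n & 0xFF])


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(value)) + value


def parse_tlv(buf: bytes) -> list:
    """Parse a flat run of BER-TLV elements into (tag, value) pairs.
    Supports multi-byte tags (e.g. 5F C1 02) and 1-3 byte lengths, and raises
    ValueError on truncation rather than reading past the end of the buffer."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if tag & 0x1F == 0x1F:  # subsequent tag bytes follow while bit 8 is set
            while True:
                if i >= len(buf):
                    raise ValueError("truncated tag")
                b = buf[i]; i += 1
                tag = (tag << 8) | b
                if not b & 0x80:
                    break
        if i >= len(buf):
            raise ValueError("missing length")
        first = buf[i]; i += 1
        if first < 0x80:
            length = first
        else:
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 2 or i + nbytes > len(buf):
                raise ValueError("bad BER length")
            length = int.from_bytes(buf[i:i + nbytes], "big"); i += nbytes
        if i + length > len(buf):
            raise ValueError("truncated TLV value")
        out.append((tag, buf[i:i + length])); i += length
    return out


def parse_chuid(response: bytes) -> dict:
    """Unwrap the 0x53 container and return the CHUID elements used for authentication."""
    outer = dict(parse_tlv(response))
    if TAG_CHUID_WRAPPER not in outer:
        raise ValueError("no CHUID container in response")
    fields = dict(parse_tlv(outer[TAG_CHUID_WRAPPER]))
    for tag in (TAG_FASC_N, TAG_EXPIRATION, TAG_ISSUER_SIGNATURE):
        if tag not in fields:
            raise ValueError(f"mandatory CHUID element {tag:#04x} missing")
    exp = fields[TAG_EXPIRATION].decode("ascii")  # YYYYMMDD
    return {
        "fasc_n": fields[TAG_FASC_N],
        "guid": fields.get(TAG_GUID),
        "expiration": date(int(exp[:4]), int(exp[4:6]), int(exp[6:8])),
        "signature": fields[TAG_ISSUER_SIGNATURE],  # presence only; not verified here
    }


def chuid_is_expired(chuid: dict, today_iso: str) -> bool:
    """The expiration check a CHUID-based access decision must apply."""
    return date.fromisoformat(today_iso) > chuid["expiration"]


def sample_chuid_response() -> bytes:
    """Constructed CHUID response; every value is made up for the example."""
    body = (_tlv(TAG_FASC_N, bytes(range(25)))              # 25-byte FASC-N placeholder
            + _tlv(TAG_GUID, bytes(16))                      # 16-byte GUID placeholder
            + _tlv(TAG_EXPIRATION, b"20301231")
            + _tlv(TAG_ISSUER_SIGNATURE, b"\x30\x82" + bytes(202))  # CMS blob stand-in
            + _tlv(TAG_ERROR_DETECTION, b""))
    return _tlv(TAG_CHUID_WRAPPER, body)


if __name__ == "__main__":
    print("SELECT  :", select_piv_apdu().hex())
    print("GET DATA:", get_data_chuid_apdu().hex())
    chuid = parse_chuid(sample_chuid_response())
    print("expires :", chuid["expiration"], "expired today?", chuid_is_expired(chuid, date.today().isoformat()))
```

The parser refuses to read past a short buffer instead of returning partial data, which is the failure mode a damaged or malformed card object would otherwise trigger in middleware. The example stops at checking that the issuer signature element is present; real middleware must verify that CMS signature over the CHUID against a trusted issuer certificate and check the certificate's status before the CHUID is trusted for an access decision.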

Where can I get more information?
At the NIST PIV web page: http://csrc.nist.gov/piv-program/index.html
and the GSA FIPS 201 EP web page: http://fips201ep.cio.gov.
