About PIV and FIPS 201
FIPS 201 defines smart cards as the devices to be used to provide the appropriate security and rapid electronic authentication required by HSPD-12. FIPS 201-compliant smart cards contain multiple electronic credentials, including cryptographic keys, digital certificates, biometric templates, and other data. There are two parts to FIPS 201: PIV1 and PIV2.
- PIV1 describes the minimum requirements for a system that meets the specified control and security objectives, including the identity proofing process.
- PIV2 provides detailed technical specifications to support the control and security objectives in PIV1 and the details for technical interoperability of PIV cards with authentication, access control and management systems across the U.S. Federal Government.
The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-73. Credentials issued for HSPD-12 must be:
- Issued based on sound criteria for verifying an individual’s identity.
- Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
- Rapidly authenticated electronically.
- Issued only by providers whose reliability has been established by an official process.
In response to HSPD-12, standards organizations (including the Interagency Advisory Board (IAB) for Equipment Standardization and Interoperability, and the National Institute of Standards and Technology (NIST)) have defined the processes and specifications necessary to satisfy the security and interoperability requirements.
About Standard Updates
In 2013, NIST published FIPS 201-2, an update to the FIPS 201 standard.
This standard has been further refined by a number of Special Publications such as SP 800-73-4, released in 2015.
By default, ActivID CMS is configured to issue PIV (Personal Identity Verification, the technical standard behind HSPD-12) cards that comply with all mandatory requirements of FIPS 201-2 and SP 800-73-4.
Specifically, the card UUID is now included, in addition to the FASC-N, in the CHUID (Card Holder Unique Identifier) and in the subject alternative name extension of the PIV Authentication and Card Authentication certificates.
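The CHUID requirement above can be verified on an issued card. The following is an added example, not ActivID CMS code: it builds a CHUID in the SP 800-73 BER-TLV layout (tag 0x53 wrapping FASC-N 0x30, GUID 0x34, expiration date 0x35, signature 0x3E and error detection code 0xFE) from constructed field values, then parses it back and checks that a non-zero RFC 4122 UUID sits beside a well-formed FASC-N. The san_uri it returns is the urn:uuid form of the card UUID as carried in the certificate subject alternative name. All field values, the sample UUID and the empty signature are constructed; reading the CHUID from a card with GET DATA and verifying the CMS signature in 0x3E against the issuer's content signing certificate are outside this example.

```python
"""Build/parse a PIV CHUID (SP 800-73 BER-TLV) and check it carries both a FASC-N and an RFC 4122
UUID in the GUID element, as FIPS 201-2 requires. Added example, not ActivID CMS code."""
import datetime
import uuid

# A FASC-N is 40 five-bit characters: 4 BCD data bits sent LSB first, then an odd-parity bit.
SS, FS, ES = 0b11010, 0b10110, 0b11111   # start sentinel, field separator, end sentinel
CHUID, FASCN, GUID, EXPIRY, SIG, EDC = 0x53, 0x30, 0x34, 0x35, 0x3E, 0xFE   # CHUID tags

def _with_parity(nibble: int) -> int:   # append the bit that gives the character an odd number of 1s
    return (nibble << 1) | ((bin(nibble).count("1") + 1) % 2)

def _lrc(codes) -> int:   # longitudinal redundancy check: XOR of data nibbles SS..ES, plus parity
    x = 0
    for c in codes:
        x ^= c >> 1
    return _with_parity(x)

def build_fascn(agency, system, credential, cs, ici, pi, oc, oi, poa) -> bytes:
    """Pack the nine FASC-N fields (decimal strings) into the 25-byte encoding."""
    def bcd5(ch):                                            # digit -> bit-reversed nibble + parity
        return _with_parity(int(f"{int(ch):04b}"[::-1], 2))
    codes = [SS]
    for field in (agency, system, credential, cs, ici):     # FS-terminated fields
        codes += [bcd5(ch) for ch in field] + [FS]
    for field in (pi, oc, oi, poa):                         # fixed-width tail, no separators
        codes += [bcd5(ch) for ch in field]
    codes.append(ES)
    codes.append(_lrc(codes))
    if len(codes) != 40:
        raise ValueError("FASC-N field widths are wrong")
    return int("".join(f"{c:05b}" for c in codes), 2).to_bytes(25, "big")

def parse_fascn(raw: bytes) -> dict:
    """Unpack a FASC-N, checking sentinels, per-character parity and the LRC."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = int.from_bytes(raw, "big")
    codes = [(bits >> (5 * (39 - i))) & 0x1F for i in range(40)]
    if codes[0] != SS or codes[38] != ES:
        raise ValueError("FASC-N sentinels missing")
    if any(bin(c).count("1") % 2 == 0 for c in codes):
        raise ValueError("FASC-N parity error")
    if codes[39] != _lrc(codes[:39]):
        raise ValueError("FASC-N LRC mismatch")
    d = "".join(str(int(f"{c >> 1:04b}"[::-1], 2)) for c in codes[1:38] if c != FS)
    if len(d) != 32:
        raise ValueError("unexpected FASC-N field layout")
    return {"agency_code": d[0:4], "system_code": d[4:8], "credential_number": d[8:14],
            "credential_series": d[14], "individual_credential_issue": d[15],
            "person_identifier": d[16:26], "organizational_category": d[26],
            "organizational_identifier": d[27:31], "person_org_association": d[31]}

def tlv(tag: int, value: bytes) -> bytes:
    """BER-TLV with a one-byte tag; short-form length below 0x80, else 0x81/0x82 long form."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def parse_tlvs(buf: bytes) -> dict:
    """Decode consecutive one-byte-tag BER-TLV elements into {tag: value}; rejects truncated values."""
    out, i = {}, 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n == 0x81:
            n, i = buf[i], i + 1
        elif n == 0x82:
            n, i = int.from_bytes(buf[i:i + 2], "big"), i + 2
        elif n >= 0x80:
            raise ValueError(f"unsupported length encoding 0x{n:02x}")
        if i + n > len(buf):
            raise ValueError(f"value of tag 0x{tag:02x} truncated")
        out[tag], i = buf[i:i + n], i + n
    return out

def build_chuid(fascn: bytes, card_uuid: uuid.UUID, expiry: str, signature: bytes = b"") -> bytes:
    """CHUID as returned by GET DATA: tag 0x53 wrapping FASC-N, GUID, expiry, signature and EDC."""
    body = (tlv(FASCN, fascn) + tlv(GUID, card_uuid.bytes) + tlv(EXPIRY, expiry.encode("ascii"))
            + tlv(SIG, signature) + tlv(EDC, b""))
    return tlv(CHUID, body)

def check_chuid(chuid: bytes) -> dict:
    """Structural FIPS 201-2 check: valid FASC-N plus a real (non-zero, RFC 4122) card UUID."""
    outer = parse_tlvs(chuid)
    if CHUID not in outer:
        raise ValueError("no CHUID data object (tag 0x53)")
    f = parse_tlvs(outer[CHUID])
    for tag in (FASCN, GUID, EXPIRY, SIG):
        if tag not in f:
            raise ValueError(f"mandatory CHUID element 0x{tag:02x} missing")
    card_uuid = uuid.UUID(bytes=f[GUID])                     # raises ValueError unless 16 bytes
    if card_uuid.int == 0 or card_uuid.variant != uuid.RFC_4122:
        raise ValueError("GUID is not an RFC 4122 UUID (all-zero GUID = pre-FIPS 201-2 profile)")
    expiry = datetime.datetime.strptime(f[EXPIRY].decode("ascii"), "%Y%m%d").date()
    return {"fascn": parse_fascn(f[FASCN]), "uuid": str(card_uuid), "uuid_version": card_uuid.version,
            "san_uri": f"urn:uuid:{card_uuid}", "expiry": expiry.isoformat()}

# Constructed sample, not a real card; the 0x3E signature is left empty (a real card carries a CMS signature).
SAMPLE_UUID = uuid.UUID("12345678-1234-4123-8123-123456789abc")
SAMPLE_FASCN = build_fascn("3201", "0031", "123456", "1", "1", "1234567890", "1", "1234", "1")
SAMPLE_CHUID = build_chuid(SAMPLE_FASCN, SAMPLE_UUID, "20301231")
```

check_chuid(SAMPLE_CHUID) returns the decoded FASC-N fields, the UUID, its version and the urn:uuid SAN form. A card issued under the older profile typically carries an all-zero GUID, which the check rejects, as it does a truncated CHUID or a FASC-N with a parity or LRC error. The parser handles the 0x82 long-form length that a real CHUID needs once the signature element is populated.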
To issue FIPS 201-2-compliant devices, you must:
- Make sure that you are using one of the supported card types.
- Install the new device profiles and create new card policies using the correct (SP 800-73-3 compliant) device profile.
- Upgrade the Card Personalization Request (CPR) that you use to the new CPR 2.1.8 schema.
- Make sure that, in the PIVEnrollment.properties configuration, Standard Revision is set to 800-73-3 (StandardRevision=800-73-3).
- Change the policy from the default “PIV” to “PIV-201-2” in the %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\PIVEnrollment.properties file.
- Update the PIV CPR request XML file by changing the policy from “PIV” to “PIV-201-2”.
It is recommended that you use the CPR 2.1.8 schema to issue PIV cards that comply with SP 800-73-3. This guide assumes that your system will be configured to comply with this revision. However, until the CPR schema has been upgraded, ActivID CMS will continue to issue cards in compliance with SP 800-73-1 on a system configured with previous CPRs.