About PIV and FIPS 201

FIPS 201 defines smart cards as the devices to be used to provide the appropriate security and rapid electronic authentication required by HSPD-12. FIPS 201-compliant smart cards contain multiple electronic credentials, including cryptographic keys, digital certificates, biometric templates, and other data. There are two parts to FIPS 201: PIV1 and PIV2.

  • PIV1 describes the minimum requirements for a system that meets the specified control and security objectives, including the identity proofing process.

  • PIV2 provides detailed technical specifications to support the control and security objectives in PIV1 and the details for technical interoperability of PIV cards with authentication, access control and management systems across the U.S. Federal Government.

The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in the National Institute of Standards and Technology (NIST) publication SP 800-73. Credentials issued for HSPD-12 must be:

  • Issued based on sound criteria for verifying an individual’s identity.

  • Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.

  • Rapidly authenticated electronically.

  • Issued only by providers whose reliability has been established by an official process.

In response to HSPD-12, standards organizations, including the Interagency Advisory Board (IAB) for Equipment Standardization and Interoperability and the National Institute of Standards and Technology (NIST), have defined the processes and specifications necessary to satisfy the security and interoperability requirements.

About Standard Revision SP 800-73-4

In 2013, the National Institute of Standards and Technology (NIST) published FIPS 201-2, an update to the FIPS 201 standard.

This standard has been further refined by a number of Special Publications such as SP 800-73-4, released in 2015.

By default, ActivID CMS is configured to issue PIV cards that are compliant with all mandatory requirements of FIPS 201-2 and SP 800-73-4.

Specifically, the card UUID is now included, in addition to the FASC-N, in the Card Holder Unique Identifier (CHUID) and in the subject alternative name extension of the PIV Authentication and Card Authentication certificates.

Note: Future versions of ActivID CMS will add support for the new optional capabilities of SP 800-73-4, such as a secure contactless interface using OPACITY and on-card biometric comparison.
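The following is an added example, not code from ActivID CMS or this guide: a Python check that an issued card's CHUID carries the elements FIPS 201-2 makes mandatory, in particular a real card UUID (GUID) rather than the all-zero value found on older cards. Tag values follow SP 800-73-4 Part 1; the sample CHUID, its FASC-N bytes and its signature are constructed placeholders, and the permitted UUID versions (1, 4 and 5) are this example's reading of the standard.

```python
import uuid

# CHUID data-element tags from SP 800-73-4 Part 1 (simple BER-TLV inside the CHUID container)
TAG_FASC_N, TAG_GUID, TAG_EXPIRATION = 0x30, 0x34, 0x35
TAG_SIGNATURE, TAG_EDC = 0x3E, 0xFE

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER-TLV element; lengths >= 0x80 use the 0x81/0x82 long form."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def parse_tlv(data: bytes) -> dict:
    """Parse a flat BER-TLV sequence into {tag: value}."""
    out, i = {}, 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long form: low bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out[tag], i = data[i:i + length], i + length
    return out

def check_chuid(chuid: bytes) -> list:
    """Return findings; an empty list means the mandatory FIPS 201-2 elements look right."""
    el, findings = parse_tlv(chuid), []
    if len(el.get(TAG_FASC_N, b"")) != 25:
        findings.append("FASC-N missing or not 25 bytes")
    guid = el.get(TAG_GUID)
    if guid is None or len(guid) != 16:
        findings.append("card UUID (GUID) missing or not 16 bytes")
    elif guid == bytes(16):
        findings.append("card UUID is all zeros: pre-201-2 card, not a real UUID")
    else:
        u = uuid.UUID(bytes=guid)
        if u.variant != uuid.RFC_4122 or u.version not in (1, 4, 5):  # assumed permitted versions
            findings.append("card UUID is not an RFC 4122 UUID of version 1, 4 or 5")
    exp = el.get(TAG_EXPIRATION, b"")
    if len(exp) != 8 or not exp.isdigit():
        findings.append("expiration date missing or not YYYYMMDD")
    for tag, name in ((TAG_SIGNATURE, "issuer asymmetric signature"), (TAG_EDC, "error detection code")):
        if tag not in el:
            findings.append(f"{name} element missing")
    return findings

def build_chuid(guid: bytes) -> bytes:
    """Assemble a constructed CHUID (not real card data) around the given GUID bytes."""
    return (tlv(TAG_FASC_N, bytes(range(25))) + tlv(TAG_GUID, guid) + tlv(TAG_EXPIRATION, b"20301231")
            + tlv(TAG_SIGNATURE, b"\x00" * 200) + tlv(TAG_EDC, b""))  # placeholder FASC-N and signature
```

Run `check_chuid` over a CHUID read from a card's CHUID container; a non-empty list flags a card that was issued under an older revision or personalized incorrectly.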

To issue FIPS 201-2-compliant cards, you must:

  • Make sure you are using one of the supported card types.

  • Install the new device profiles and create new device policies using the correct card profile (SP 800-73-3 compliant).

  • Upgrade the Card Personalization Request used, using the new CPR 2.1.8 schema.

  • Make sure that within the PIVEnrollment.properties configuration, Standard Revision is set to 800-73-3 (StandardRevision=800-73-3).

  • Change the policy from the default “PIV” to “PIV-201-2” in the %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\PIVEnrollment.properties file.

  • Update the PIV CPR request XML file by changing the policy from “PIV” to “PIV-201-2”.

It is strongly recommended that you use the CPR 2.1.8 schema to issue PIV cards, in compliance with SP 800-73-3. This guide assumes that your system will be configured to comply with this new revision. However, ActivID CMS will continue to issue cards with a system configured using previous CPRs (e.g., in compliance with SP 800-73-1) until the CPR schema has been upgraded.

About PIV-Interoperable Cards

To support PIV for Non-Federal Issuers (also known as the PIV-Interoperable or PIV-I standard), ActivID CMS enables the issuance of cards in either a PIV-compliant mode or a PIV-I-compliant mode.

To issue PIV-I-compliant cards, the cards must be:

  • Technically interoperable with Federal government PIV systems, and

  • Issued in a way that allows Federal government relying parties to trust the cards.

To issue PIV-I cards in ActivID CMS, you must perform additional steps. For more details on these additional steps, see Issue PIV-I Compliant Cards.

About CIV Cards

ActivID CMS also supports the issuance of Commercial Identity Verification (CIV) cards. These cards follow the same technical specifications, but do not provide any trust relationship with the US Government and its partners, which rely on PIV and PIV-I cards for that purpose.

CIV cards apply those specifications more loosely, giving organizations worldwide more flexibility while remaining compatible with the large number of PIV-compatible applications.

This section provides instructions on how to configure ActivID CMS to issue CIV cards.