Requirements for Issuing Derived PIV Credentials

In order to issue devices that use derived credentials, a specific configuration is required. The sections below outline the NIST recommendations concerning derived PIV credentials, as well as how to configure CMS so that users can issue devices with derived PIV credentials using the HID CMS Self-Service portal.

Important: Derived PIV credentials rely on CMS support for multiple devices per user. Enabling this feature may impact your licensing:
  • If you are using HID Credential Management System under HID's subscription model, the license grants access to multiple devices per user.

  • If you are using HID Credential Management System under HID's perpetual license model, you need the "Additional Devices" license in addition to the "Classic" or "Advanced" license.

Prerequisites: A user who wants to use a derived PIV credential must have a PIV card. It is up to the operator to issue the PIV card to the user.
Note: This section is related to derived PIV credentials based on NIST SP 800-157 R1.
Important: The HID CMS Self-Service portal is currently available as a Beta version and has limited functionality.

NIST Requirements for Derived PIV Credentials

  • It is up to users to issue their own derived PIV credentials.

  • To issue derived PIV credentials, users must be authenticated using their PIV card.

Note: To be compliant with NIST SP 800-157 R1, when an operator needs to terminate a user's PIV card, they must use the Terminate All Devices button. This automatically terminates any derived credentials associated with the PIV card.

CMS Configuration Requirements

  • Issue the primary PIV card (no specific configuration).

    Note: Operators can use the new Operator Portal (or the legacy one) to issue the primary PIV card.
  • Configure the policy used for primary devices to require strong authentication from the user. For more information, refer to Applying a Condition to a Device Policy in the ActivID CMS online documentation.

  • Assign that policy to the user group(s).

  • Ensure that within the same user group, there is only one policy matching the device type targeted for derived PIV credentials. For more information, refer to Managing User Groups and Configuring Group Assignments in the ActivID CMS online documentation.

Managing Derived PIV Credentials in CMS

Once the configuration described above is done, users can easily issue their derived PIV credentials. There is no restriction on the device type, but the device profile used for the derived credentials policy must be different from the PIV card device profile.

Issuing Derived PIV Credentials

To issue a device that uses a derived PIV credential, users must log on to the Self-Service portal using their PIV card; they can then click on the Add Device button and follow the steps to perform the issuance.

Declaring an Incident

Operators can declare an incident for a user device in the new Operator Portal.

Terminating a Derived PIV Credential

Operators can terminate a user's derived PIV credentials in the new Operator Portal. They can also recycle these devices.

Note: Depending on your device policy, the credentials of a device may be revoked after it is terminated. If you are using an encryption certificate that is shared with the PIV card, it will also be revoked on the PIV card. For more information, refer to Creating a Device Policy in the ActivID CMS online documentation.

Terminating All User Devices

When an operator needs to terminate a user's PIV card, they must use the Terminate All Devices button. This automatically terminates any derived credentials associated with the PIV card.
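The following Python model is an added illustration, not HID's code or the CMS API, of the two lifecycle rules in this document: terminating a PIV card must cascade to every credential derived from it, and a revoked encryption certificate shared with the card is lost on the card too. It also checks the group policy requirements above (one policy per device type, derived profile distinct from the PIV card profile). Device identifiers, profile names, policy tuples and certificate serials are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    profile: str                       # device profile name (constructed values below)
    parent_id: str = ""                # PIV card the credential was derived from, if any
    certs: frozenset = frozenset()     # serials of the certificates held on the device
    status: str = "active"

def sample_devices() -> dict:
    """Constructed sample: a PIV card plus two derived devices; derived-1 shares the card's encryption certificate enc-1."""
    devs = [
        Device("piv-1", "PIV-Card", certs=frozenset({"auth-1", "enc-1"})),
        Device("derived-1", "Mobile-Derived", "piv-1", frozenset({"auth-2", "enc-1"})),
        Device("derived-2", "Token-Derived", "piv-1", frozenset({"auth-3"})),
    ]
    return {d.device_id: d for d in devs}

def terminate_device(devices: dict, revoked: set, device_id: str, revoke_on_terminate: bool) -> set:
    """Terminate one device; a revoke-on-terminate policy revokes its certificates.
    A certificate shared with the PIV card is the same certificate, so the card loses it too."""
    dev = devices[device_id]
    dev.status = "terminated"
    newly = set(dev.certs) - revoked if revoke_on_terminate else set()
    revoked |= newly
    return newly

def terminate_all_devices(devices: dict, revoked: set, piv_id: str, revoke_on_terminate: bool) -> list:
    """Terminate a PIV card and every credential derived from it: what the
    Terminate All Devices button must do to stay compliant with NIST SP 800-157."""
    targets = [d.device_id for d in devices.values()
               if d.device_id == piv_id or d.parent_id == piv_id]
    for did in targets:
        terminate_device(devices, revoked, did, revoke_on_terminate)
    return targets

def check_group_policies(policies: list, piv_profile: str) -> list:
    """Flag a user group with more than one policy per device type, or a derived-credential
    policy that reuses the PIV card profile. Policies are constructed (name, type, profile, is_derived) tuples."""
    problems, by_type = [], {}
    for name, device_type, profile, is_derived in policies:
        by_type.setdefault(device_type, []).append(name)
        if is_derived and profile == piv_profile:
            problems.append(f"{name}: derived policy reuses the PIV card profile")
    for device_type, names in by_type.items():
        if len(names) > 1:
            problems.append(f"{device_type}: {len(names)} policies match this device type")
    return problems
```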