Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Releases Second Draft of Federal ID Credential Security Standard for Comment

photo of the smart chip on a PIV card

This smart chip on a Personal Identity Verification (PIV) card holds two fingerprint biometrics, a unique number that identifies the individual within the PIV system, a PIN number that never leaves the card and a cryptographic key that is used to authenticate the cardholder to the PIV system.

Credit: K. Talbott/NIST

The National Institute of Standards and Technology (NIST) has released the second-round draft version of its updated security standard for identity credentials in the Personal Identity Verification cards (PIV cards) that all federal employees and contractors must use. NIST is requesting comments from the public on the document, which is intended to be the last draft before the final version is published.

The document is the next step toward updating Federal Information Processing Standard (FIPS) 201, which was published in February 2005. Among its requirements are that all PIV cards contain an integrated circuit chip for storing electronic information, a personal identification number and protected biometric data—a printed photograph and two electronically stored fingerprints.

According to NIST computer security researcher Hildegard Ferraiolo, the update was anticipated from the start. "The original FIPS 201 indicates the standard should be reviewed after five years to see if changes need to be made," says Ferraiolo. "After implementing the standard, federal departments and agencies learned a number of lessons that, combined with technological changes over the years, made an update worthwhile."

Ferraiolo says the update will not require anyone to replace their current PIV card, but will make the new cards, based on the revised specification, more flexible and effective. Among the numerous improvements in the revised draft are the abilities to:

  • Update a card's credentials remotely without the need to appear in person at the issuer site, a change that should create significant cost savings.
  • Create additional credential(s) for use on mobile devices such as smart phones.
  • Offer additional capabilities, such as secure messaging and on-card fingerprint comparison, to provide more flexibility in selecting the appropriate level of security for federal applications that use the PIV card for authentication.

Comments on the revised draft of FIPS 201 will be incorporated and targeted to be published as the final version, to be entitled FIPS 201-2. The document, Personal Identity Verification of Federal Employees and Contractors, is available at http://csrc.nist.gov/publications/PubsFIPS.html.

NIST also is requesting comments on a related FIPS support publication, the Biometric Data Specification for Personal Identity Verification (NIST Special Publication 800-76-2). The draft update to SP 800-76-2 amends the 2007 biometric data specifications to include new card options: Agencies will be able to use iris recognition as a biometric, on-card fingerprint comparison instead of a 6-digit personal identification number for card activation. The draft also extends and refines the biometric sensor and performance specifications for improved security. The draft revision of SP 800-76-2 is available at http://csrc.nist.gov/publications/PubsFIPS.html.

Comments on both documents should be submitted by email to piv_comments [at] nist.gov (piv_comments[at]nist[dot]gov), and must be received by August 10, 2012.

NIST also is holding a free public workshop to discuss the revised draft on July 25, 2012. Online registration is required; the workshop will be webcast as well.

Released July 11, 2012, Updated January 24, 2023