NIST Updates FIPS 201 Personal Identity Credential Standard

To ensure that federal employees have a broader set of modern options for accessing facilities and electronic resources, the National Institute of Standards and Technology (NIST) has increased the number of acceptable types of credentials that federal agencies can permit as official digital identity.

The increase is part of the latest update to Federal Information Processing Standard (FIPS) 201, which specifies the credentials that can be used by federal employees and contractors to access federal sites. The update, formally titled FIPS 201-3: Personal Identity Verification (PIV) of Federal Employees and Contractors, also allows for remote identity proofing and issuing, in addition to doing so in-person as was previously required. 

“We have expanded the set of credentials that can be used for gaining access to federal facilities and also for logging onto workstations and other IT resources,” said Hildegard Ferraiolo, a NIST computer scientist. “It’s not all about PIV cards anymore.”

The preceding FIPS standard, version 201-2, came out in 2013 and specified credentials embedded on PIV cards as the primary means for authentication, with limited exceptions for credentials designed for mobile devices that lacked PIV card readers. Millions of PIV cards have been issued to federal employees. 

The 201-3 update, the result of a regular review cycle, still specifies that PIV cards can be used but now offers additional options. It keeps the standard aligned with the most recent federal policies, including the Office of Management and Budget’s Memorandum M-19-17 on identity, credential and access management. It also ensures that the standard reflects current technological capabilities and needs, Ferraiolo said.

“It has become important to provide more flexibility to agencies in choosing credentials to use for authentication,” she said. “Not all laptop computers are available with built-in PIV card slots, for example, and often, there are cloud-based applications that don’t use public-key infrastructure that PIV cards provide. For these situations we need alternatives.”

The new options are a subset of credentials that are specified in NIST SP 800-63-3, a multivolume publication on digital identity. Branches of the government will have a richer set of multifactor credentials for different devices — including, for example, FIDO (Fast ID Online) tokens and one-time passwords (OTP).

With the revision milestone now complete, the focus for NIST has shifted to providing additional guidelines and implementation details, Ferraiolo said. NIST is currently in the process of updating guidelines for the expanded set of PIV credentials in Revision 1 of NIST SP 800-157. Additionally, to ensure that different credentials are interoperable across different agencies, a concept known as “federation,” NIST will provide guidelines in NIST SP 800-217.

Ferraiolo said these and other NIST publications associated with FIPS 201-3 would be updated in coming months. 

For more information, see the complete FIPS update, which is available online.