PIV-I Certification Playbook

Personal Identity Verification Interoperability (PIV-I) guidance has been issued to facilitate the issuance of identity credentials by organizations that are interoperable with Federal PIV-conformant systems and can be trusted by Federal organizations. In order to achieve this level of trust, PIV-I credentials must include digital credentials from a certification authority cross-certified with the Federal Bridge Certification Authority (FBCA) at the Medium Hardware Level of Assurance or above whose cross-certificate relationship includes PIV-I policy object identifiers (OIDs).

The Federal government has established a FPKI Approved Providers List for entities that have demonstrated the ability to provide digital credentials that meet the expectations of the PIV-I guidance by demonstrating comparability with the appropriate FBCA policies.

This playbook provides information and activities related to the cross-certification process for prospective PIV-I Providers, resulting in inclusion on the FPKI Approved Providers List. It also describes the requirements that must be met to maintain cross-certification.

The following diagram illustrates the high-level PIV-I Certification process.

[Diagram: high-level PIV-I Certification process]

Questions related to this playbook should be directed to idmanagement@gsa.gov.

Play 1 Understand Roles and Responsibilities

The Federal Public Key Infrastructure Policy Authority (FPKIPA) is the inter-agency body set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across the federal agencies and between federal agencies and outside bodies, such as universities, state and local governments and commercial entities.

The FPKI Certificate Policy Working Group (CPWG) reviews a prospective PIV-I Provider’s documentation for cross-certification of the PIV-I Provider with the PIV-I requirements specified in the X.509 Certificate Policy (CP) for the Federal Bridge Certification Authority (FBCA), and makes recommendations for cross-certification to the FPKIPA. The CPWG is comprised of representatives from organizations that are members of the FPKIPA.

The FIPS 201 Evaluation Program performs PIV-I card interoperability testing. A favorable recommendation from the CPWG (after successful card interoperability testing) will be presented to the FPKIPA members for a vote to approve the applicant as a PIV-I Provider at their earliest convenience.

Play 2 Know The PIV-I Components

The PIV-I Provider must implement six distinct components:

While there are many ways to architect, deploy and manage these components, the responsibilities of the components remain the same:

The FPKIPA does not limit outsourcing of specific PKI services by the PIV-I Provider. For example, RA responsibilities may be outsourced to an external organization. However, the responsibility for the continuing conformance of the RA remains between the organization and the PIV-I Provider.

Checklist

Key Questions

  1. Do you fully understand what each PIV-I component does and how it fits into the overall PIV-I solution you are providing?
  2. Will you be outsourcing any of your PIV-I components?
  3. If outsourcing, do you understand your ongoing responsibilities in that context?

Play 3 Prepare for PIV-I Cross-certification

PIV-I cross certification with the FBCA encompasses six primary activities:

All entities must complete the full cross certification process for FBCA cross certification at PIV-I, which is discussed in detail in the following section.

Checklist

Key Questions

  1. Does your PIV-I solution support smart cards that conform to the latest NIST Special Publication 800-73 and that are listed on the FIPS 201 Evaluation Program Approved Products List (APL)?

Play 4 Submit Application for PIV-I Cross-certification

The first step in achieving PIV-I cross certification with the FBCA is to submit a PIV-I Application to the FPKIPA.

The PIV-I Application must indicate that PIV-I cross certification is sought.

Upon receipt, the FPKIPA will review the application and determine whether cross-certification is in the best interest of the U.S. Federal Government. The Applicant will be notified of the FPKIPA’s decision. Those whose applications have been approved will move into the mapping and technical testing phase.

Organizations whose applications are rejected by the FPKIPA may request a written decision and an interview with the FPKIPA for reconsideration.

Checklist

Key Questions

  1. Does your application include a complete and compelling discussion of why your PIV-I application is in the best interest of the U.S. Federal Government?

Play 5 Perform a Policy Mapping

The FBCA Certificate Policy includes specific requirements pertaining to PIV-I. Entities should familiarize themselves with the following documents prior to beginning the mapping process:

Each PIV-I Provider must submit the following in order to initiate the mapping process:

The CPWG will review the PIV-I mapping matrices to determine whether they demonstrate overall alignment with the FBCA CP. Questions or concerns that cannot be answered by consulting the supporting documentation provided with the matrix will be referred back to the applicant for resolution. If necessary, the CPWG will invite the applicant to a meeting to resolve open issues. In some cases, the applicant may be asked to provide copies of additional documents cited in the CP, where these are considered critical to resolving particular issues or concerns. This is an iterative process and may be repeated several times before successful completion. Any areas of concern will be discussed with the PIV-I Provider and resolved prior to providing a mapping recommendation to the FPKIPA.

The PIV-I Provider shall operate their PKIs in a manner that ensures continuing alignment with the FBCA CP. Each PIV-I Provider shall develop and operate their systems according to a CPS governing operation of its PKI. The PIV-I Provider’s CPS must be in compliance with their Certificate Policy.

Checklist

Key Questions

  1. Does my CP or CPS reference any documents that I need to include in the mapping package?

Play 6 Complete Technical Testing

The PIV-I applicant must successfully complete technical testing in accordance with the PIV-I Test Plan. The purpose of technical testing is to validate the ability of a PIV-I candidate to issue PIV-I cards that meet the test requirements. Testing can be done any time after the application has been accepted. To expedite the certification process, testing can be done in parallel with the mapping step. However, testing must always be done with a “production card” issued by a production Issuing CA.

PIV-I Providers who operate under the PIV-I program must support smart cards conforming to the latest NIST Special Publication 800-73 and listed on the FIPS 201 Evaluation Program Approved Products List (APL).

If the PIV-I applicant does not successfully complete the requirements of the PIV-I Test Plan, the applicant will be provided with a list of the criteria that were not met. PIV-I testing must be successfully completed before a PIV-I Issuer Applicant is taken to the FPKIPA for approval.

Successful PIV-I implementation is dependent on the CMS. As a result, the CMS must be identified during the testing process. Organizations that plan to use multiple CMS products shall submit at least one card associated with each CMS for testing. Once complete, the approved PIV-I Provider shall list their approved CMS(s). Subsequent testing is required as follows:

Upon successful completion of the PIV-I Test Plan, the results are reported to the FPKIPA.

Checklist

Key Questions

  1. Does your PIV-I solution use more than one CMS?
  2. Do you know when testing is scheduled and who the ICAM Lab contacts are?

Play 7 Complete an Audit Review

To provide assurance that their CP and CPS reflect their operations, PIV-I Providers must submit a compliance audit from a qualified, independent, third-party auditor, in accordance with Section 8 of the FBCA CP, that establishes:

For an initial audit review, operational compliance may be determined by a Day Zero Audit, which covers all aspects of the PKI operations except issuance and management of end user certificates.

The PIV-I Provider and their third party auditor should consult FPKI Compliance Audit Requirements for guidance on preparing the audit letter to the FPKIPA.

Checklist

Key Questions

  1. Is this an initial audit review, in which case a Day Zero Compliance Audit can be performed instead of a full audit?

Play 8 Execute a Memorandum of Agreement

Once all of the above criteria have been successfully completed, the CPWG will submit a recommendation to the FPKIPA to cross certify with the applicant at the identified levels of assurance, including PIV-I. Upon a favorable vote, the applicant and the Chairs of the FPKIPA shall complete a Memorandum of Agreement (MOA) citing each organization’s rights and responsibilities associated with the cross certification.

Checklist

Key Questions

  1. Are any changes to the proposed MOA needed that should be communicated to the FPKIPA?
  2. Who is the appropriate person to sign the MOA on behalf of the PIV-I Provider?

Play 9 Coordinate Cross-certificate Issuance

Once the MOA is complete, the Federal PKI Management Authority (FPKIMA) and the Applicant coordinate the steps necessary to issue cross-certificates.

The entity will then be added to the FPKI Approved Providers List.

Checklist

Key Questions

  1. Have you reviewed all forms associated with exchanging cross-certificates to ensure you have obtained all the latest information you need to provide to the FPKIMA?
  2. Is the information you will be providing correct and up-to-date?

Play 10 Perform Annual Compliance Audit

The Compliance Audit Requirements document mandates yearly compliance audits performed by a competent, independent third party. The PIV-I Provider has ongoing audit and analysis responsibilities to ensure that the PKI continues to operate at the appropriate level of trustworthiness.

The PIV-I Provider shall submit a compliance audit letter each year covering the PIV-I operated components for as long as those components remain in operation. If it is determined that a PIV-I Provider is out of compliance, the PIV-I Provider shall submit a remediation plan to the CPWG for consideration. Failure to submit an annual compliance audit letter, or findings that indicate the PIV-I Provider is out of alignment with the FBCA CP, will result in removal from the FPKI Approved Providers List and/or revocation of the cross-certificates.

Checklist

Key Questions

  1. If notified of non-compliance, do you fully understand and agree with the list of non-compliance items?

Glossary

| Term | Description |
| --- | --- |
| Applicant | Any organization seeking to participate in the Federal Certified PKI Personal Identity Verification Interoperability (PIV-I) program. |
| Archive | Long-term, physically separate storage. |
| Audit | Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. |
| Authentication | The process of establishing confidence in the identity of users or information systems. |
| Biometric | A measurable physical characteristic used to recognize the identity of an individual. Examples include fingerprints and facial images. A biometric system uses biometric data for authentication purposes. |
| Card Management System (CMS) | The Card Management System is responsible for managing smart card token content. |
| Certificate | A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its user, (3) contains the user’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. |
| Certification Authority (CA) | An authority trusted by one or more users to issue and manage X.509 public key certificates and CRLs. |
| Certification Policy (CP) | A certificate policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A certificate policy addresses all aspects associated with the generation, production, distribution, accounting, compromise, recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications. |
| Certification Practice Statement (CPS) | A statement of the practices that a CA employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this CP, or requirements specified in a contract for services). |
| Certificate Revocation List (CRL) | Lists maintained by a certification authority of the certificates that it has issued that are revoked prior to their stated expiration date. |
| Compliance Audit | Independent review of documentation and operations to ensure the systems are operated in accordance with their governing documentation. |
| Federal Public Key Infrastructure Policy Authority (FPKIPA) | The FPKIPA is a Federal Government body responsible for setting, implementing, and administering policy decisions regarding the Federal PKI Architecture. |
| Online Certificate Status Protocol (OCSP) | An Internet protocol used for obtaining the revocation status of an X.509 digital certificate. |
| PIV-Interoperable (PIV-I) Providers | Providers of PKI Services that have successfully completed the review and evaluation activities described in this guidance. |
| Public Key Infrastructure (PKI) | A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public/private key pairs, including the ability to issue, maintain, and revoke public key certificates. |
| Registration Authority (RA) | An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., a registration authority is delegated certain tasks on behalf of an authorized CA). |
| Repository | A database containing information and data relating to certificates as specified in this CP; may also be referred to as a directory. |
| Server | A system component that provides a service in response to requests from clients. |
| Smart Card | Any pocket-sized card with embedded integrated circuits that allows storage and retrieval of information. For the purposes of this document, a smart card is a dual-interface card, allowing both contact and contactless access to a microprocessor that contains, among other features, a cryptographic engine capable of generating strong asymmetric key pairs. |

References

HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors
http://www.dhs.gov/homeland-security-presidential-directive-12

FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors
http://csrc.nist.gov/publications/PubsFIPS.html

NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-63 Version 1.0.2: Electronic Authentication Guideline
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-73-3: Interfaces for Personal Identity Verification (4 Parts)
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-76-1: Biometric Data Specification for Personal Identity Verification
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-78-3: Cryptographic Algorithms and Key Sizes for Personal Identity Verification
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-79-1: Guidelines for the Accreditation of Personal Identity Verification Card Issuers
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-104: A Scheme for PIV Visual Card Topography
http://csrc.nist.gov/publications/PubsSPs.html

NIST Special Publication 800-116: A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
http://csrc.nist.gov/publications/PubsSPs.html

OMB M-04-04: E-Authentication Guidance for Federal Agencies
http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf

OMB M-05-05: Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-05.pdf

OMB M-05-24: Implementation of Homeland Security Presidential Directive (HSPD) 12: Policy for a Common Identification Standard for Federal Employees and Contractors
https://www.fismacenter.com/m05-24.pdf

Personal Identity Verification Interoperability for Non-Federal Issuers
https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNSVAA4&field=File__Body__s

Request for Comments (RFC) 3852: Cryptographic Message Syntax (CMS)
http://www.ietf.org/rfc/rfc3852.txt

Request for Comments (RFC) 4122: A Universally Unique IDentifier (UUID) URN Namespace
http://www.ietf.org/rfc/rfc4122.txt

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems, Version 2.3
https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t00000008OgCAAU&field=File__Body__s

X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards
https://www.idmanagement.gov/IDM/s/document_detail?Id=kA0t00000008ObiCAE

X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA)
https://www.idmanagement.gov/IDM/s/article_content_old?tag=a0Gt0000000SfwS

Personal Identity Verification Interoperable (PIV-I) Frequently Asked Questions (FAQ)
https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNPlAAO&field=File__Body__s