Pardon our Dust.

Welcome to the new site for Federal Identity, Credential, and Access Management (FICAM) Playbooks! We are consolidating all existing FICAM and Federal Public Key Infrastructure (FPKI) playbooks to this new page to help you find answers and content faster. Please bookmark this URL for future reference.

FIPS 201 Evaluation Program

The Federal Information Processing Standard 201 (FIPS 201) Evaluation Program (sometimes called the FICAM Testing Program) tests and certifies services and commercial products used in PIV credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs).

For the latest testing news, view the program announcements.

Testing and Certification

We test and certify a variety of products and services such as:

- Smartcards (secure elements) used in Personal Identity Verification (PIV) and Common Access Card (CAC) credentials
- Physical access control systems for buildings including readers and infrastructure
- Service providers who manage, install, or provide hosted solutions for issuance of Personal Identity Verification (PIV) and CAC credentials

If you’re looking for testing procedures related to products not listed above, review the announcements. Over the years, some product testing has been deprecated to eliminate redundancy, or the product categories have become stable and represent general commercial use products.

Product Testing

Product testing is performed by either:

- Third-party accredited testing labs, OR
- GSA-managed testing labs

If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the Approved Products List (APL). The APL includes product information, version, date of certification, and special considerations.

Visit the Sell page for more on testing and certification.

Testing Guidance and Documents

Functional requirements for the products are outlined in each test procedure. Review the testing agreements, and the test procedure for your specific product, and submit the agreement and package to fips201ep@gsa.gov.

Testing Agreements

Review the testing agreements, and sign and submit the appropriate agreement with your testing package to fips201ep@gsa.gov.

- FIPS 201 Evaluation Program – Evaluation Agreement (PDF, September 2020) – The formal agreement to enter into testing, signed by the vendor and the government official.
- Reseller Acknowledgement Form (MS Word, September 2014) – If you are reselling another product, this must be disclosed and the signed agreement submitted.
- Product/Service Application Form and Guidance (MS Word, August 2018) – Provides a checklist of which documents are required when submitting a new or upgraded solution. Must accompany all submissions.
- Removed Products List (RPL) Process Document (PDF, June 2014) – If your product has been removed from the APL, review this document for the procedures.

Personal Identity Verification (PIV) Credentials

- Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020) – If you are an agency or organization applying for your annual Audit for the Federal Public Key Infrastructure (FPKI), submit this form to fips201ep@gsa.gov with available dates and times to visit the GSA testing labs.
- Personal Identity Verification (PIV) Credential (PDF, January 2010) – These test procedures are used by the independent, third-party labs to test card stock.

Derived PIV (D-PIV) Credentials

Annual Derived PIV Credential Issuer (DPCI) Testing Application Form (MS Word, September 2017) – If you are an agency or organization that currently issues D-PIV credentials and need to complete credential testing for your annual FPKI Audit, submit this form to fips201ep@gsa.gov.

Agencies that wish to issue D-PIV credentials should follow these steps:

1. Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO)
2. Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs)
3. Submit the Annual DPCI Testing Application Form (linked above) to fips201ep@gsa.gov
4. Submit sample D-PIV credentials for testing

Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials.

Badge Holders

Electromagnetically Opaque Sleeve (Badge Holder) Approval and Test Procedure (PDF, February 2014) – Review the test procedures, and contact one of the third-party labs to schedule testing.

Physical Access Control System (PACS)

GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used to restrict physical access to government facilities. Review the test procedures, choose one of the application packages, and submit to fips201ep@gsa.gov.

- PACS Functional Requirements and Test Cases v1.3.3 Rev. G (PDF, February 2019)
- PACS FRTC PIN Usage Policy Addendum (PDF, April 2018) – Review this Addendum for help resetting PIN retry counters, and determining the number of remaining PIN retries during Discovery Object testing.

PACS Application Package for New Systems

Vendors wishing to submit a new solution are required to:

1. Review the Product/Service Application Form and Guidance (MS Word, September 2018).
2. Include one or both of the following, signed by a C- or VP-level individual:
   - Product/Service Self-Attestation Form (MS Word, August 2018)
   - Product Series and Licensing Form (MS Word, August 2018).
3. Supply Chain Self-Attestation Form (MS Word, March 2020).
4. Complete the Applicant Product Equipment List (MS Word, September 2017).
5. Choose from the following two topologies that best describes your solution:
   - Approved PACS Topology Mapping Document (PACS 13.01) v1.3.3 Rev. G (PDF, February 2019).
   - Approved PACS Topology Mapping Document (PACS 13.02) v1.3.3 Rev. G (PDF, February 2018).
   - Mobile Handheld Approved Topology Mapping Document (14.02) v1.3.3 Rev. B (PDF, November 2017). When you complete the FRTC Workbook, use the mapping in the workbook, not the mapping inside the Mobile Handheld Topology document.
6. Complete the PACS FRTC v1.3.3 Topology Mapping Workbook (all topologies) Rev. G (XLSM, August 2018) for your topology. When submitting a product that uses an approved or provisionally approved topology, complete the Topology Mapping Workbook, rather than the PDF version, and submit it with your application. This began with FRTC 1.3.3, and is easier to use. Macros must be enabled when opening this workbook for the form to work properly. Check the Errata Page for the current FRTC.
7. Complete a Topology Mapping Diagram as specified in Section 4.4 in the Approved PACS Topology Mapping Documents above.
8. Execute the FIPS 201 Evaluation Program – Evaluation Agreement (PDF, September 2020).
9. Include the completed form and checklist in the Product/Service Application Form and Guidance in (1) above.
10. Include all applicable VPAT statements, UL-294, and FIPS 140-2 listing documents.
11. Submit all forms to fips201ep@gsa.gov.

PACS Application Package for Updates to Previously Approved Systems

Vendors upgrading previously approved systems with an established topology are required to:

1. Review the Product/Service Application Form and Guidance document (MS Word, September 2018)
2. Include one or both of the following, signed by a C- or VP-level individual:
   - Product/Service Upgrade Form (MS Word, August 2018)
   - Product Series and Licensing Form (MS Word, August 2018).
3. Supply Chain Self-Attestation Form (MS Word, March 2020).
4. Complete the Applicant Product Equipment List (MS Word, September 2017).
5. Complete the PACS FRTC v1.3.3 Topology Mapping Workbook (all topologies) Rev. G (XLSM, February 2019) for your topology.
6. Execute the FIPS 201 Evaluation Program – Evaluation Agreement (PDF, September 2020).
7. Include the completed form and checklist in the Product/Service Application Form and Guidance document in (1) above.
8. Include all applicable VPAT statements, UL-294 listing, and FIPS 140-2 listing documents.
9. Submit all forms to fips201ep@gsa.gov.

Test Card Loaners

GSA can loan you test cards to help you pre-test your physical access control system products.

- PACS Test Card Loaner Process (PDF, November 2019)
- PACS Test Card Loaner Set Request Form (MS Word, October 2019) – Sign and submit this form to fips201ep@gsa.gov.
- PACS Test Card User Guide (PDF, January 2019)