NIST’s National Cybersecurity Center of Excellence (NCCoE) recently released a second draft of the NIST Cybersecurity Practice Guide SP 1800-12, Derived Personal Identity Verification (PIV) Credentials. The new draft is available online, and public comment will be accepted through October 1, 2018.
Although PIV and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector, both are relevant to mobile device users in the commercial sector who rely on smart card-based credentials as well.
This document is part of the NCCoE’s effort to address the challenge of derived PIV credentials through collaboration with members of the information technology (IT) community, including vendors of cybersecurity solutions.
In the early days of the PIV program, authentication took place on desktops and laptops with integrated smart card readers. “Today, the proliferation of mobile devices that do not have integrated smart card readers complicates PIV credentials and authentication,” explains the NCCoE. Derived PIV Credentials let organizations authenticate individuals from mobile devices that have no card reader.
The Practice Guide demonstrates a security platform that reuses the identity proofing and vetting behind a current, valid PIV credential to enable two-factor authentication to information technology systems from mobile devices.
The NCCoE reference design includes the following capabilities:
- authenticate users of mobile devices using secure cryptographic authentication exchanges
- provide a feasible security platform based on Federal Digital Identity Guidelines
- utilize a public key infrastructure (PKI) with credentials derived from a PIV card
- support operations in PIV, PIV-Interoperable (PIV-I), and PIV-Compatible (PIV-C) environments
- issue PKI-based derived PIV credentials at Level of Assurance (LOA) 3
- provide logical access to remote resources hosted either in a data center or in the cloud
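The core of the design above is a PKI credential that is derived from, but cryptographically independent of, the PIV card: the issuer authenticates the card with a challenge-response exchange, then certifies a brand-new key pair generated on the mobile device, and relying parties later authenticate the phone with the same kind of exchange against the agency root. The Go program below is an added illustration of that flow, written for this article; it is not code from the NCCoE reference design or any participating vendor. It assumes a single-level agency PKI, ECDSA P-256 keys, and that the derived certificate carries the card holder's subject name; the names "Example Agency CA", "alice@example.gov" and "Rogue CA" are constructed. It goes slightly beyond the text by also showing the two refusals a practitioner wants to see: a card that does not chain to the trusted root gets no derived credential, and a valid certificate presented with a signature from some other key is rejected at login.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential pairs a private key with its certificate; it stands in for the
// agency CA, a card's PIV Authentication key, and a derived key on a phone.
type Credential struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or DER encoding failing is not recoverable here
	}
	return v
}

// issue generates a P-256 key pair where the credential will live (no private key
// is transported) and certifies it: self-signed root if ca is nil, else a leaf signed by ca.
func issue(ca *Credential, name string) *Credential {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // strictly positive
		Subject:      pkix.Name{CommonName: name},        // hypothetical name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign, // root default, replaced for leaves
		IsCA:         ca == nil, BasicConstraintsValid: ca == nil,
	}
	parent, signer := tmpl, key // self-signed root
	if ca != nil {              // client-authentication leaf signed by ca
		parent, signer = ca.Cert, ca.Key
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &Credential{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// signChallenge is the holder's half of the exchange: ECDSA over SHA-256(nonce).
func signChallenge(c *Credential, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, c.Key, h[:]))
}

// verifyChallenge is the relying party's half: chain the presented certificate
// to the one trusted root, then check the signature over the nonce it issued.
func verifyChallenge(root *Credential, cert *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if h := sha256.Sum256(nonce); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge signature does not verify")
	}
	return nil
}

// authenticate runs one challenge-response login; a fresh random nonce per attempt defeats replay.
func authenticate(root *Credential, cred *Credential) error {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	return verifyChallenge(root, cred.Cert, nonce, signChallenge(cred, nonce))
}

// deriveCredential models derived PIV credential issuance: the issuer first
// authenticates the card with the same exchange and only then certifies a fresh
// key pair generated on the mobile device. Reusing the card's subject name in
// the derived certificate is an assumption of this model.
func deriveCredential(ca *Credential, card *Credential) (*Credential, error) {
	if err := authenticate(ca, card); err != nil {
		return nil, fmt.Errorf("PIV authentication failed, nothing issued: %w", err)
	}
	return issue(ca, card.Cert.Subject.CommonName), nil
}

func main() {
	ca := issue(nil, "Example Agency CA")  // hypothetical root
	card := issue(ca, "alice@example.gov") // constructed card holder
	mobile, err := deriveCredential(ca, card)
	if err == nil {
		err = authenticate(ca, mobile)
	}
	fmt.Println("mobile login error:", err)
}
```

The point to take from the model is what is never done: the card's private key is not copied to the phone, and the phone's key is not accepted anywhere until a certificate for it chains to the agency root. In a real deployment the derived key would be generated and held in the device's hardware-backed keystore under the management platform, and the derived certificate would carry its own policy identifiers rather than simply mirroring the card's subject.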
Participating vendors include Entrust Datacard, IBM, Intel, Intercede, MobileIron, Verizon and VMware.