
NIST expands digital ID options for credentials used to access federal sites

NIST updates FIPS 201 personal identity credential standard
The standard now goes beyond physical ID cards to include electronic tokens and one-time passwords. Credit: N. Hanacek/NIST

The National Institute of Standards and Technology (NIST) has increased the number of acceptable types of credentials that federal agencies can permit as official digital identity. This is part of the latest update to Federal Information Processing Standard (FIPS) 201, ensuring that federal employees and contractors have a broader set of modern options for accessing facilities and electronic resources.

The increase is part of the latest update to FIPS 201, which specifies the credentials that can be used by federal employees and contractors to access federal sites. The update, formally titled FIPS 201-3: Personal Identity Verification (PIV) of Federal Employees and Contractors, also allows for remote identity proofing and issuing, in addition to doing so in-person as was previously required. 

We have expanded the set of credentials that can be used for gaining access to federal facilities and also for logging onto workstations and other IT resources. It’s not all about PIV cards anymore.

Hildegard Ferraiolo, NIST computer scientist

The preceding FIPS standard, version 201-2, came out in 2013 and specified credentials embedded on Personal Identity Verification cards as the primary means for authentication, with limited exceptions for credentials designed for mobile devices that lacked PIV card readers. Millions of PIV cards have been issued to federal employees. 

The 201-3 update, the result of a regular review cycle, still specifies that PIV cards can be used but now offers additional options. It keeps the standard aligned with the most recent federal policies, including the Office of Management and Budget’s Memorandum M-19-17 on identity, credential and access management. It also ensures that the standard reflects current technological capabilities and needs, Ferraiolo said.

It has become important to provide more flexibility to agencies in choosing credentials to use for authentication. Not all laptop computers are available with built-in PIV card slots, for example, and often, there are cloud-based applications that don’t use public-key infrastructure that PIV cards provide. For these situations, we need alternatives.

Hildegard Ferraiolo

The new options are a subset of credentials that are specified in NIST SP 800-63-3, a multivolume publication on digital identity. Branches of the government will have a richer set of multifactor credentials for different devices — including, for example, FIDO (Fast ID Online) tokens and one-time passwords (OTP).

With the revision milestone now complete, the focus for NIST has shifted to providing additional guidelines and implementation details, Ferraiolo said. NIST is currently in the process of updating guidelines for the expanded set of Personal Identity Verification (PIV) credentials in Revision 1 of NIST SP 800-157. Additionally, to ensure that different credentials are interoperable across different agencies, a concept known as “federation,” NIST will provide guidelines in NIST SP 800-217.

Ferraiolo said these and other NIST publications associated with FIPS 201-3 would be updated in coming months. 

For more information, see the complete FIPS update, which is available online.