NIST SPECIAL PUBLICATION 1800 -12 Derived Personal Identi ty Verification (PIV) Credentials Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How -To Guide s (C) William Newhouse Michael Bartock Jeffrey Cichonski Hildegard Ferraiolo Murugiah Souppaya Christopher Brown Spike E. Dog Susan Prince Julian Sexton SECOND DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/building -blocks/piv -credentials NIST SPECIAL PUBLICATION 1800 -12 Derived Personal Identi ty Verification (PIV) Credentials Includes Executive Summary (A); Approach, Architecture, an d Security Characteristics (B); and How -To Guides (C) William Newhouse National Cybersecurity Center of Excellence Information Technology Laboratory Michael Bartock Jeffrey Cichonski Hildegard Ferraiolo Murugiah Souppaya National Institute of Standards and Technology Information Technology Laboratory Christopher Brown Spike E. Dog Susan Prince Julian Sexton The MITRE Corporation McLean, VA August 2018 U.S. Department of Commerce Wilbur Ross , Secretary National Institute of Standards and Technology Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director NIST SPECIAL PUBLICATION 1800 -12A Derived Personal Identi ty Verification (PIV) Credentials Volume A : Executive Summary William Newhouse National Cybersecurity Center of Excellence Information Technology Laboratory Michael Bartock Jeffrey Cichonski Hildegard Ferraiolo Murugiah Souppaya National Institute of Standards and Technology Information Technology Laboratory Christopher Brown Spike E. Dog Susan Prince Julian Sexton The MITRE Corporation McLean, VA August 2018 SECOND DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/building -blocks/piv -credentials DRAFT NIST SP 1800 -12A: Derived Personal Identity Verification (PIV) Credentials 1 Executive Summary ▪ Misuse of identity, especially through stolen passwords, is a primary source for cyber breaches. 1 Enabling stronger processes to recognize a user’s identity is a key component to securing an 2 organization’s information systems. 3 ▪ Access to federal information systems relies on the strong authenti cation of the user with a 4 Person al Identity Verification (PIV) Card . These “smart cards” contain identifying information 5 about the user that enables strong er authentication to federal facilities, information systems, 6 and applications . 7 ▪ Today, access to information systems is increasingly from mobile phones, tablets, and some 8 laptops that lack an integrated smart card reader found in older , stationary computing devices , 9 forci ng organizations to have separate authentication processes for these devices . 10 ▪ Derived PIV Credentials (DPC ) leverage identity proofing and vetting results of current and valid 11 credentials used in PIV Cards by enabling the secure storage of an equivalent credential on 12 devices without PIV Card readers . 13 ▪ The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards 14 and Technology ( NIST ) built a laboratory environment to explore the development of a security 15 architecture that uses commercial ly available technology to manage the life cycle of DPC. 16 ▪ This NIST Cybersecurity Practice Guide demonstrates how organizations can provide multi -factor 17 authentication for users to access PIV-enabled website s and exchange secure d email s—from 18 mobile devices that lack PIV Card readers . 19 CHALLENGE 20 In accordance with Homeland Security Presidential Directive 12 (HSPD -12), the PIV standard was created 21 to enhance national security by providin