NIST has increased the range of acceptable forms of credentials that federal agencies can permit as official electronic identity, part of the latest update to Federal Information Processing Standard (FIPS) 201. The standard now goes beyond physical ID cards to include electronic tokens and one-time passwords.
To ensure that federal employees have a broader set of modern options for accessing facilities and digital resources, the National Institute of Standards and Technology (NIST) has expanded the range of acceptable types of credentials that federal agencies can permit as official digital identity.
The increase is part of the latest update to Federal Information Processing Standard (FIPS) 201, which specifies the credentials that can be used by federal employees and contractors to access federal sites. The update, formally titled FIPS 201-3: Personal Identity Verification (PIV) of Federal Employees and Contractors, also allows for remote identity proofing and issuing, in addition to doing so in person as was previously required.
“We have expanded the set of credentials that can be used for gaining access to federal facilities and also for logging onto workstations and other IT resources,” said Hildegard Ferraiolo, a NIST computer scientist. “It’s not all about PIV cards anymore.”
The previous FIPS standard, version 201-2, came out in 2013 and specified credentials embedded on PIV cards as the primary means for authentication, with limited exceptions for credentials made for mobile devices that lacked PIV card readers. Millions of PIV cards have been issued to federal employees.
The 201-3 update, the result of a regular review cycle, still specifies that PIV cards can be used but now provides additional options. It keeps the standard aligned with the most current federal policies, including the Office of Management and Budget’s Memorandum M-19-17 on identity, credential and access management. It also ensures that the standard reflects current technological capabilities and needs, Ferraiolo said.
“It has become important to provide more flexibility to agencies in choosing credentials to use for authentication,” she said. “Not all laptop computers are available with built-in PIV card slots, for example, and often, there are cloud-based applications that don’t use public-key infrastructure that PIV cards provide. For these situations we need alternatives.”
The new options are a subset of credentials that are specified in NIST SP 800-63-3, a multivolume publication on digital identity. Branches of the government will have a richer set of multifactor credentials for different devices, including, for example, FIDO (Fast IDentity Online) tokens and one-time passwords (OTP).
With the revision milestone now complete, the focus for NIST has shifted to providing additional guidelines and implementation details, Ferraiolo said. NIST is currently in the process of updating guidelines for the expanded set of PIV credentials in Revision 1 of NIST SP 800-157. Additionally, to ensure that different credentials are interoperable across different agencies, a concept known as “federation,” NIST will provide guidelines in NIST SP 800-217.
Ferraiolo said these and other NIST publications associated with FIPS 201-3 would be updated in the coming months.
For more information, see the complete FIPS update, which is available online.