Hi All,
NIST just published for comment NIST SP 800-79r3: Guidelines for the Authorization of PIV Card and Derived PIV Credential Issuers
In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the issuance and use of Personal Identity Verification (PIV) Credentials, including the credentials on PIV Cards and the derived PIV credentials on alternate form factors. NIST Special Publication (SP) 800-79 has subsequently been revised to align with FIPS 201 and is now available for public comment.
The initial public draft (ipd) of SP 800-79r3 (Revision 3), Guidelines for the Authorization of PIV Card and Derived PIV Credential Issuers, provides appropriate and useful guidelines for assessing the reliability of PIV Card and derived PIV credential issuers. The major changes for this revision encompass:
• Updates to issuer controls based on Revision 3 of FIPS 201, specifically to:
o Add controls for supervised remote identity proofing
o Account for the inclusion of PIV identity accounts
• Updates to issuer controls for derived PIV credentials based on SP 800-157r1, Guidelines for Derived PIV Credentials, specifically to add controls for non-PKI-based credentials issued at authentication assurance level (AAL) 2 or 3
• Updates to issuer controls based on the adjudicative guidelines update for PIV credential eligibility issued by the Office of Personnel Management (OPM)
The comment period for SP 800-79r3 ipd is open through January 29, 2024. See the publication details https://csrc.nist.gov/pubs/sp/800/79/r3/ipd for a copy of the draft. We encourage you to use the comment template provided there and submit comments and inquiries to [email protected].
------------------------------
Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
------------------------------