This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. [FedRAMP Assignment: (L)(M)(H) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.]
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential.
38North Guidance:
Meets Minimum Requirement:
Accepts Personal Identity Verification (PIV) credentials.
Electronically verifies Personal Identity Verification (PIV) credentials.
Best Practice:
If access cards (PIV or CAC cards) are utilized for logical access, the cards must comply with NIST SP 800-73 (standards for PIV cards).
CAC/PIV should be the responsibility of the customer, but the option to enable CAC/PIV must be configurable if the customer requires it.
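An added worked example of the "electronically verifies" step, written for this page and not code from 38North, NIST or FedRAMP: a Go program that validates a PIV Authentication certificate as it would be presented during client-certificate authentication (chain to a trusted PIV issuer, validity period, clientAuth purpose, digitalSignature key usage) and then extracts the user principal name from the certificate's subjectAltName otherName, which is the value a logical access control system binds the session to. Assumptions: the trust store holds the issuing PIV CA; the identity is carried as a Microsoft UPN otherName (the FASC-N otherName that PIV certificates also carry is skipped here); and the CA and leaf certificate are constructed fixtures generated at run time, not a real card. The names upnSAN, upnFromCert, VerifyPIVAuth and issue belong to this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Real OIDs: RFC 5280 subjectAltName, and the Microsoft UPN otherName found in PIV Authentication certificates.
var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

// must panics on fixture-construction errors; the verification path below returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// upnSAN encodes subjectAltName ::= SEQUENCE OF GeneralName holding one otherName
// ([0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }) that carries the UPN.
func upnSAN(upn string) pkix.Extension {
	gn := must(asn1.MarshalWithParams(struct {
		OID   asn1.ObjectIdentifier
		Value string `asn1:"explicit,tag:0,utf8"`
	}{oidUPN, upn}, "tag:0"))
	return pkix.Extension{Id: oidSAN, Value: must(asn1.Marshal([]asn1.RawValue{{FullBytes: gn}}))}
}

// upnFromCert walks the SAN GeneralNames by hand, because crypto/x509 drops otherName entries when parsing.
func upnFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", err
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // rfc822Name, dNSName, ... are not otherName
			}
			var oid asn1.ObjectIdentifier
			rest, err := asn1.Unmarshal(gn.Bytes, &oid)
			if err != nil || !oid.Equal(oidUPN) {
				continue // malformed, or a different otherName such as the FASC-N
			}
			var upn string
			_, err = asn1.UnmarshalWithParams(rest, &upn, "explicit,tag:0")
			return upn, err
		}
	}
	return "", fmt.Errorf("no UPN otherName in subjectAltName")
}

// VerifyPIVAuth is the electronic verification step: the certificate must assert digitalSignature and
// chain to a trusted PIV issuer for clientAuth at time now; the UPN is then the identity to bind to.
func VerifyPIVAuth(leafDER []byte, roots *x509.CertPool, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", fmt.Errorf("PIV Authentication certificate lacks digitalSignature key usage")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	return upnFromCert(cert)
}

// issue builds a constructed issuing CA and a PIV-style leaf signed by it (fixture data, not a real card).
func issue(upn string, now time.Time) (ca *x509.Certificate, leafDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example PIV CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "DOE.JANE (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ExtraExtensions: []pkix.Extension{upnSAN(upn)}}
	return ca, must(x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey))
}

func main() {
	now := time.Now()
	ca, leafDER := issue("jane.doe@example.gov", now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println(VerifyPIVAuth(leafDER, roots, now))              // jane.doe@example.gov <nil>
	fmt.Println(VerifyPIVAuth(leafDER, x509.NewCertPool(), now)) // empty UPN and a chain validation error: issuer not trusted
}
```

Two parts of a real PIV acceptance flow are deliberately outside this block: revocation checking of the leaf and its issuers (CRL or OCSP), and proof that the presenter holds the card's private key (the PKI-AUTH challenge, normally performed by the TLS client-certificate handshake). A system offering CAC/PIV for logical access needs both in addition to the chain, validity, key-usage and identity-binding checks shown here, and the identity extraction would also have to handle the FASC-N otherName for customers who key on it rather than the UPN.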
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of the configuration of the application or server being offered that demonstrate CAC/PIV can be configured if required by the customer.
CSP Implementation Tips: TBD