This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.
Related controls: AU-2, PE-3, SA-4.
References:
OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2].
Related Controls: PE-3.
38North Guidance:
Meets Minimum Requirement:
Accepts Personal Identity Verification (PIV) credentials from other agencies.
Electronically verifies Personal Identity Verification (PIV) credentials from other agencies.
Best Practice:
Customers can implement PIV/CAC cards for the FedRAMP environment/application being offered.
The system/application is able to support identity federation through SAML, OAuth, OpenID, etc.
Test the PIV/CAC capability by using test PIV/CAC cards in the FedRAMP environment: https://csrc.nist.gov/projects/piv/nist-piv-test-cards
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configuration settings for the system/application being offered for the customer environment showing that PIV/CAC cards can be implemented.
Documentation created for the processes used to implement PIV/CAC capability in the FedRAMP environment.
CSP Implementation Tips: TBD