PROVIDING A BEST PRACTICE FRAMEWORK FOR DERIVED PERSONAL IDENTITY VERIFICATION (PIV) CREDENTIALS

Discover why NIST NCCOE included MyID PIV credential management as part of their best practice derived PIV solution

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) are the United States’ leading body in providing real world, best practice architectures for federal agencies and companies to overcome specific cybersecurity challenges.

In this use case we look at why NIST NCCoE included MyID PIV credential management as part of their solution. How the overall solution works and the functionality MyID PIV credential management adds.

THE CHALLENGE

With the introduction of a new Federal Information Processing Standard (FIPS), specifically FIPS 201-2; Personal Identity Verification (PIV) of Federal Employees and Contractors, federal government had a new opportunity to take advantage of new technologies for the secure authentication of their employees and contractors.

The original standard (FIPS 201) was published in 2005 and as such was focused on setting multi-factor authentication standards, using public key infrastructure (PKI), for technology in use at that time; largely desktop and laptop computers.

FIPS 201 therefore was focused on users being issued with a PIV smart card to provide common multi-factor authentication via their desktop computers and laptops using in-built or auxiliary smart card readers.

Fast forward to today and the technology landscape has changed significantly – the computing power of mobile phones has changed exponentially while tablets and hybrid computers are all now prevalent alongside new identity form factors like the USB token.

The limitations of PIV smart cards to work with the technology that federal employees of 2020 want to use day-to-day as part of their jobs was plain to see.

To extend the use of PIV systems into mobile devices, tablets, and laptops (without in-built smart card readers), NIST developed technical guidelines on the implementation and life cycle of identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV Card.

NIST published guidelines to indicate how derived PIV credentials would enable the federal sector to leverage proofing and vetting results of current and valid PIV credentials and derive those credentials to other secure technologies for multi-factor authentication, such as mobile devices.

The guidelines are also relevant to many companies, particularly key government suppliers who look to meet federal standards.

THE SOLUTION

To demonstrate how the federal sector and companies could take advantage of derived PIV credentials, NCCoE built two security architectures using commercial technology that enable the issuance of a derived PIV credential to mobile devices that use Federal Identity Credentialing and Access Management shared services.

One option uses a software-only solution, while the second option uses hardware built into many computing devices used today. Both options utilise MyID credential management software.

The environment: Both options resemble a typical enterprise network using commonplace components found in federal agencies and companies across the US; identity repositories, supporting certificate authorities, and web servers.

Product and capabilities: Where possible SaaS or shared service providers (SSPs) that operate under federal policy were leveraged, such as certificate authorities operating in accordance with Federal PKI Policy Authority policy. The advantage of such providers being that federal agencies can avoid the costs associated with ongoing maintenance of such systems.

As the diagram above illustrates, there are multiple components identified in the working solution. At a critical part of the working solution sits MyID credential management.

Here, MyID credential management is central to executing the life-cycle operations; sponsorship, registration, issuance, maintenance, and termination of authentication credentials.

The MyID server platform comprises an application server, a database, and a web server. It provides connectors to infrastructure components such as hardware security modules (HSMs) and PKI, and application programming interfaces (APIs) to enable integration with the organisation’s identity and access management system. For mobile devices, the MyID Identity Agent runs as an app or an SDK embedded into an MDM and interfaces with the MyID server to support iOS and Android mobile devices and credential stores, including the device’s native key store, software key store, and microSD storage.

BENEFITS OF MYID PIV

Operating as an on-premise, hybrid cloud or fully cloud managed solution, MyID PIV software

Optimum security

Configure certificate and device issuance policies, ensuring the right people receive the right digital identities

Process-driven

Features simple, process-driven workflows for helpdesk to issue replacement devices when lost or re-enable locked devices

Easy to manage

Provides a single integrated solution to sponsor, enrol, approve, issue and lifecycle manage users and PIV credentials

Frees up IT

Frees up IT support by enabling employees to collect new certificates to their own devices through a simple self-service application

Full auditability

Maintains full auditability and reporting capabilities – allowing visibility of who issued which digital identities, to which users, and on what device; helping with audits and proof of compliance with federal policy

Ultimate integration flexibility

MyID PIV is developed to work with the IT architecture you already have, minimising impact on your existing environment and speeding up deployment

You can find the full NIST Special Publication 1800-12B; Derived Personal Identity Verification (PIV) Credentials here.

Download the case study

In this resource we look at the National Institute of Standards and Technology (NIST) and National Cybersecurity Center of Excellence (NCCoE) best practice framework for derived personal identity (PIV) credentials. We look at why NIST and NCCoE included MyID PIV credential management as part of their solution. How the overall solution works and the functionality MyID PIV credential management adds.

DOWNLOAD

Want to know more?

MyID PIV is a proven credential management system that is widely deployed across US federal government and companies. From deployments of 500 running up into the millions, MyID PIV is an integral part of FIPS 201 compliant identity and access management solutions.

demo request

Trusted By Governments and Large Enterprises Worldwide

Where protecting systems and information really matters, you will find MyID. Whether its citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose MyID to protect themselves against data breach and ensure business continuity.