Mobility

NIST releases new guidelines for deploying PIV credentials to mobile devices

iPhone 5

The National Institute for Standards and Technology has released new guidelines for public comment regarding Derived Personal Identity Verification credentials.

The draft Special Publication (SP) 800-157, released March 7, defines technical specifications for implementing and deploying Derived PIV credentials to smartphones, tablets, iPads and other mobile devices.

The draft guidelines are essentially the government’s response to the challenges encountered in authenticating mobile devices.

While the Federal Information Processing Standard 201 developed in the mid-2000s created a common set of credentials that is used government-wide, mobile devices don’t have integrated smart card readers to provide the same kind of authentication. Some agencies use a combination of a PIV card and separate card readers for mobile device authentication, and others might use near field communication to read PIV cards from NFC-enabled mobile devices.

SP 800-157 addresses the latter option, in which a derived token is deployed directly on an agency-issued mobile device.

“SP 800-157 does not address use of the PIV Card with mobile devices, but instead provides an alternative to the PIV Card in cases in which it would be impractical to use the PIV Card,” the guidelines state. “Instead of the PIV Card, SP 800-157 provides an alternative token, which can be implemented and deployed directly on mobile devices (such as smart phones and tablets).” This is the  “derived PIV credential.” NIST said the “use of a different type of token greatly improves the usability of electronic authentication from mobile devices to remote IT resources.”

The derived credential is viewed by many as an important milestone in government in terms of maximizing the effectiveness of mobile technology, and NIST guidance combined with industry feedback will play a key role in its creation and potentially in shaping future mobile polices.

“Even though we’ve been patiently waiting for the NIST document, that is only one step that needs to occur for derived credential,” said Mark Norton, a senior engineer at the Defense Department. Norton was one of several panelists who spoke at the Federal Mobile Computing Summit on March 7 in Washington.

“There are many things that need to fall into place,” Norton added.

The public comment period runs through April 21. 

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected