Announcing Issuance of Federal Information Processing Standard (FIPS) 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors, 3502-3504 [2022-01246]
[Federal Register Volume 87, Number 15 (Monday, January 24, 2022)]
[Notices]
[Pages 3502-3504]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-01246]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 211115-0232]
Announcing Issuance of Federal Information Processing Standard
(FIPS) 201-3, Personal Identity Verification (PIV) of Federal Employees
and Contractors
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces the Secretary of Commerce's approval of
Federal Information Processing Standard (FIPS) Publication 201-3,
Personal Identity Verification (PIV) of Federal Employees and
Contractors. FIPS 201-3 includes clarifications to existing text,
additional text in cases where there were ambiguities, adaptation to
changes in the environment since the publication of FIPS 201-2, and
specific changes requested by Federal agencies and implementers.
DATES: FIPS 201-3 is effective on January 24, 2022.
ADDRESSES: FIPS 201-3 is available electronically from the NIST website
at: https://csrc.nist.gov/publications/fips. Comments that were
received on the proposed changes will also be published electronically
at https://csrc.nist.gov/projects/piv and at https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Hildegard Ferraiolo, (301) 975-6972,
National Institute of Standards and Technology, 100 Bureau Drive, Mail
Stop 8930, Gaithersburg, MD 20899-8930, email:
hildegard.ferraiolo@nist.gov, or Andrew Regenscheid, (301) 975-5155,
andrew.regenscheid@nist.gov.
SUPPLEMENTARY INFORMATION: FIPS 201 establishes a standard for a
Personal Identity Verification (PIV) system (Standard) that meets the
control and security objectives of Homeland Security Presidential
Directive-12 (HSPD-12). It is based on secure and reliable forms of
identity credentials issued by the Federal Government to its employees
and contractors. These credentials are used by mechanisms that
authenticate individuals who require access to federally controlled
facilities, information systems, and applications. This Standard
addresses requirements for initial identity proofing, infrastructure to
support interoperability of identity credentials, and accreditation of
organizations issuing PIV credentials.
FIPS 201 was issued in 2005 (70 FR 17975) in response to HSPD-12.
Subsequent revisions included FIPS 201-1, published in 2006, and FIPS
201-2 (the version in effect), published in 2013 (78 FR 54626). In
consideration of technological advancements over the last five years
and specific requests for changes from United States Government (USG)
stakeholders, NIST determined that a third revision of FIPS 201 was
warranted. NIST received numerous change requests, some of which, after
analysis and coordination with the Office of Management and Budget
(OMB) and USG stakeholders, were incorporated in a proposed draft of
FIPS 201-3. Other change requests incorporated in the draft resulted
from the 2019 Business Requirements Meeting held at NIST. The meeting
focused on business requirements of Federal departments and agencies.
On November 3, 2020, a notice was published in the Federal Register (85
FR 69599), soliciting public comments on the draft FIPS 201-3. During
the public comment period, a virtual public workshop was hosted by NIST
on December 9, 2020.
The scope of changes reflected in FIPS 201-3 includes the following:
• Alignment with current NIST technical guidelines on identity
management, OMB policy guidelines, and changes in commercially-available
technologies and services.
• Accommodation of additional types of authenticators through an
expanded definition of Derived PIV credentials.
• Focus on the use of federation to facilitate interoperability and
interagency trust.
• Addition of supervised remote identity proofing processes.
• Removal of the previously deprecated Cardholder Unique Identifier
(CHUID) authentication mechanism and deprecation of the symmetric card
authentication key and visual authentication mechanisms (VIS).
• Support for the secure messaging authentication mechanism (SM-AUTH).
Comments and questions regarding the draft were submitted by USG
organizations, private sector organizations, and private individuals.
NIST made several changes to the draft FIPS 201-3 based on the public
comments received.
Many commenters asked for clarification of the text of the Standard
and/or recommended editorial and/or formatting changes. Other
commenters suggested modifying the requirements and asked questions
concerning the implementation of the Standard. All of the suggestions,
questions, and recommendations within the scope of this FIPS were
carefully reviewed, and changes were made to the Standard, where
appropriate. Some commenters submitted questions or raised issues that
were related but outside the scope of this FIPS. Comments that were
outside the scope of this FIPS, but that were within the scope of one
of the related Special Publications, were deferred for later
consideration in the context of the revisions to these Special
Publications. The disposition of each comment that was received has
been provided along with the comments at https://csrc.nist.gov.
The following is a summary and analysis of the comments received
during the public comment period, and NIST's responses to them:
1. Comment: Some commenters inquired about the effective date of
the Standard. Commenters also inquired about the implementation
schedule associated with the changes introduced in the Standard, once
the Standard is in effect.
Response: FIPS 201-3 will be effective immediately upon final
publication, superseding FIPS 201-2. The effective date of new and
updated features depends upon the release of revised NIST Special
Publications or the release of new NIST Special Publications that will
be developed following the publication of this Standard. The
implementation schedule may be reflected in NIST's Special Publications
or may be provided separately by OMB, as appropriate.
2. Comment: Multiple commenters asked for clarification of the
terms PIV account and enrollment records.
Response: New terminology was introduced to define PIV identity
account rather than PIV account. The PIV identity account is the
cardholder's identity account for PIV credentials including derived PIV
credentials. It includes stored or linked contents of enrollment
records.
3. Comment: There were multiple commenters who asked for guidance
on biometrics and their use in PIV lifecycle processes. The comments
related to the type of the biometrics on cards and how long the
biometrics were valid.
Response: FIPS 201-3 expands the use of optional biometric
modalities (e.g., iris) for issuance and maintenance. The Standard also
defines the use of an automated facial comparison algorithm as a biometric
modality. The Standard maintains the 12-year maximum lifetime for
biometrics since studies show that the biometric can be matched for
that length of time.
4. Comment: Multiple commenters had concerns about the requirements
for validating identity source documents and the requirements for REAL-
ID driver's licenses.
Response: NIST emphasized that there are existing requirements to
validate identity source documents to be genuine, authentic and
unexpired. REAL-ID compliance requirements are clarified by referring
to DHS's enforcement guidance.
5. Comment: Commenters had concerns about the supervised remote
identity proofing processes introduced in the draft FIPS 201-3. Some
commenters sought greater allowances for remote proofing such as
unstaffed stations. Clarification was sought on the intended use of the
process, requirements for staff at remote sites and the protections
applied to remote stations.
Response: The Standard emphasizes the need for staff to maintain
the same level of assurance as in-person processes and to perform
sensitive protection and maintenance activities at remote stations.
6. Comment: Several commenters requested detailed instructions on
reporting card termination.
Response: The Standard was updated to reflect termination in the
card management system and in enrollment records.
7. Comment: Several commenters requested changes on the management
of derived PIV credentials.
Response: The Standard clarifies processes and terms regarding the
issuance or binding of derived PIV credentials to PIV identity
accounts. The updates to the Standard include requirements and guidance
on re-issuance and post-issuance management of Public Key
Infrastructure (PKI) and non-PKI derived PIV credentials.
8. Comment: Some commenters asked that FIPS 201-3 include periodic
privacy impact assessments on all PIV related systems.
Response: The Standard was updated to require periodic review of
Privacy Impact Assessment.
9. Comment: Several commenters raised concerns related to the
requirement for the PIV Card to enforce a blacklist of disallowed PINs.
They did not feel the technology was available to enable cards to
maintain the blacklist and to provide automated enforcement of selected
PINs.
Response: The Standard removed the requirement due to the
complexity of enforcing a blacklist by the PIV Card. Instead, the
Standard specifies that the card holder be guided to select a strong
PIN that is not easily guessable or commonly used.
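Because the response above moves PIN-quality enforcement off the card, the check has to live in the issuer's enrollment or card-management software that guides the cardholder. The following Python is an added illustration of such a client-side check; it is not code from FIPS 201-3 or from any NIST tool. The length bounds (6-8 digits) and the denylist entries are assumptions chosen for the example; an agency would set the bounds from the Standard's PIN requirements and maintain its own list of commonly used PINs.

```python
import re

# Assumed numeric PIN length bounds for this example; set them from the
# Standard's own PIN requirements for a real deployment.
MIN_LEN, MAX_LEN = 6, 8

# Constructed denylist of commonly used PINs. An agency would maintain its
# own list; these entries are illustrative only.
COMMON_PINS = frozenset({
    "123456", "654321", "111111", "000000", "123123", "112233", "121212",
    "12345678", "87654321", "11111111", "00000000",
})


def _is_monotonic_run(pin: str) -> bool:
    """True for PINs like 123456 or 876543 where every step is +1 or -1."""
    if len(pin) < 2:
        return False
    diffs = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    return all(d == 1 for d in diffs) or all(d == -1 for d in diffs)


def _is_repeated_block(pin: str) -> bool:
    """True when a block of two or more digits is repeated to fill the PIN
    (121212, 123123, 11221122). Single-digit repeats are reported separately."""
    if len(set(pin)) == 1:
        return False
    for block_len in range(2, len(pin) // 2 + 1):
        if len(pin) % block_len == 0:
            block = pin[:block_len]
            if block * (len(pin) // block_len) == pin:
                return True
    return False


def check_pin(pin: str) -> list[str]:
    """Return the reasons a candidate PIN is weak; an empty list means acceptable."""
    problems: list[str] = []
    if not re.fullmatch(r"[0-9]+", pin):
        problems.append("must contain only digits 0-9")
        return problems  # the remaining checks assume ASCII digits
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} digits")
    if pin in COMMON_PINS:
        problems.append("appears on the commonly used PIN list")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if _is_monotonic_run(pin):
        problems.append("ascending or descending digit sequence")
    if _is_repeated_block(pin):
        problems.append("short block repeated to fill the PIN")
    return problems


def is_strong_pin(pin: str) -> bool:
    """Convenience wrapper for the enrollment UI: accept only a clean result."""
    return not check_pin(pin)


if __name__ == "__main__":
    # Constructed candidates a cardholder might type during enrollment.
    for candidate in ["123456", "777777", "121212", "12ab56", "483921"]:
        verdict = check_pin(candidate)
        print(candidate, "OK" if not verdict else "; ".join(verdict))
```

The check returns every reason a PIN fails rather than the first one, so the enrollment interface can tell the cardholder what to avoid; the denylist lookup and the structural tests (runs, repeats, single digits) cover the "commonly used" and "easily guessable" cases the response names.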
10. Comment: Some commenters asked to maintain use of the magnetic
stripe and not deprecate it in this version of the Standard.
Response: NIST confirmed the deprecation of the magnetic stripe in
this version of the Standard with potential removal in a future
revision. Use of the magnetic stripe is still allowed during the
deprecation phase but it should begin to be phased out.
11. Comment: Some commenters had concerns on the removal of Legacy
PKI. Some commenters asked NIST to clarify how a cross-certified PKI
will operate as agencies transition away from Legacy PKI
implementations. Others asked that Legacy PKI use remain in the
Standard.
Response: The Standard was revised to allow departments and
agencies that operate their own PKIs to issue digital signature and key
management certificates according to agency-specified certificate
policies as an alternative to the Federal PKI Common Policy Framework
policies referenced by FIPS 201-3. To facilitate greater
interoperability and consistency of issuance practices across agencies,
the next revision of FIPS 201 will require the use of the specified
FPKI policies.
12. Comment: Several commenters asked to either reconsider removal
of the CHUID authentication mechanism or clarify the effective date.
Response: The CHUID authentication mechanism was deprecated in the
prior revision of the Standard and is designated for removal in this
revision. NIST concluded that removal of CHUID authentication is
necessary at this time and will become effective when this version of
the Standard is approved. OMB will provide additional implementation
guidance as necessary.
13. Comment: A few commenters asked that SYM-CAK not be deprecated
because it is still supported in some implementations.
Response: Even though SYM-CAK has been deprecated in this version,
its use is not prohibited. However, support will be removed in the next
revision of the Standard.
14. Comment: Commenters indicated that the Physical Assurance Level
(PAL) concept for facility access was not consistent with assurance
levels in NIST SP 800-63B.
Response: The Authenticator Assurance Levels (AAL) described in
NIST SP 800-63B are specific to network-based authentication, not
authentication for facility access. As a result, the final version of
the Standard has removed the concept of PAL and disassociated assurance
levels from NIST SP 800-63B for facility access. Instead,
authentication mechanisms are described independently from SP 800-63B
for facility access.
15. Comment: Multiple commenters expressed concern that the
description of assurance levels for logical access at local
workstations was not consistent with the AALs defined in NIST SP 800-
63B.
Response: The AALs described in NIST SP 800-63B are specified for
network-based authentication, not local authentication to workstations.
As such, the final version of the Standard describes assurance levels
for logical access to local workstations independently from the SP 800-
63B-defined AALs.
16. Comment: Several commenters asked for a more detailed
description of the operation of Federated IdPs.
Response: IdP terminology was updated to better align with the rest
of the document. Secure operation of IdPs will be covered by updates to
SP 800-79.
17. Comment: A commenter asked that the use of stable identifiers be
included in FIPS 201-3 to support interoperability among federal
agencies.
Response: The new Special Publication for Federation, SP 800-217,
will describe processes for linking PIV identity accounts to relying
party services in interoperable and extensible manners.
18. Comment: A commenter asked that there be a discussion about the
direct use and the federated use of PIV credentials.
Response: The Standard explains both the direct and the federated
use of PIV credentials. Of the two approaches, the Standard recommends
the use of federation protocol as the primary means to accept and
process PIV credentials from other agencies.
FIPS 201-3 is available electronically from the NIST website at:
https://csrc.nist.gov/publications/fips.
Authority: 15 U.S.C. 278g-3; HSPD-12
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2022-01246 Filed 1-21-22; 8:45 am]
BILLING CODE 3510-13-P