Washington, DC - Download the Latest Draft Cybersecurity Practice Guide:

What's the guide about?

The Federal Government relies on PIV cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems. PIV cards require a smart card reader that is typically integrated in desktop and laptop computers. Increasingly, employees are performing work on mobile devices, such as cell phones and tablets, which lack smart card readers. External readers are available, but they are an additional cost and cumbersome to use. As a result, the mandate to use PIV systems has pushed for new means to extend into mobile devices the same security policies as those used on desktop and laptop computers.

 The NCCoE has demonstrated a feasible security platform based on federal PIV standards that use Derived PIV Credentials (DPC) in a manner that meets security policies. This example implementation is documented as a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a DPC system with standards-based cybersecurity technology. This practice guide helps organizations to meet authentication standards and provide users access to the information they need using the devices they prefer without having to purchase expensive and cumbersome external smart card readers. Mobile device users are authenticated through secure cryptographic authentication exchanges using a public key infrastructure (PKI) with credentials derived from a PIV card helping to ensure that strict security policies are met.

Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity.

The full draft practice guide is also available for download in PDF or web viewing.