NIST Releases New Cybersecurity Practice Guide for Mobile Devices

The National Institute of Standards and Technology (NIST) is excited to announce that the latest draft of Special Publication 1800-12: Derived Personal Identity Verification (PIV) Credentials is now available.

This latest draft incorporates comments on the previous draft NIST Cybersecurity Practice Guide and expands the scope to include issuing Derived PIV Credentials (DPC) to manage mobile devices using Identity, Credentials, and Access Management (ICAM) shared services.

NIST welcomes your comments and feedback, which can be supportive or critical and may include suggestions of changes or additions that you believe will improve the project.

What’s this guide about?

The federal government relies on PIV Cards to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems.

Example of a Personal Identity Verification (PIV) Smart Card (Courtesy of HID Global)

These “smart cards” contain identifying information about the user that enables strong authentication.

However, a smart card requires a smart card reader that is typically integrated into only desktop and laptop computers.

Information systems are increasingly accessed from mobile phones, tablets, and a growing number of laptops that lack integrated readers, forcing organizations to have separate authentication processes for these devices.

As a result, the mandate to use PIV systems has created the need for new means to extend into mobile devices the same security policies as those used on desktop and laptop computers with integrated readers.

The National Cybersecurity Center of Excellence (NCCoE), together with several technology vendors, has developed cybersecurity guidance that demonstrates how federal agencies can use standards-based, commercially available cybersecurity technologies to establish multi-factor authentication that meets today’s PIV standards for information systems and websites accessed by mobile devices that lack PIV Card readers.

These example implementations are documented in a NIST Cybersecurity Practice Guide, a how-to handbook that presents instructions to implement a Derived PIV Credentials (DPC) system that pushes an authentication credential into an agency-provided mobile device leveraging existing PIV systems that are already compliant with security policies.

The second draft’s reference architectures use an enterprise Credential Management System to issue credentials to a software container and hardware container to provide a convenient and secure means to authenticate a user’s identity.

Although the PIV program and the NCCoE Derived PIV Credentials Project are aimed primarily at the federal sector’s needs, both are relevant to mobile device users in the commercial sector who use smart card-based credentials or other means of authenticating identity.

(Learn More about how PIV card delivers an integrated authentication solution for standards-compliant identity and credential management. Courtesy of HID Global and YouTube.)

The NCCoE reference design includes the following capabilities:

  • Authenticate users of mobile devices using secure cryptographic authentication exchanges
  • Provide a feasible security platform based on Federal Digital Identity Guidelines
  • Utilize a public key infrastructure (PKI) with credentials derived from a PIV card
  • Support operations in PIV, PIV-Interoperable (PIV-I), and PIV-Compatible (PIV-C) environments
  • Issue PKI-based derived PIV credentials at level of assurance (LoA) 3
  • Provide logical access to remote resources hosted either in a data center or the cloud

The complete draft practice guide is available for download as a PDF or for web viewing.

NIST looks forward to receiving your comments on this draft guide regarding the approach, the architectures, and possible alternatives.

The comment period is open through October 1, 2018.

Comments will be made public after review and can be submitted anonymously. 

Submit comments online or via email to piv-nccoe@nist.gov.

(See an illustrated guide to learn more about NIST’s mission and its impact on our daily lives. Courtesy of the National Institute of Standards and Technology and YouTube.)

Learn More…

HID Global in the 2018 ‘ASTORS’ Homeland Security Awards Program

  • HID Global

    • Gold ‘ASTORS’ Award Winner
    • HID PIV (Personal Identity Verification)
    • Best Integrated Security Management Solution

AST focuses on Homeland Security and Public Safety Breaking News, the Newest Initiatives and Hottest Technologies in Physical & IT Security, essential to meeting today’s growing security challenges.

The 2018 ‘ASTORS’ Homeland Security Awards Program is organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, Border Security, First Responders (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech), as well as the Federal, State, County and Municipal Government Agencies – to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’


Over 100 distinguished guests from National, State and Local Governments, and Industry Leading Corporate Executives from companies allied to Government, gathered from across North America and the Middle East to be honored from disciplines across the Security Industry in their respective fields which included:

  • The Department of Homeland Security
  • U.S. Customs and Border Protection
  • The Department of Justice
  • The Security Exchange Commission
  • State and Municipal Law Enforcement Agencies
  • The Royal Canadian Mounted Police
  • Leaders in Private Security

Nominations are now being accepted for the 2018 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.

American Security Today will be holding the 2018 ‘ASTORS’ Awards Presentation Luncheon to honor Nominees, Finalists and Winners in November 2018, in New York City.

To Learn More about the ‘ASTORS’ Homeland Security Awards Program, see 2017 ‘ASTORS’ Homeland Security Award Winners Honored at ISC East.

To learn more about HID PIV, please visit the HID Global website to view their full line of offerings at https://www.hidglobal.com/.

The 2017 ‘ASTORS’ Homeland Security Awards Presentation Luncheon

For ‘ASTORS’ Sponsorship Opportunities and More Information on the AST 2018 ‘ASTORS’ Homeland Security Awards Program, please contact Michael Madsen, AST Publisher at: mmadsen@americansecuritytoday.com or call 732.233.8119 (mobile) or 646-450-6027 (office).