4.3 Configuring MyID for non-Federal issuers (PIV-I and CIV)

You can issue PIV, PIV-I and CIV smart cards in the same MyID installation. However, there are some differences in how MyID should be configured and in the methods used for adding user data.

It is also possible to issue other non-PIV credential types, such as certificates for mobile devices, Microsoft Virtual Smart Cards or software certificates from the same system.

4.3.1 PIV support levels

The following table describes each PIV support level that can be achieved with MyID, and describes some of the differences between them.

| PIV support level | Description | User data entry method | In PIV | In core |
|---|---|---|---|---|
| FIPS 201 PIV | Use of PIV card technology for federal agencies following FIPS 201 requirements. Agency code is present but not 9999. Specific PKI requirements for trust to the federal bridge. Note: You must ensure any additional processes required for identity proofing and registration take place, in accordance with FIPS 201 guidelines where applicable, before marking the user record as User Data Approved. | LDAP, PIV Lifecycle API, or Manual | Yes | No |
| PIV-I | Use of PIV card technology for associates or contractors to Federal agencies. Agency code is 9999. Specific PKI requirements for trust to the federal bridge. | LDAP, PIV Lifecycle API, or Manual | Yes | No |
| CIV – with CHUID or Applet personalization | Use of PIV card technology, where the format and source of the CHUID and PIV applet data is the same as PIV or PIV-I. PIV attributes required for card issuance. Agency code is 9999. No specific PKI requirements. | LDAP, PIV Lifecycle API, or Manual | Yes | No |
| Custom CIV | The format or source of the CHUID and PIV applet data is different to PIV or PIV-I. PIV attribute values on the card may be hard coded to predetermined values. | As Project Requirement | No | Yes* |
| CIV – certificates only | Use of PIV card technology, with no CHUID or PIV applet data personalization. No PIV attributes required. | LDAP, Core Lifecycle API or Manual | Yes | Yes |
| Non-PIV | Not using PIV card technology. No PIV attributes required. | LDAP, Core Lifecycle API or Manual | Yes | Yes |

* With CIV module installed. Further customization may be needed.

Because of the differing requirements of PIV, PIV-I and CIV, there are some additional aspects of configuration and user data that must be considered.

4.3.2 Issuing cards to the correct users

You must ensure that FIPS 201 PIV and PIV-I cards can only be issued to genuine PIV Applicants who have been through all the relevant enrollment business processes in accordance with FIPS 201.

You must set up the credential profiles for FIPS 201 to require that the user account has the Require user data to be approved option set. This ensures that only user accounts that have been through the appropriate enrollment and verification processes (managed using an external system such as an IDMS) can receive FIPS 201 PIV cards.

You must make sure that FIPS 201 PIV certificate policies and printed card layouts are only assigned to credential profiles that have the Require user data to be approved option set.

You must restrict the roles that are permitted to issue and receive the FIPS 201 PIV and PIV-I credential profiles. Cards can be requested using the MyID GUI as well as the Lifecycle API; the profiles available for selection are restricted based on the roles held by the current operator requesting the card and by the person selected to receive the card.

4.3.3 Maintaining multiple populations in a single system

Separation between PIV, PIV-I and CIV card holders can be achieved by registering each Non-Federal Issuer as a separate Group within MyID. Operator access to each group can be controlled using Scope rules, and if necessary ‘Administrative Groups’. Further information about these features can be found in the Scope and security and Administrative groups sections of the Administration Guide.

Security may be extended further by creating specific roles for each Group, and restricting roles that can belong to the group to those that can issue, manage or be issued PIV-I or CIV cards. Credential profiles for PIV-I or CIV cards can then also be restricted to these roles. This will ensure the role separation that is required to distinguish cards issued using the FIPS 201 process and those that are PIV‑I or CIV.

The following diagram illustrates a recommended configuration for an installation supporting issuance of PIV and PIV-I cards:

4.3.4 Adding applicants

The method you use to add applicants to MyID depends on the type of user.

Note: If you attempt to issue cards where the credential profile in MyID uses a data model that requires PIV attributes, but the attributes are not present on the user account, card issuance will fail.
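The checks described in 4.3.2 (approved user data, issuing and receiving roles) and the note above (PIV attributes required by the data model), together with the agency-code rule from the support-level table, can be modelled as a single pre-issuance validation. The following is an added example, not MyID's own code or API: the class names, field names, role names, the minimal attribute set and the sample accounts are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the pre-issuance checks described in 4.3.2 and 4.3.4.
# Class names, field names and the role/attribute values are assumptions made
# for illustration; they are not MyID's data model, API or configuration format.

NFI_AGENCY_CODE = "9999"  # agency code used by PIV-I and CIV (support-level table)
REQUIRED_PIV_ATTRIBUTES = ("agency_code", "fascn")  # assumed minimal set for the data model


@dataclass(frozen=True)
class CredentialProfile:
    name: str
    support_level: str              # "FIPS 201 PIV", "PIV-I", "CIV" or "Non-PIV"
    require_user_data_approved: bool
    requires_piv_attributes: bool   # the profile's data model needs PIV attributes
    issuing_roles: frozenset        # roles allowed to request this profile
    receiving_roles: frozenset      # roles allowed to receive this profile


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset
    user_data_approved: bool = False
    piv_attributes: dict = field(default_factory=dict)


def profile_configuration_problems(profile):
    """Configuration check from 4.3.2: a FIPS 201 PIV profile must insist on approved user data."""
    problems = []
    if profile.support_level == "FIPS 201 PIV" and not profile.require_user_data_approved:
        problems.append(f"{profile.name}: FIPS 201 profile without 'Require user data to be approved'")
    return problems


def issuance_problems(profile, operator, applicant):
    """Return every reason the request fails; an empty list means it passes all modelled checks."""
    problems = []
    if not profile.issuing_roles & operator.roles:
        problems.append(f"operator {operator.name} holds no role permitted to issue {profile.name}")
    if not profile.receiving_roles & applicant.roles:
        problems.append(f"{applicant.name} holds no role permitted to receive {profile.name}")
    if profile.require_user_data_approved and not applicant.user_data_approved:
        problems.append(f"user data for {applicant.name} has not been approved")
    if profile.requires_piv_attributes:
        missing = [a for a in REQUIRED_PIV_ATTRIBUTES if not applicant.piv_attributes.get(a)]
        if missing:
            # 4.3.4: issuance fails when the data model needs attributes the account lacks
            problems.append("PIV attributes missing from account: " + ", ".join(missing))
        else:
            code = applicant.piv_attributes["agency_code"]
            if profile.support_level == "FIPS 201 PIV" and code == NFI_AGENCY_CODE:
                problems.append("agency code 9999 is reserved for non-Federal issuers")
            if profile.support_level in ("PIV-I", "CIV") and code != NFI_AGENCY_CODE:
                problems.append(f"{profile.support_level} requires agency code {NFI_AGENCY_CODE}")
    return problems


# Constructed sample configuration and accounts
FIPS201_PROFILE = CredentialProfile(
    "Federal PIV", "FIPS 201 PIV", require_user_data_approved=True, requires_piv_attributes=True,
    issuing_roles=frozenset({"PIV Issuer"}), receiving_roles=frozenset({"PIV Applicant"}))
PIVI_PROFILE = CredentialProfile(
    "Contractor PIV-I", "PIV-I", require_user_data_approved=True, requires_piv_attributes=True,
    issuing_roles=frozenset({"PIV-I Issuer"}), receiving_roles=frozenset({"PIV-I Applicant"}))

FEDERAL_OPERATOR = Account("fed-op", frozenset({"PIV Issuer"}))
CONTRACTOR_OPERATOR = Account("nfi-op", frozenset({"PIV-I Issuer"}))
APPROVED_EMPLOYEE = Account("alice", frozenset({"PIV Applicant"}), True,
                            {"agency_code": "1234", "fascn": "<constructed>"})
UNAPPROVED_EMPLOYEE = Account("bob", frozenset({"PIV Applicant"}), False,
                              {"agency_code": "1234", "fascn": "<constructed>"})
CONTRACTOR = Account("carol", frozenset({"PIV-I Applicant"}), True,
                     {"agency_code": "9999", "fascn": "<constructed>"})

if __name__ == "__main__":
    for prof, op, who in [(FIPS201_PROFILE, FEDERAL_OPERATOR, APPROVED_EMPLOYEE),
                          (FIPS201_PROFILE, FEDERAL_OPERATOR, UNAPPROVED_EMPLOYEE),
                          (FIPS201_PROFILE, CONTRACTOR_OPERATOR, CONTRACTOR),
                          (PIVI_PROFILE, CONTRACTOR_OPERATOR, CONTRACTOR),
                          (PIVI_PROFILE, CONTRACTOR_OPERATOR, APPROVED_EMPLOYEE)]:
        print(f"{prof.name} -> {who.name}:", issuance_problems(prof, op, who) or "OK")
```

The function returns every failing check rather than stopping at the first, which is the form an operator or an audit script needs: a request that fails because the applicant is in the wrong population usually fails the role check, the approval check and the agency-code check at once, and seeing all three makes it obvious the request was aimed at the wrong credential profile rather than at a single missing attribute.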

4.3.5 Operator permissions

You must ensure that applicants with PIV attributes can be administered only by operators who have been permitted to do so.

User accounts that hold the PIV Applicant role (as set at import) cannot be edited using the Edit Person screen. Instead, you can use the PIV applicant editing screens. See section 5.15, Editing PIV applicants for details.

PIV attributes are visible in View Person and during card issuance and management operations.

If access to these records is to be limited, you can set group and scope restrictions to control access to user accounts. By putting PIV applicants in a specific group or group hierarchy, you can limit access to these applicants based on MyID scope restrictions. If access to these users is needed by operators outside of this group hierarchy, you can use the Administrative Groups feature to assign access.
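The separation described in 4.3.3 and above (one group per Non-Federal Issuer, operator access limited by scope, and Administrative Groups for access outside an operator's own hierarchy) can be modelled as a small group-tree check. This is an added example, not MyID's own code or configuration format: the group hierarchy, the scope names ("group", "group_tree", "all") and the assumption that an Administrative Group grant covers the granted group and its descendants are constructed for illustration; MyID's actual scope rules are defined in its Administration Guide.

```python
from dataclasses import dataclass

# Constructed model of the group, scope and Administrative Groups controls
# described in 4.3.3 and 4.3.5. The hierarchy, scope names and rules below are
# assumptions for illustration, not MyID's own configuration.

# child group -> parent group; None marks the root (constructed hierarchy)
GROUP_PARENT = {
    "Agency": None,
    "Federal PIV": "Agency",
    "Non-Federal Issuers": "Agency",
    "Vendor A PIV-I": "Non-Federal Issuers",
    "Vendor B CIV": "Non-Federal Issuers",
}


def is_within(group, root):
    """True if 'group' is 'root' or one of its descendants."""
    while group is not None:
        if group == root:
            return True
        group = GROUP_PARENT[group]
    return False


@dataclass(frozen=True)
class Operator:
    name: str
    group: str
    scope: str                              # "group", "group_tree" or "all" (simplified)
    admin_groups: frozenset = frozenset()   # extra groups granted via Administrative Groups


@dataclass(frozen=True)
class Applicant:
    name: str
    group: str


def can_administer(operator, applicant):
    """Scope rule first, then any Administrative Group grant."""
    if operator.scope == "all":
        return True
    if operator.scope == "group" and applicant.group == operator.group:
        return True
    if operator.scope == "group_tree" and is_within(applicant.group, operator.group):
        return True
    # Administrative Groups: access outside the operator's own hierarchy; assumed here
    # to cover the granted group and its descendants
    return any(is_within(applicant.group, g) for g in operator.admin_groups)


def visible_applicants(operator, applicants):
    """Names of the applicants this operator may view or manage, sorted."""
    return sorted(a.name for a in applicants if can_administer(operator, a))


# Constructed population: one FIPS 201 applicant and two Non-Federal Issuer applicants
APPLICANTS = [
    Applicant("alice", "Federal PIV"),
    Applicant("carol", "Vendor A PIV-I"),
    Applicant("dave", "Vendor B CIV"),
]
FEDERAL_OPERATOR = Operator("fed-op", "Federal PIV", "group")
NFI_OPERATOR = Operator("nfi-op", "Non-Federal Issuers", "group_tree")
VENDOR_A_OPERATOR = Operator("vendor-a-op", "Vendor A PIV-I", "group")
# A Federal-side operator granted Vendor B's group through Administrative Groups
HELPDESK = Operator("helpdesk", "Federal PIV", "group", admin_groups=frozenset({"Vendor B CIV"}))

if __name__ == "__main__":
    for op in (FEDERAL_OPERATOR, NFI_OPERATOR, VENDOR_A_OPERATOR, HELPDESK):
        print(op.name, "can administer:", visible_applicants(op, APPLICANTS))
```

Keeping each issuer under its own group, and giving issuer operators a scope no wider than that group or its subtree, is what keeps a PIV-I or CIV operator from ever seeing a FIPS 201 applicant record; the Administrative Group grant is the explicit, reviewable exception for the cases where cross-population access is genuinely needed.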

4.3.6 Business rules

Specific business rules that apply to FIPS 201 PIV, PIV-I and CIV cardholders that will not affect other users managed by MyID:

4.3.7 Authentication

As non-PIV and CIV cardholders may not be required to register biometric data, you must ensure that authentication settings are configured appropriately to provide the required level of security for self-service operations.

4.3.8 Summary of requirements for PIV-I and CIV

When issuing PIV-I and CIV cards, make the following changes: