3 Using MyID for FIPS 201-3
The key business processes that are covered by FIPS 201-3 are:
- PIV identity proofing and registration
- PIV card issuance
- PIV card reissuance
- PIV card post-issuance update
- PIV card verification data reset
- PIV card termination
These rules apply to PIV and PIV-I cards. They do not apply to CIV cards or other credential types.
The standards governing PIV were revised in 2022 to address changing technical and business process requirements. MyID has been updated to support the following changes in FIPS 201-3:
- Authenticator types for PIV derived credentials

  The range of authenticator types that can be used for PIV Derived Credentials through the Self-Service Request Portal has been extended to allow a broader range of multi-factor cryptographic devices that meet the requirements for Authenticator Assurance Level (AAL) 2 or 3 as specified in the associated technical standard SP 800-63B. This could include FIDO Tokens, Microsoft Virtual Smart Cards, and Windows Hello for Business in addition to alternative smart cards, USB Tokens and mobile devices.

  See the Setting up the credential profiles for derived credentials section in the Derived Credentials Self-Service Request Portal guide.
- Notification of derived credential requests

  MyID can now generate an email notification to the PIV cardholder when they request PIV Derived Credentials. Depending on configuration, this can use an email address collected from the PIV credential, or the email address stored in MyID, which may include information retrieved from a connected directory.

  See the Configuring email notifications section in the Derived Credentials Self-Service Request Portal guide or the Configuring email notifications section in the Derived Credentials Configuration Guide for details.

  MyID can also be configured to block requests for derived credentials if no email address can be located.

  See the Requiring an email address section in the Derived Credentials Self-Service Request Portal guide or the Requiring an email address section in the Derived Credentials Configuration Guide for details.

  Upon canceling devices issued by MyID, an email notification can also be sent to the PIV cardholder to inform them that revocation has taken place.

  See the Editing the cancellation email template section in the Derived Credentials Self-Service Request Portal guide or the Editing the cancellation email template section in the Derived Credentials Configuration Guide.
- Updates to identity document lists

  The list of suitable identity document types that can be captured during PIV Enrollment has been revised in line with changes in FIPS 201-3.

  See section 5.17, Identity documents for details.
- Amendments to card layouts

  Default PIV card layouts in MyID 12.4.0 or later will not include Zone 6F: Portable Data File (PDF) 417 Two-Dimensional Bar Code as it is now deprecated. If you are upgrading from an earlier version of MyID, no modifications are automatically applied to existing layouts in your installation – you must review your use of this element and modify your card layouts as required.

  See section 5.4.1, Updating existing card layouts for details.
- Capturing the client location in MyID audit records

  PIV enrollment may take place across multiple visits, in different locations, and may be carried out by different people at each step. To help create a log of the activities that have taken place, MyID can now track where an activity took place and capture this information in the MyID audit trail.

  See the Logging the client IP address and identifier and Specifying a custom client identifier sections in the Administration Guide for details.
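The following is an added illustration, not MyID's own code or API, of two of the behaviours described above: resolving the cardholder's notification address from either the PIV credential or the stored record (with the configurable "block if no address is found" rule from the Notification of derived credential requests item), and recording the client IP address and client identifier in the resulting audit record (from the Capturing the client location item). All class and function names, the configuration flags, and the sample card and cardholder data are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for the attributes read from a PIV card's certificates.
# A PIV certificate's Subject Alternative Name may carry an rfc822Name with
# the cardholder's email address alongside other identifiers such as the FASC-N.
@dataclass
class PivCredential:
    fasc_n: str
    san_entries: list[tuple[str, str]]   # (SAN type, value) pairs, hypothetical shape


@dataclass
class CardholderRecord:
    """Cardholder data held in MyID; directory_email models a value synced from a connected directory."""
    email: Optional[str] = None
    directory_email: Optional[str] = None


@dataclass
class NotificationConfig:
    prefer_credential_email: bool = True   # consult the card before the stored record
    require_email: bool = False            # block the request when no address is found


class RequestBlocked(Exception):
    """Raised when policy requires an email address and none can be located."""


def email_from_credential(cred: PivCredential) -> Optional[str]:
    """Return the first rfc822Name SAN entry that looks like an address, normalised."""
    for san_type, value in cred.san_entries:
        if san_type == "rfc822Name" and "@" in value:
            return value.strip().lower()
    return None


def email_from_record(record: CardholderRecord) -> Optional[str]:
    """Return the stored address, falling back to the directory-synced one."""
    for value in (record.email, record.directory_email):
        if value and "@" in value:
            return value.strip().lower()
    return None


def resolve_notification_email(cred: PivCredential, record: CardholderRecord,
                               cfg: NotificationConfig) -> Optional[str]:
    """Apply the configured source order and return the first address found, or None."""
    lookups = [lambda: email_from_credential(cred), lambda: email_from_record(record)]
    if not cfg.prefer_credential_email:
        lookups.reverse()
    for lookup in lookups:
        address = lookup()
        if address:
            return address
    return None


def handle_derived_credential_request(cred: PivCredential, record: CardholderRecord,
                                      cfg: NotificationConfig,
                                      client_ip: str, client_id: str) -> dict:
    """Resolve the notification address (blocking if policy demands one) and build
    the audit record for the request, including where the request came from."""
    address = resolve_notification_email(cred, record, cfg)
    if address is None and cfg.require_email:
        raise RequestBlocked(f"no email address located for FASC-N {cred.fasc_n}")
    return {
        "activity": "derived_credential_request",
        "fasc_n": cred.fasc_n,
        "notification_email": address,      # None means no notification can be sent
        "client_ip": client_ip,             # logged client IP address
        "client_id": client_id,             # custom client identifier (e.g. a kiosk name)
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample data; the FASC-N is a placeholder, not a real value.
    card = PivCredential("FASC-N-PLACEHOLDER",
                         [("otherName", "FASC-N-PLACEHOLDER"),
                          ("rfc822Name", "Jane.Doe@agency.example")])
    stored = CardholderRecord(email="stored@agency.example")
    print(handle_derived_credential_request(card, stored, NotificationConfig(),
                                            "10.0.0.5", "enrolment-kiosk-01"))
```

With `prefer_credential_email=True` the address on the card wins and the stored record is only a fallback; with `require_email=True` a request from a card and record that both lack an address is rejected before any audit record is written, which mirrors the "requiring an email address" option described above.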