FIPS 201 Evaluation Program Announcements
|Card Printer Station||FPKIPA Annual PIV Card Issuer Testing|
|Certificate Validator||Server-based Certificate Validation Protocol Category|
|Cryptographic Module||NIST FIPS 140-2 Validation List|
|Electronic Personalization||FPKIPA Annual PIV Card Issuer Testing|
|Facial Image Capturing Camera||FPKIPA Annual PIV Card Issuer Testing|
|Facial Image Capturing Camera (Middleware)||FPKIPA Annual PIV Card Issuer Testing|
|Graphical Representation||FPKIPA Annual PIV Card Issuer Testing|
|LACS Caching Status Proxy||Server-based Certificate Validation Protocol Category|
|LACS Mobile Transparent Reader||FICAM Playbooks|
|LACS Transparent Reader||FICAM Playbooks|
|PIV Middleware||NIST PIV Middleware Certification List|
|Single Fingerprint Capture Device||FBI Certified Products List (CPL)|
|Template Generator||NIST MINEX Participation Chart|
|Template Matcher||NIST MINEX Participation Chart|
POSTED October 29, 2016
List of Categories Removed from the Approved Products List (APL)
The FIPS 201 Evaluation Program has removed the following categories, displayed in the table to the right, from the Approved Products List. After analyzing the Approved Products List categories, the Program found that:
- Many products on the APL are not for sale anymore
- Most testing and approval procedures were outdated
- Testing was already being conducted by some other Program (NIST, FBI)
Below are some resources that provide information, guidance, or a replacement certification list for some of the removed FIPS 201 categories:
- Guidance through the FICAM Playbooks
- Certified lists through other Programs such as NIST's Personal Identity Verification Program (NPIVP) for PIV Middleware and PIV Card Applications; NIST's Cryptographic Module Validation Program (CMVP) which includes a FIPS 140-2 validation list
- New processes such as the Federal Public Key Infrastructure Policy Authority (FPKIPA) Annual PIV Card Issuer Testing; Production PIV card testing for each agency; conformance testing of the PIV card's internal data, certificate conformance testing, and PACS interoperability testing
Please note the removal of these categories should not impact any procurements. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency's needs/requirements.
POSTED July 11, 2016
PD-VAL Testing Transfer
To increase alignment and efficiency of Federal PKI testing requirements and duties, Federal PKI Path Discovery and Validation (PD-VAL) Testing will be transferred from the FPKI Management Authority to the FIPS 201 Evaluation Program. This will have no impact on vendors currently certified on the PDVAL Product List or Approved Product List.
POSTED June 23, 2016
PIV Cards Using Random Number Generator (RNG) to be Removed from Approved Products List
According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date - up to June 30, 2023.
POSTED April 12, 2016
GSA Document Signing Tool
We'd like to announce that the GSA Document Signing Tool (aka PKCS#7 Tool) source code is now available on GitHub . Moving forward, the community may contribute to enhancements, bug fixes, and new features for the GSA Document Signing Tool directly. Community members may clone the source code from the GSA GitHub repository and submit any additions via new branches and pull requests. If you are new to GitHub and need instructions on how to use the GitHub features, please reference the GitHub help page.
If you have any questions, comments, or issues with the GSA Document Signing Tool, feel free to post your comments in the "Issues" section of the GSA Document Signing Tool GitHub site.
As new questions are posted to the "Issues" section, all members in the community may contribute to answering and/or helping with any code enhancements. We encourage community members to actively contribute and share their contributions with everyone.
POSTED June 13, 2014
Tri-interface PIV Cards to be Removed from the Approved Products List
The FIPS 201 Evaluation Program received and analyzed multiple comments on the removal of tri-interface cards from the Approved Products List (APL). To provide further clarification, tri-interface cards refers to PIV cards that have additional non-PIV authentication features such as a mag stripe and 125 kHz antenna. The Program has been asked to remove these types of cards from the APL because they have become an enabler for some buildings to postpone or altogether avoid deploying compliant Physical Access Control Systems (PACS); our intent was to close this loophole. Two years ago, the Program removed transparent readers from the APL to align products with policy and standards by utilizing PKI for PACS and LACS. We are now removing tri-interface cards from the APL so buildings can migrate away from legacy forms of access control and align with policy and directives.
While we received mostly very positive feedback about this decision, we have received feedback that highlighted a number of legitimate use cases that we would be negatively impacting agencies. The Program is going to delay the removal of the tri-interface cards from the APL from 6 to 18 months. In 18 months the FIPS 201 Evaluation Program will no longer test or list tri-interface cards on the APL. Note that PIV Issuers are required to use APL approved card stock, so beginning in 18 months issuance of tri-interface PIV cards will not be allowed.