FIPS 201 Evaluation Program Announcements
POSTED March 31, 2021
Physical Access Control System (PACS) Functional Requirements Test Cases (FRTC) Update Released
PACS FRTC v1.4.2 Revision A has been published and is in effect immediately. This update includes optional test cases associated with the following functionalities:
- Secure Messaging (SM)
- On-Card Comparison (OCC)
- Backend Registration for PACS
Additionally, a new testing procedure called the FRTC Express has been published and will be enacted for those solutions that have previously undergone full testing. The FRTC Express is aimed at streamlining testing associated with solution updates.
Associated document updates are available on the FIPS 201 Evaluation Program page.
POSTED December 11, 2020
Category Removed from the Approved Products List (APL)
The FIPS 201 Evaluation program will be removing card holders (also known as badge holders or electromagnetically opaque sleeves) from the Approved Products List on January 31st, 2021. GSA will no longer accept applications to certify card holders. Card holders and related products are still commercially available off-the-shelf; however, the use of these products is optional and testing is no longer in the best interests of the government.
Please note the removal of this category should not impact any existing procurements. Product categories not identified by the Program have no requirement for FIPS 201 conformance and available products should be able to satisfy the agency defined security requirements provided direct testing.
POSTED April 30, 2019
Categories Removed from the Approved Products List (APL)
The FIPS 201 Evaluation program has removed the following categories from the Approved Products List. After analyzing the Approved Products List categories,the program found that:
- OCSP Responders are mature. OCSP responders and related products are available as commercial off the shelf products and open source software products. They are part of a stable landscape and vetted thousands of times daily by various relying party applications. It is not in the government’s or commercial best interests to continue to test these products prior to procurement and/or installation.
SCVP Client and SCVP Client (without auth) are not widely used in US federal agencies. It is not in the government’s or commercial best interests to continue to maintain testing scenarios for these products.
Please note the removal of these categories should not impact any procurements. Categories not identified by the program have no requirement for FIPS 201 conformance. Products on the market should be reviewed for adherence to standard US federal cryptographic conformance requirements (i.e. FIPS 140-2) and trade laws (i.e. country of origin and Trade Agreements Act). Products are available to satisfy federal agency’s needs and requirements.
POSTED February 2, 2018
PACS FRTC v1.3.3 Rev. G has been published and is in effect immediately. Section 2 of the FRTC states that the FRTC is a living document and is expected to be updated over time as new or revised functional requirements are identified. In addition, this document will be updated in accordance with the following schedule:
- A new version will be published no less than one year from issuance of the current version.
- If security or infrastructure risks are identified, an interim release may occur.
All new versions are effective immediately. New or revised requirements and their test cases will include an effective date, commensurate with their assigned severity level (see paragraphs 7.1, 7.2, and 7.3.
POSTED June 30, 2018
Removal of Random Number Generated (RNG)-based PIV Cards from the Approved Products List (APL)
In the past, the FIPS 201 Evaluation Program has granted extensions for allowing RNG-based PIV cards to continue being listed on the APL. In alignment with NIST’s decision, the FIPS 201 Evaluation Program has also decided to not grant another extension and has removed all RNG-based PIV cards from the APL and added them to our Removed Products List.
POSTED August 18, 2017
FIPS 201 Evaluation Program Now Testing Derived PIV Credentials
The FIPS 201 Evaluation Program has established the criteria for testing derived PIV credentials. See the FIPS 201 Evaluation Program page for information about the testing process or to submit a credential for testing.
POSTED May 24, 2017
June 30, 2018 Extension for Random Number Generator (RNG)-based PIV Cards
NIST’s PIV Validation Program has provided an extension on migrating away from RNG-based PIV cards to Deterministic Random Bit Generator (DRBG)-based PIV cards.
The FIPS 201 Evaluation Program’s Approved Products List (APL) will continue to list RNG-based PIV cards until June 30, 2018.
|Card Printer Station||FPKIPA Annual PIV Credential Issuer Testing|
|Certificate Validator||Server-based Certificate Validation Protocol Category|
|Cryptographic Module||NIST FIPS 140-2 Validation List|
|Electronic Personalization||FPKIPA Annual PIV Credential Issuer Testing|
|Facial Image Capturing Camera||FPKIPA Annual PIV Credential Issuer Testing|
|Facial Image Capturing Camera (Middleware)||FPKIPA Annual PIV Credential Issuer Testing|
|Graphical Representation||FPKIPA Annual PIV Credential Issuer Testing|
|LACS Caching Status Proxy||Server-based Certificate Validation Protocol Category|
|LACS Mobile Transparent Reader||FICAM Playbooks|
|LACS Transparent Reader||FICAM Playbooks|
|PIV Middleware||NIST PIV Middleware Certification List|
|Single Fingerprint Capture Device||FBI Certified Products List (CPL)|
|Template Generator||NIST MINEX Participation Chart|
|Template Matcher||NIST MINEX Participation Chart|
POSTED October 29, 2016
List of Categories Removed from the Approved Products List (APL)
The FIPS 201 Evaluation Program has removed the following categories, displayed in the table to the right, from the Approved Products List. After analyzing the Approved Products List categories, the Program found that:
- Many products on the APL are not for sale anymore
- Most testing and approval procedures were outdated
- Testing was already being conducted by some other Program (NIST, FBI)
Below are some resources that provide information, guidance, or a replacement certification list for some of the removed FIPS 201 categories:
- Guidance through the FICAM Playbooks
- Certified lists through other Programs such as NIST’s Personal Identity Verification Program (NPIVP) for PIV Middleware and PIV Credential Applications; NIST’s Cryptographic Module Validation Program (CMVP) which includes a FIPS 140-2 validation list
- New processes such as the Federal Public Key Infrastructure Policy Authority (FPKIPA) Annual PIV Credential Issuer Testing (MS Word); Production PIV credential testing for each agency; conformance testing of the PIV credential’s internal data, certificate conformance testing, and PACS interoperability testing
Please note the removal of these categories should not impact any procurements. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements.
POSTED June 23, 2016
PIV Credentials Using Random Number Generator (RNG) to be Removed from Approved Products List
According to this transition plan, agencies may continue to procure and issue credentials using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant credentials implementing approved DRBGs as soon as DRBG PIV credential and the compatible credential management software are commercially available. Once issued, these “legacy” RNG PIV credentials may be used until their expiration date – up to June 30, 2023.
POSTED April 12, 2016
GSA Document Signing Tool
We’d like to announce that the GSA Document Signing Tool (aka PKCS#7 Tool) source code is now available on GitHub. Moving forward, the community may contribute to enhancements, bug fixes, and new features for the GSA Document Signing Tool directly. Community members may clone the source code from the GSA GitHub repository and submit any additions via new branches and pull requests. If you are new to GitHub and need instructions on how to use the GitHub features, please reference the GitHub help page.
If you have any questions, comments, or issues with the GSA Document Signing Tool, feel free to post your comments in the “Issues” section of the GSA Document Signing Tool GitHub site.
As new questions are posted to the “Issues” section, all members in the community may contribute to answering and/or helping with any code enhancements. We encourage community members to actively contribute and share their contributions with everyone.
POSTED June 13, 2014
Tri-interface PIV Credentials to be Removed from the Approved Products List
The FIPS 201 Evaluation Program received and analyzed multiple comments on the removal of tri-interface credentials from the Approved Products List (APL). To provide further clarification, tri-interface credentials refers to PIV credentials that have additional non-PIV authentication features such as a mag stripe and 125 kHz antenna. The Program has been asked to remove these types of credentials from the APL because they have become an enabler for some buildings to postpone or altogether avoid deploying compliant Physical Access Control Systems (PACS); our intent was to close this loophole. Two years ago, the Program removed transparent readers from the APL to align products with policy and standards by utilizing PKI for PACS and LACS. We are now removing tri-interface credentials from the APL so buildings can migrate away from legacy forms of access control and align with policy and directives.
While we received mostly very positive feedback about this decision, we have received feedback that highlighted a number of legitimate use cases that we would be negatively impacting agencies. The Program is going to delay the removal of the tri-interface credentials from the APL from 6 to 18 months. In 18 months the FIPS 201 Evaluation Program will no longer test or list tri-interface credentials on the APL. Note that PIV Issuers are required to use APL approved credential stock, so beginning in 18 months issuance of tri-interface PIV credentials will not be allowed.