Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal Government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a Federal Government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

FIPS 201 Evaluation Program

The Federal Information Processing Standard 201 (FIPS 201) Evaluation Program (sometimes called the FICAM Testing Program) tests and certifies services and commercial products used in PIV credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs).

For the latest testing news, view the program announcements.

Testing and Certification

We test and certify a variety of products and services such as:

  • Smartcards (secure elements) used in Personal Identity Verification (PIV) and Common Access Card (CAC) credentials
  • Physical access control systems for buildings including readers and infrastructure
  • Service providers who manage, install, or provide hosted solutions for issuance of Personal Identity Verification (PIV) and CAC credentials

If you’re looking for testing procedures related to products not listed above, review the announcements. Over the years, some product testing has been deprecated to eliminate redundancy, or the product categories have become stable and represent general commercial use products.

Product Testing

Product testing is performed by either:

  • Third-party accredited testing labs, OR
  • GSA-managed testing labs

If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the Approved Products List (APL). The APL includes product information, version, date of certification, and special considerations.

Visit the Sell page for more on testing and certification.

Testing Guidance and Documents

Functional requirements for the products are outlined in each test procedure. Review the testing agreements, and the test procedure for your specific product, and submit the agreement and package to fips201ep at

Testing Agreements

Review the testing agreements, and sign and submit the appropriate agreement with your testing package to fips201ep at

Personal Identity Verification Credentials

Derived PIV Credentials

Agencies that wish to issue D-PIV credentials should follow these steps:

  1. Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO)
  2. Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs)
  3. Submit sample D-PIV public certificates for testing or provide results from the Certificate Profile Conformance Tool (CPCT) to fips201ep at

Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials.

Physical Access Control System

GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used to restrict physical access to government facilities.

Review the test procedures, choose one of the application packages, and submit to fips201ep at

PACS Application Package for New Systems or for Updates to Previously Approved Systems

Vendors, please complete the following steps.

If you’re providing an update to a previously approved system, please skip steps 4 and 5.

  1. Review the Product/Service Application Form and Guidance (MS Word, September 2018).
  2. Include one or both of the following, signed by a C- or VP-level individual:
  3. Complete the Applicant Product Equipment List (MS Word, September 2017).
  4. Only for New Systems: Choose from the appropriate topology that best describes your solution:
  5. Only for New Systems: Complete the PACS FRTC Topology Mapping Workbook(XLSX, October 2021) for your topology.
    • When submitting a product that uses an approved or provisionally approved topology, complete the Topology Mapping Workbook, rather than the PDF version, and submit it with your application.
  6. Complete a Topology Mapping Diagram as specified in Section 4.4 in the Approved PACS Topology Mapping Documents above.
  7. Execute the FIPS 201 Evaluation Program – Evaluation Agreement (MS Word, September 2020).
  8. Include the completed form and checklist in theProduct/Service Application Form and Guidancein (1) above.
  9. Include all applicable VPAT statements, UL-294, and FIPS 140-2 listing documents.
  10. Submit all forms to fips201ep at

Test Card Loaners

GSA can loan you test cards to help you pre-test your physical access control system products.