FIPS 201 Approved Product List

This page is for program managers and acquisition professionals looking for approved products for physical access control systems and PIV cards. This page also contains the removed products list.

If you think this page is missing something, contact us to ask a question.

How To Purchase

Visit the Buy Page to view FICAM products, services and purchasing guidance.

Approved Products - 13.01 and 13.02 Topology

The Physical Access Control System (PACS) products listed under the “Approved” section below have met the security and functional requirements set by GSA’s FIPS 201 Evaluation Program, and have been approved for use by the Federal Government. The agency deploying the solution is responsible for verifying that the deployment architecture (e.g., on-site, private cloud, public cloud, etc.) meets the agency’s security requirements, such as FedRAMP. Note that the Approved PACS Products below are grouped by either 13.01 or 13.02 topologies and indicated as Cloud infrastructure where appropriate:

• 13.01 Topology – end-to-end systems that integrate components from three categories: PACS Infrastructure, Validation System, and PIV PACS Reader.
• 13.02 Topology – end-to-end systems that integrate the first two components (PACS Infrastructure and Validation System) into a PACS Validation Infrastructure, which is then integrated with the third component category (PIV PACS Reader).

Approved 13.01 Topology PACS Products

Approved 13.01 Cloud Topology PACS Products

Note: The agency deploying the solution is responsible for verifying that the deployment architecture (e.g., on-site, private cloud, public cloud, etc.) meets the agency’s security requirements, such as FedRAMP.

Approved 13.02 Topology PACS Products

Approved 13.02 Cloud Topology PACS Products

Note: The agency deploying the solution is responsible for verifying that the deployment architecture (e.g., on-site, private cloud, public cloud, etc.) meets the agency’s security requirements, such as FedRAMP.

PACS Readers

NOTE: PACS readers are approved as part of a complete solution. The list below represents the readers that have been tested and verified as part of a solution (e.g., Infrastructure + Validation Engine + Reader). Each of the linked approval letters lists the approved reader types, associated APL#, and tested PACS solution.

• Allegion Schlage Smart Card Readers
• ASSA ABLOY integrated Signo Readers
• ASSA ABLOY integrated pivCLASS Readers
• Gallagher T Series PIV Readers
• HID pivCLASS Series Readers
• HID Signo Series Readers
• Identiv uTrust Series Readers
• IDFACTORS Readers
• Innometriks Cheetah Series Readers
• Veridt Series Readers
• XTec X Series Readers
• WaveLynx Technologies Readers

PACS Solutions Awaiting Approval

Cycle 2 and 3 updates are moved to the front of the test queue once they are installed. While between cycles, solutions may not appear here.

Approved Products - PIV Smart Cards

The Personal Identity Verification (PIV) cards listed below are approved for FICAM implementation under the FIPS 201 Evaluation Program. They are blank PIV cards that are available for purchase. A PIV service provider will personalize these blank cards for federal agencies and contractors. PIV service providers are required to use PIV cardstock from the Approved Products List (APL).

If you do not see a card below, it’s possible it’s on the Removed Product List.

Please note:

• Tri-Interface cards are not approved for federal government PIV or CAC card use, so agencies should not procure them. They are listed on the APL for industry-only acquisition.
• Manufacturers may call Tri-Interface cards by different names (for example, Dual Hybrid). The prohibited feature of Tri-Interface cards is a prox interface (a 125 kHz antenna).
• Agencies should procure only cards validated by the NIST Personal Identity Verification Program (NPIVP).

Approved PIV Cards

Legacy PIV Cards

The FIPS 201 Evaluation Program no longer approves the purchase of legacy PIV cards. Any cardstock designated as "legacy" is placed on this legacy list for three (3) years and then placed on the Removed Product List for three (3) years. However, some federal agencies still need to procure the legacy cardstock while upgrading existing systems. Agencies must stop using cardstock on the legacy list by June 30, 2027.

Legacy PIV cards include the following:

Agencies procuring cardstock from the legacy list assume all risks associated with its use.

If your agency needs to purchase cardstock from this legacy list, you must submit an Assumption of Risk Memorandum (memo) from the agency Chief Information Officer(s) to the General Services Administration (GSA). The memo must contain the following information:

• Acknowledgment of the assumption of all associated security risks;
• Acknowledgment of non-compliance with NIST standards;
• A transition plan specifying major milestones to achieve full compliance by the 2027 deadline and
• Implications resulting from non-compliance with federal policy related to this purchase.

Submit the memo to GSA’s Associate Administrator for Government-wide Policy (OGP) (regardless of the vehicle used in the acquisition). If using the GSA Multiple Award Schedule as the acquisition vehicle, submit a copy of the memo to the Commissioner of GSA’s Federal Acquisition Service.

Note: GSA will provide the Office of the Federal Chief Information Officer (OFCIO) at the Office of Management and Budget (OMB) with copies of all memos submitted.

Removed Product List

The FIPS 201 Evaluation Program’s Removed Products List (RPL) displays products and services that were once on the Approved Products List but are no longer approved for government procurement. Due to security concerns, products on the RPL are not recommended for government acquisition. Products will be removed from the RPL 3 years after the removal date.