FIPS 201 Evaluation Program

The FICAM testing program tests and certifies services and commercial products used in credentialing systems, physical access control systems, and public key infrastructures. In standards and documents, this is sometimes also called the Federal Information Processing Standard 201 (FIPS 201) Evaluation Program.

Testing and Certification
Testing Guidance and Documents

View the latest program announcements.

Testing and Certification

We test and certify a variety of products and services such as:

Smartcards (secure elements) used in Personal Identity Verification (PIV) and Common Access Card (CAC) credentials;
Physical access control systems for buildings including readers and infrastructure;
Certificate validation products including online certificate status protocol (OCSP) and server-based certificate validation protocol (SCVP) clients/servers; and
Service providers who manage, install, or provide hosted solutions for issuance of Personal Identity Verification (PIV) and CAC credentials.

If you are looking for the testing procedures for products not listed above, review the announcements. Over the years, some product testing has been deprecated to eliminate redundancy or the product categories have become stable and represent general commercial use products.

Product Testing

Product testing is performed by either:

Third-party accredited testing labs; or
GSA-managed testing labs

All materials and testing results are reviewed by the Director of the Program. If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the Approved Products List (APL). Information shared on the APL includes product information, version, date of certification and special considerations.

Visit the Sell page for more on testing and certification.

Testing Guidance and Documents

Functional requirements for the products are outlined in each test procedure. Review the testing agreements, the test procedure for your specific product, and submit the agreement and package to fips201ep@gsa.gov.

Testing Agreements

Review the testing agreements, and sign and submit the appropriate agreement with your testing package to fips201ep@gsa.gov.

FIPS 201 Evaluation Program – Lab Services Agreement (PDF, February 2015) – The formal agreement to enter into testing, signed by the vendor and the government official.
Reseller Acknowledgement Form (MS Word, September 2014) – If you are reselling another product, this must be disclosed and the signed agreement submitted.
Product/Service Upgrade Form (MS Word, April 2017) – If you are only upgrading, submit this form.
Removed Products List (RPL) Process Document (PDF, June 2014) – If your product has been removed from the APL, review this document for the procedures.

Personal Identity Verification (PIV) Credentials

Annual PIV Credential Issuer (PCI) Testing Application Form (MS Word, November 2017) – If you are an agency or organization applying for your annual Audit for Federal Public Key Infrastructure (FPKI), submit this form to fips201ep@gsa.gov with available dates and times to visit the GSA testing labs.
Personal Identity Verification (PIV) Credential (PDF, January 2010) – The test procedures used by the independent, third-party labs to test card stock.

Derived PIV (D-PIV) Credentials

Annual Derived PIV Credential Issuer (DPCI) Testing Application Form (MS Word, September 2017) – If you are an agency or organization that currently issues D-PIV credentials and need to complete credential testing for your annual FPKI audit, submit this form to fips201ep@gsa.gov.
Agencies or organizations that wish to issue D-PIV credentials should follow these steps:
1. 1. Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO).
  2. Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs).
  3. Submit the Annual DPCI Testing Application Form (linked above) to fips201ep@gsa.gov.
  4. Submit sample D-PIV credentials for testing.
Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials.

Badge Holders

Electromagnetically Opaque Sleeve (Badge Holder) Approval and Test Procedure (PDF, February 2014) – Review the test procedures, and contact one of the third-party labs to schedule testing.

Physical Access Control System (PACS)

GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used to restrict physical access to government facilities. Review the test procedures, choose one of the application packages, and submit to fips201ep@gsa.gov.

PACS Functional Requirements and Test Procedures, v1.3.3 (PDF, April 24, 2018)
PACS FRTC PIN Usage Policy Addendum – v1.3.3 (PDF, April 24, 2018)¹

PACS Application Package

Review and complete the Product or Service Application Form and Guidance (MS Word, April 24, 2018)
Execute the FIPS 201 Evaluation Program – Lab Services Agreement (PDF, February 2015)
Include one of the following, signed by a C- or VP-level individual:
- Product or Service Self-Attestation Form – v1.3.3 (MS Word, April 24, 2018)
- Product/Service Upgrade Form – v1.3.3 (MS Word, April 24, 2018)
- Product Series and Licensing Self-Attestation Form – v2.0.1 (MS Word, September 8, 2017)
Complete the Applicant Product Equipment List – v1.3.3 (MS Word, September 8, 2017)
Choose from the following four topologies that best describes your solution and complete the Topology Mapping Workbook (all Topologies) – v1.3.3 (XLSM, April 24, 2018)²for your topology:
- Approved PACS Topology Mapping Form (PACS 13.01) – v1.3.3 (PDF, April 24, 2018)
- Approved PACS Topology Mapping Form (PACS 13.02) – v1.3.3 (PDF, April 24, 2018)
Submit all forms and equipment list to fips201ep@gsa.gov.

GSA can loan you test cards to help you pre-test your physical access control system products.

PACS Test Card Loaner Process (PDF, June 2014)
PACS Test Card Loaner Set Request Form (MS Word, June 2014) – Sign and submit this form to fips201ep@gsa.gov.
PACS Test Card User Guide (PDF, May 2014)

Server-Based Certificate Validation Protocol (SCVP)

GSA is currently developing new testing procedures for SCVP testing. The testing will focus on testing SCVP servers using a GSA SCVP client test harness.

¹ The PACS FRTC PIN Usage Policy Addendum is provided to assist with resetting PIN retry counters and determining the number of remaining PIN retries during Discovery Object testing.

² When submitting a product that uses an approved or provisionally approved topology, complete the Topology Mapping Workbook and submit it with your application rather than the PDF version. This is new with FRTC 1.3.3 and should be easier to use. Editing, macros and content must be enabled when opening this workbook in order for the form to work properly.

Page Reviewed/Updated: June 15, 2018