FIPS 201 Evaluation Program
The Federal Information Processing Standard 201 (FIPS 201) Evaluation Program (sometimes called the FICAM Testing Program) tests and certifies services and commercial products used in PIV credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs).
Program Announcements
Announcements older than four years are removed. Contact us if you have any questions.
It is our great pleasure to announce the reopening of the FIPS201 Evaluation Program's compliance testing lab. An email announcing the reopening of the lab was sent out to the community on Wednesday, July 20, 2022. Due to a recent change in contract vehicles the lab had to physically move to a new location. Even though the distance was not far, the move itself was time consuming. We would like to thank those PACS vendors who took the time to certify their current installations prior to the move, and you may be called upon to verify that everything moved over is in working order. You will be contacted by the lab team if further assistance is needed. For those of you who have been waiting to submit new applications, or conduct updates, we appreciate your patience. You are now free to send the paperwork to our group email address fips201ep at gsa dot gov.
GSA FICAM Testing Program Vendor - The current contract with the testing services provider for the GSA FICAM Testing Lab concludes on June 15, 2022. We are working to ensure a smooth transition for all our Vendors as we onboard a new provider.During the transition period, please note the following
- Vendor Verification of System Health - We ask that each Vendor schedule an in-person appointment with the Lab prior to June 3, 2022, to verify the health of its installed system. Each Vendor representative may test its system during the visit, but updating software and hardware will not be permitted. The Lab will perform a small number of tests from the FRTC during the visit. Results will be documented, signed by Vendor and Lab representatives, and submitted to GSA. For any Vendor that is unable to go to the Lab in person prior to June 3, 2022, the Lab will issue a status report to GSA reflecting the system’s state as “unknown.” Until an in-person visit with the new Lab provider occurs to establish system status, no new applications will be accepted.
- Testing in Progress - The Lab is making every effort to complete as much testing as possible before we enter the transition phase. Testing for Vendor systems in process will conclude by May 27, 2022.
- New Vendor Applications - Applications received before May 31, 2022, will be reviewed by the existing Lab provider. Applications received after May 31, 2022, will be paused until the new provider is in place.
- System Updates and New Installations - System updates and new installations will not be processed until the new Lab provider is in place.
We will issue an announcement in June detailing next steps in the transition process, including the process of moving existing systems to a new physical location.
PACS APL testing form has undergone a major revision. The new testing APL Application form consolidates multiple documents and reduces redundant information across those forms. All submissions for upgrade will only need to submit a completed new APL Application form unless a significant change to architecture requires new FRTC per the lab's discretion.
PACS FRTC v1.4.2 Rev B has been published and is in effect immediately. This revision includes the following updates.
- Mobile / Handheld FRTC Test Cases (Section 8) are re-instated.
- Corrections and clarifications to existing test cases.
PACS FRTC v1.4.2 Revision A has been published and is in effect immediately. This update includes optional test cases associated with the following functionalities.
- Secure Messaging (SM)
- On-Card Comparison (OCC)
- Backend Registration for PACS
The FIPS 201 Evaluation Program will be removing card holders (also known as badge holders or electromagnetically opaque sleeves) from the Approved Products List on January 31st, 2021. GSA will no longer accept applications to certify card holders. Card holders and related products are still commercially available off-the-shelf; however, the use of these products is optional and testing is no longer in the best interests of the government.
Please note the removal of this category should not impact any existing acquisitions. Product categories not identified by the Program have no requirement for FIPS 201 conformance and available products should be able to satisfy the agency defined security requirements provided direct testing.
Testing and Certification
We test and certify a variety of products and services such as:
- Smart cards (secure elements) used in Personal Identity Verification (PIV) and Common Access Card (CAC) credentials
- Physical access control systems for buildings including readers and infrastructure
- Service providers who manage, install, or provide hosted solutions for issuance of Personal Identity Verification (PIV) and CAC credentials
If you’re looking for testing procedures related to products not listed above, review the FIPS 201 announcements. Over the years, some product testing has been deprecated to eliminate redundancy, or the product categories have become stable and represent general commercial use products.
Product Testing
Product testing is performed by either:
- Third-party accredited testing labs, OR
- GSA-managed testing labs
If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the Approved Products List (APL). The APL includes product information, version, date of certification, and special considerations.
Visit the Vendors page for more on testing and certification.
Testing Guidance and Documents
Functional requirements for the products are outlined in each test procedure. Review the testing agreements, and the test procedure for your specific product, and submit the agreement and package to fips201ep at gsa.gov.
Testing Agreements
Review the testing agreements, and sign and submit the appropriate agreement with your testing package to fips201ep at gsa.gov.
- FIPS 201 Evaluation Program – Evaluation Agreement (MS Word, September 2020) – The formal agreement to enter into testing, signed by the vendor and the government official.
- Reseller Acknowledgement Form (MS Word, September 2014) – If you are reselling another product, this must be disclosed and the signed agreement submitted.
- Approved Product List Application Guidance Document (PDF, April 2022) – Provides a checklist of which documents are required when submitting a new or upgraded solution.
- Removed Products List (RPL) Process Document (PDF, April 2022) – If your product has been removed from the APL, review this document for the procedures.
Personal Identity Verification Credentials
- Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020) – If you are an agency or organization applying for your Annual Review Audit for the Federal Public Key Infrastructure (FPKI), submit this form to fips201ep at gsa.gov; two testing options are available:
- In-person Lab Testing - testing organizations can provide available dates and times to visit the GSA FIPS 201 lab when sending in their application form, or
- Remote Testing - testing organizations can leverage the Card Conformance Tool (CCT) and Certificate Profile Conformance Tool (CPCT), SP 800-73-4-based Test Runner, and the KSJavaAPI to generate artifacts to be sent along with the testing application form.
- Personal Identity Verification (PIV) Card Body Approval Procedures, V 11.0 (PDF, April 2023) – approval procedures that outline the evaluation criteria, approval mechanisms, and validation test reports to be employed and provided by the Evaluation Laboratory based on their evaluation of a vendor/ supplier’s PIV Card body (product), to be provided to the FIPS 201 EP for evaluation to be placed on the Approved Products List (APL).
PIV Card Body Application Package Requirements
All applicants, please complete the following steps:
- Review the Personal Identity Verification (PIV) Card Body Approval Procedures v11.0 (PDF, April 2023) – outlining the approval procedures and evaluation criterion for getting the PIV Card body (Product) on the APL and Section 2 Application Package
- Provide the Product itself (see Section 2) of the Personal Identity Verification (PIV) Card Body Approval Procedures v11.0 (PDF, April 2023)
- Complete and provide the PIV Card APL Evaluation Program Application Form (Word, April 2023) – Required for each product submission.
- Complete and provide the FIPS 201 Evaluation Program Lab Services Agreement, V3.0.0 (PDF) – Required for each product submission.
- Complete and provide the FIPS 201 Evaluation Program Attestations to Federal Acquisition Regulations related to the Trade Agreement Act v3.3 – Required for each product submission.
- Complete and provide the FIPS 201 Evaluation Program Attestations Form for PIV Card Body Approval v1.0 – Required for each product submission.
Derived PIV Credentials
Agencies that wish to issue D-PIV credentials should follow these steps:
- Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO)
- Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs)
- Submit sample D-PIV public certificates for testing or provide results from the Certificate Profile Conformance Tool (CPCT) to fips201ep at gsa.gov.
Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials.
Physical Access Control System
GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used to restrict physical access to government facilities.
Review the test procedures, choose one of the application packages, and submit to fips201ep at gsa.gov.
- PACS Functional Requirements and Test Cases v1.4.2 Rev. B (PDF, October 2021)
-
PACS FRTC PIN Usage Policy Addendum (PDF, August 2018)
- Review this Addendum for help resetting PIN retry counters, and determining the number of remaining PIN retries during Discovery Object testing.
PACS Application Package for New Systems or for Updates to Previously Approved Systems
All applicants, please complete the following steps:
- Review the - Approved Product List Application Guidance Document (PDF, April 2022) – Instructions for completing the Approved Product List Application Form.
- Complete the Approved Product List Application Form (Word, April 2022) – Required for each solution submission, new or upgrade.
- Provide the equipment table from the Approved Product List Application as a separate file. Equipment Table GSA PACS Application v0.1 (XLSX, February 2023)
- Reseller Acknowledgement Form (MS Word, September 2014) – If you are reselling another product, this must be disclosed, and the signed agreement submitted.
- Include the following document when adding a new series, or adding new product to a prior listed series, signed by a C- or VP-level individual:
- Provide a solution configuration guide that includes, at a minimum:
- Screenshots and instructions on configuring the submitted solution to meet the test cases.
- Location of all log files needed to verify the solution is performing the test cases.
- Steps necessary to verify the hardware, software, and firmware of all items listed on the equipment table in the APL application.
- Complete the additional documentation
- Review the following documentation and select from the appropriate topology that best describes your solution:
- Approved PACS Topology Mapping Document (PACS 13.01) (PDF, February 2019)
- Approved PACS Topology Mapping Document (PACS 13.02) (PDF, February 2018)
- Mobile Handheld Approved Topology Mapping Document (14.02) (PDF, November 2017)
- When you complete the FRTC Workbook, use the mapping in the workbook, not the mapping inside the Mobile Handheld Topology document.
- Approved PACS Wireless Reader Topology Mapping Document (PACS 20.01) (PDF, November 2020)
- Complete the PACS FRTC Topology Mapping Workbook (XLSX, October 2021) for your topology.
- Complete the FIPS 201 Evaluation Program – Evaluation Agreement (MS Word, September 2020).
- Include all applicable VPAT statements, UL-294, and FIPS 140-2/140-3 listing documents.
- Submit all completed forms to fips201ep at gsa.gov.
Test Card Loaners
GSA can loan you test cards to help you pre-test your physical access control system products.
- PACS Test Card Loaner Process (PDF, November 2019)
- PACS Test Card Loaner Set Request Form (MS Word, October 2019) – Sign and submit this form to fips201ep at gsa.gov.
- PACS Test Card User Guide (PDF, January 2019)