FIPS 201 Evaluation Program
The Federal Information Processing Standard 201 (FIPS 201) Evaluation Program (sometimes called the FICAM Testing Program) tests and certifies services and commercial products used in PIV credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs).
Program Announcements
Announcements older than four years are removed. Contact us if you have any questions.
The agency procuring the PACS solution is responsible for assessing whether the chosen solution's deployment architecture (e.g., on-site, private cloud, public cloud, etc.) aligns with its security and operational requirements. The Approved 13.01 and 13.02 PACS topologies have been further refined to highlight the Cloud infrastructure, see link: Approved Products - Physical Access Control Systems.
The GSA FICAM Testing Lab in Reston, VA will have limited in-person availability from Monday, December 23, 2024, through Thursday, January 2, 2025. As a result, no appointments will be scheduled during this time. Vendors are kindly asked to schedule any in-person visits by Friday, December 20, 2024, to ensure that lab personnel can accommodate requests and provide assistance before December 23, 2024.
We appreciate your understanding and patience.
Thank you.
In an effort to streamline and accurately capture the components and to allow the same table to be used across multiple forms for the solution being submitted for evaluation, the FIPS 201 Evaluation Program has updated the Equipment Table spreadsheet to be broken out by individual tabs for 13.01 PACS Infrastructure, 13.01 Validation System, 13.01 PACS Readers, 13.02 PACS and Validation Infrastructure and 13.02 PACS Readers. Vendors are requested to use this updated spreadsheet as part of their application submission package moving forward. Please feel free to reach out to fips201ep@gsa.gov with any questions or concerns.
The GSA FICAM Testing Lab located in Reston, VA will be operating on limited in-person availability from December 20, 2023, through January 2, 2024, and as such will not be scheduling any appointments during that period. Vendors are requested to schedule an appointment by December 15, 2023, so that the lab personnel can make every effort to provide availability and assistance before December 20, 2023.
Your patience is greatly appreciated.
Thank you.
The Testing and Evaluation section has been updated to streamline the process and documentation for the FIPS 201 Evaluation Program. The guidance and application documents required for the Physical Access Control Systems (PACS) evaluation have been updated, and clarification for the Personal Identity Verification and Credentials evaluation process has been added.
As requested by the vendor, the Identiv Velocity (APL #10013) with HID Global Validation System for Hirsch-Identiv Velocity (APL #10014) will be moved to the RPL, effective October 16, 2023
The initial version of the FRTC for PACS Alternative Authenticators, version 1.0 has been published for public review and comments under the Physical Access Control System section.
This document will be continuously updated as emerging technology and standards supporting FICAM compliance become available. Please review the document and provide your comments to fips201ep@gsa.gov by November 30, 2023.
It is our great pleasure to announce the reopening of the FIPS201 Evaluation Program's compliance testing lab. An email announcing the reopening of the lab was sent out to the community on Wednesday, July 20, 2022. Due to a recent change in contract vehicles the lab had to physically move to a new location. Even though the distance was not far, the move itself was time consuming. We would like to thank those PACS vendors who took the time to certify their current installations prior to the move, and you may be called upon to verify that everything moved over is in working order. You will be contacted by the lab team if further assistance is needed. For those of you who have been waiting to submit new applications, or conduct updates, we appreciate your patience. You are now free to send the paperwork to our group email address fips201ep@gsa.gov.
GSA FICAM Testing Program Vendor - The current contract with the testing services provider for the GSA FICAM Testing Lab concludes on June 15, 2022. We are working to ensure a smooth transition for all our Vendors as we onboard a new provider.During the transition period, please note the following
- Vendor Verification of System Health - We ask that each Vendor schedule an in-person appointment with the Lab prior to June 3, 2022, to verify the health of its installed system. Each Vendor representative may test its system during the visit, but updating software and hardware will not be permitted. The Lab will perform a small number of tests from the FRTC during the visit. Results will be documented, signed by Vendor and Lab representatives, and submitted to GSA. For any Vendor that is unable to go to the Lab in person prior to June 3, 2022, the Lab will issue a status report to GSA reflecting the system’s state as “unknown.” Until an in-person visit with the new Lab provider occurs to establish system status, no new applications will be accepted.
- Testing in Progress - The Lab is making every effort to complete as much testing as possible before we enter the transition phase. Testing for Vendor systems in process will conclude by May 27, 2022.
- New Vendor Applications - Applications received before May 31, 2022, will be reviewed by the existing Lab provider. Applications received after May 31, 2022, will be paused until the new provider is in place.
- System Updates and New Installations - System updates and new installations will not be processed until the new Lab provider is in place.
We will issue an announcement in June detailing next steps in the transition process, including the process of moving existing systems to a new physical location.
PACS APL testing form has undergone a major revision. The new testing APL Application form consolidates multiple documents and reduces redundant information across those forms. All submissions for upgrade will only need to submit a completed new APL Application form unless a significant change to architecture requires new FRTC per the lab's discretion.
PACS FRTC v1.4.2 Rev B has been published and is in effect immediately. This revision includes the following updates.
- Mobile / Handheld FRTC Test Cases (Section 8) are re-instated.
- Corrections and clarifications to existing test cases.
PACS FRTC v1.4.2 Revision A has been published and is in effect immediately. This update includes optional test cases associated with the following functionalities.
- Secure Messaging (SM)
- On-Card Comparison (OCC)
- Backend Registration for PACS
Testing and Evaluation
We test and evaluate a variety of products and services, such as:
- Smart cards (secure elements) that are used in Personal Identity Verification (PIV), Personal Identity Verification - Interoperable (PIV-I), and Common Access Card (CAC) credentials.
- Physical access control systems for buildings, including readers and infrastructure.
- Service providers who manage, install, or provide hosted solutions for issuing Personal Identity Verification (PIV) and CAC credentials.
If you’re looking for testing procedures related to products not listed above, review the Program Announcements. Over the years, some product testing has been deprecated to eliminate redundancy, or the product categories have become stable and represent general commercial use products.
Product Testing
Product testing is performed by either:
- Third-party accredited testing labs, OR
- GSA-managed testing labs
If the product passes testing and review, the vendor is granted a certification letter, and the product is placed on the Approved Products List (APL). The APL includes product information, version, date of certification, and special considerations.
Visit the Vendors page for more on testing and certification.
Testing Guidance and Documents
The sections below provide the guidance and application documents associated with the testing and evaluation of the various products and services indicated in the Testing and Evaluation section above. Functional requirements for the products are outlined in each test procedure. Review the testing agreements and the test procedure for your specific product and submit the associated agreement and package to fips201ep@gsa.gov.
Physical Access Control System
GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used for physical access control to government facilities.
Review the PACS APL Guidance Documents and PACS Application Package Requirements listed below, choose the application documentation that applies to your solution to be evaluated, and submit it to fips201ep@gsa.gov.
PACS APL Guidance Documents
The documents in this section provide guidance and information necessary for evaluating a PACS solution to be listed on the FIPS 201 Evaluation Program’s Approved Products List (APL) and the criteria followed for the Removed Products List (RPL). It is recommended that the applicant review all the guidance documents listed in this section before submitting the Approved Product List Application Form.
- Approved Product List Application Guidance Document, version 1.1.0 (PDF, Nov 30, 2023) – Provides information and lists of the documents required when submitting a new or upgraded solution for testing and instructions for completing the Approved Product List Application form.
- Removed Products List (RPL) Process Document, v1.0.2 (PDF, April 2022) – If your product has been removed from the APL, review this document for the procedures.
Functional Requirements and Test Cases Guidance Documents:
- PACS Functional Requirements and Test Cases Guidance Document v1.4.2 Rev. C (PDF, November 30, 2023)
- Secure Messaging and On Card Comparison Companion Paper, FRTC version 1.4.2 Rev A (PDF, March 31, 2021)
- FRTC Section 4 Backend Registration and Data Model Companion Paper, FRTC version 1.4.2 Rev A (PDF, March 31, 2021)
- FRTC Express Process Companion Paper, FRTC version 1.4.2 Rev A (PDF, March 31, 2021)
- Approved PACS Topology Mapping Form (PACS 13.01 13.02) PIN Usage Policy Testing Addendum, version 1.3.3 Rev. F (PDF, August 21, 2018) – Review this Addendum for help resetting PIN retry counters and determining the number of remaining PIN retries during Discovery Object testing.
- FRTC for PACS Alternative Authenticators, version 1.0 (PDF, September 26, 2023) – This document will updated continuously as emerging technology and standards supporting FICAM compliance become available. Please review the document and provide your comments to fips201ep@gsa.gov by November 30, 2023.
Topology Guidance Documents:
- Review the following guidance documentation and select from the appropriate topology that best describes your solution:
- Approved PACS Topology Mapping Document (PACS 13.01), version 1.3.3 Rev G (PDF, February 1, 2019).
- Approved PACS Topology Mapping Document (PACS 13.02), version 1.3.3 Rev G (PDF, February 1, 2018).
- Provisionally-Approved Mobile Handheld Validation Reader Topology Mapping Form (MHVR 14.02), version 1.3.3 Rev B (PDF, November 3, 2017). - NOTE: When you complete the FRTC Workbook, use the mapping in the workbook, not the mapping inside the Mobile Handheld Topology document.
- Approved PACS Wireless Reader Topology (PACS 20.01), FRTC version 1.3.3 Rev G (PDF, November 17, 2020).
PACS Application Package Submission Requirements for New Systems or Updates to Previously Approved Systems
All applicants, please complete the following steps:
- Review, complete, and sign the FIPS 201 Evaluation Program PACS Application Package Checklist, v1.1.0 (Mandatory), and ensure all the applicable and mandatory paperwork is submitted along with the application document.
- Complete and sign the Approved Products List Application Form, v1.1.0 (MS Word, November 30, 2023) (Mandatory) – Required for each solution submission, new or upgrade.
- Complete and sign the FIPS 201 Evaluation Program – Evaluation Agreement, version 2.1.0 (MS Word, November 30, 2023) (Mandatory) – Required for each solution submission, new or upgrade.
- List the equipment used for the APL testing in the equipment table linked here – Equipment Table GSA PACS Application v1.3.0 (MS Excel, August 2024) (Mandatory).
- Complete the PACS FRTC Workbook, v1.4.2 Rev B (MS Excel, October 2021) (Mandatory) for your topology.
- Provide a solution Configuration Guide (Mandatory) that includes, at a minimum:
- Screenshots and instructions on configuring the submitted solution to meet the test cases.
- Location of all log files needed to verify that the solution performs the test cases.
- Steps necessary to verify the hardware, software, and firmware of all items listed on the equipment table in the APL application.
- Responses to the Vendor FRTC Questionnaire linked in #13.
- Include the following document when adding a new series or adding a new product to a prior listed series, signed by a C- or VP-level individual:
- Product Series and Exemplar Self-Attestation Form v1.0.0 (MS Word, November 30, 2023) (Mandatory, if applicable).
- Include the following document when licensing an existing product that is already on the GSA PACS Reader APL, signed by a C- or VP-level individual:
- Product Licensing Self-Attestation Form v1.0.0 (MS Word, November 30, 2023) (Mandatory, if applicable).
- Complete and sign the Supply Chain Self-Attestation Form, v1.4.2 (MS Word, March 3, 2020) (Mandatory).
- Include all applicable VPAT statements, https://www.section508.gov/sell/vpat/ (Mandatory, if applicable).
- Include all relevant UL-294 listing documents (Mandatory, if applicable).
- Include all applicable FIPS 140-2/140-3 listing documents (Mandatory, if applicable).
- The vendors must submit the ISO 7816 and ISO 14443 test reports for new PIV PACS Readers. If the vendor has determined that the reports contain company-sensitive information, they may complete and sign the Vendor Self-Attestation Form for ISO/IEC Test Reports, confirming ISO/IEC 7816 conformance to satisfy FRTC Test Case # 7.07.09 and ISO/IEC 10373-6:2020 and ISO/IEC 10373-6:2020/Amd.1:2022 conformance to satisfy FRTC Test Case # 7.07.10.
- Respond to the Vendor FRTC Questionnaire, v1.1.0 (Mandatory).
- Submit all completed forms to fips201ep@gsa.gov.
Personal Identity Verification Credentials
- Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020) – If you are an agency or organization submitting for Annual PCI Review, submit this application form signed along with all the testing artifacts listed below to fips201ep@gsa.gov; two testing options are available:
- In-person Lab Testing - testing organizations can provide available dates and times to visit the GSA FIPS 201 lab when sending in their signed application form OR
- Remote Testing - testing organizations can leverage the tools listed below and email the outputs generated and card images to fips201ep@gsa.gov.
All applicants must provide the following required artifacts as part of the Annual PCI review:
- High-resolution front and back images of the PIV/PIV-I card being tested.
- Outputs generated by leveraging the following tools: Card Conformance Tool (CCT), Certificate Profile Conformance Tool, KSJavaAPI, and the SP 800-73-4-based Test Runner(Optional).
If you do not receive a confirmation email acknowledging the receipt of your Test Results Package within 24 hours of submission, please follow up promptly with the FIPS 201 Evaluation Program (EP) team at fips201ep@gsa.gov, ensuring that the follow-up email does not include any attachments. Timely follow-up helps confirm the successful receipt of your Test Results Package and prevents potential delays in processing your annual evaluation.
Derived PIV Credentials
Agencies that wish to issue D-PIV credentials should follow these steps:
- Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO).
- Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs).
- Submit sample D-PIV public certificates for testing or provide results from the Certificate Profile Conformance Tool (CPCT) to fips201ep@gsa.gov.
Upon successful completion of DPCI testing, the agency or organization will be approved to issue D-PIV credentials
PIV Card Body
- Personal Identity Verification (PIV) Card Body Approval Procedures, V 11.0 (PDF, April 2023) – indicates the approval procedures, outlines the evaluation criteria, approval mechanisms, and validation test reports to be employed and provided by the Evaluation Laboratory based on their evaluation of a vendor/ supplier’s PIV Card body (product), to be provided to the FIPS 201 EP for evaluation to be placed on the Approved Products List (APL).
All applicants, please complete the following steps:
- Review the Personal Identity Verification (PIV) Card Body Approval Procedures v11.0 (PDF, April 2023) – outlining the approval procedures and evaluation criterion for getting the PIV Card body (Product) on the APL and Section 2 Application Package
- Provide the Product itself (see Section 2) of the Personal Identity Verification (PIV) Card Body Approval Procedures v11.0 (PDF, April 2023)
- Complete and provide the PIV Card APL Evaluation Program Application Form (Word, April 2023) – Required for each product submission.
- Complete and provide the FIPS 201 Evaluation Program Lab Services Agreement, V3.0.0 (PDF) – Required for each product submission.
- Complete and provide the FIPS 201 Evaluation Program Attestations to Federal Acquisition Regulations related to the Trade Agreement Act v3.3 – Required for each product submission.
- Complete and provide the FIPS 201 Evaluation Program Attestations Form for PIV Card Body Approval v1.0 – Required for each product submission.
Test Card Loaners
GSA can loan you test cards to help you pre-test your physical access control system products.
