PIV Card Body Approval Procedures
Vendors and Suppliers
If you are looking for the PIV Card Body form required for submitting each of your products, please use the button below to access that form.
Additional required forms can be found on the FIPS 201 Evaluation Program page.
| Status | Version | Date | Comment | Audience |
|---|---|---|---|---|
| Draft | 0.0.1 | 03/21/06 | Document creation. | Limited |
| Draft | 0.1.0 | 03/21/06 | Submitted to GSA for approval. | GSA |
| Draft | 0.1.1 | 05/11/06 | Updated based on GSA feedback | Limited |
| Draft | 0.1.2 | 05/23/06 | Updated based on GSA feedback. | Limited |
| Draft | 0.2.0 | 05/23/06 | Submitted to GSA for approval. | GSA |
| Approved | 1.0.0 | 05/24/06 | Approved by GSA. | Public |
| Revision | 1.0.1 | 06/29/06 | Updated based on feedback from GSA. | Limited |
| Revision | 1.1.0 | 06/29/06 | Submitted to GSA for approval | GSA |
| Revision | 1.1.1 | 06/30/06 | Updated based on feedback from GSA. | Limited |
| Revision | 1.2.0 | 06/30/06 | Submitted to GSA for approval | GSA |
| Approved | 2.0.0 | 06/30/06 | Approved by GSA | Public |
| Revision Revision Revision Revision |
2.0.1 2.1.0 3.2.0 3.3.0 |
09/11/06 9/20/06 10/20/06 11/13/06 |
Revised based on feedback from the Evaluation Program and GSA Submitted to GSA for approval Updated and Submitted to GSA for approval Updated and Submitted to GSA for approval | Limited GSA GSA GSA |
| Revision Revision Revision Approved |
3.4.0 3.5.0 3.6.0 4.0.0 |
12/11/06 01/10/07 01/30/07 02/19/07 |
Updated and Submitted to GSA for approval Updated and Submitted to GSA for approval Updated and Submitted to GSA for approval Approved by GSA | GSA GSA GSA Public |
| Approved Approved Approved |
5.0.0 6.0.0 7.0.0 |
04/02/07 04/26/07 10/31/07 |
Updated with details for the evaluation fees. Updated with details for the upgrade process. Updated to split approval processes from document. Processes can now be found in Suppliers Handbook. | Public Public Public |
| Approved | 8.0.0 | 05/28/08 | Updated card durability requirements. | Public |
| Approved | 9.0.0 | 07/30/08 | Updated acceptance criteria for card durability requirements(Magnetic Stripe and UV light resistance) and clarified sampling sizes. | Public |
| Approved | 10.0.0 | 07/08/11 | Updated evaluation procedures to reflect new NIST SP 800-73-3 requirements | GSA |
| 11.0.0 | 04/24/2023 | Updated title and version of the document from PIV Card ApprovalProcedure, Version 10.0.0 to PIV Card Body Test Procedures, Version 11.0.0 and updated overall document to align with updated procedures and compliance requirements. | Public | |
| 11.0.0 | 04/23/2025 | Converted PDF to Markdown | Public |
1 Introduction
1.1 Overview
The FIPS 201 Evaluation Program (EP) is a federal compliance program administered by the Office of Government-wide Policy (OGP), within the General Services Administration (GSA) agency. The FIPS 201 Evaluation Program (EP) evaluates products and services against the requirements outlined in FIPS 201 and its supporting documents. In addition to test requirements developed to test conformance to the National Institute of Standards and Technology (NIST) specifications, GSA has established interoperability and performance metrics to further determine product suitability. To qualify as an Evaluation Lab (Lab) for the GSA FIPS 201 EP, the laboratory shall have received NIST National Voluntary Laboratory Accreditation Program (NVLAP) accreditation (refer to NIST HB 150-17e2022, Annex D), to perform FIPS 201 conformance testing on products submitted by the suppliers/ vendors. A set of approval procedures have been developed which outline the evaluation criteria, approval mechanisms, and validation test reports to be employed and provided by the Evaluation Laboratory during their evaluation of a Supplier’s product against the requirements for that category.
A Vendor/Supplier desiring to submit a PIV Card body (hereafter referred to as the Product) for evaluation must follow these Approval Procedures, which provide the necessary category-specific details to have a Supplier’s Product evaluated by the EP and placed on the Approved Products List (APL).
1.2 Category Description
The PIV Card is a smart card with contact and contactless interfaces that meet the interface, data format, graphical, and physical requirements outlined in FIPS 201 and SP 800-73.
1.3 Purpose
The purpose of this document is to provide the following information:
- Provide a list of the artifacts, forms and/or documentation that must be submitted bythe Evaluation Lab (Lab) to the FIPS 201 EP as part of the application package submission.
- Document the requirements that apply to the PIV Card body evaluation.
- Specify the evaluation criteria along with their approval mechanisms that the Evaluation Labs will use to verify compliance of the Product against the requirements that apply to this category.
2 Application Package Contents
The Application Package Contents include the artifacts, documentation, and the product itself that need to be submitted by the Evaluation Lab to perform validation. The Application Package Contents for this category include the following:
- The Product itself.
- (a) The vendor should deliver the product to the Lab (address found at https://www.idmanagement.gov/vendors/) using a secure delivery method requiring receipt acknowledgement (e.g., FedEx, UPS, hand delivery)
- (b) The Lab should deliver the Product to the FIPS 201 EP at 1893 Metro Center Dr., Ste 228, Reston, VA 20190 using secure delivery methods requiring receipt acknowledgement (e.g., FedEx, UPS, hand delivery).
- Completed and signed “PIV Card APL Evaluation Program Application Form” (link: https://www.idmanagement.gov/fips201/, under PIV Card Body Application Package Requirements)
- Completed and signed “FIPS 201 Evaluation Program Lab Services Agreement_v3.0.0” (link: https://www.idmanagement.gov/fips201/, under PIV Card Body Application Package Requirements)
- Completed and signed “FIPS 201 Evaluation Program Attestations to Federal Acquisition Regulations related to the Trade Agreement Act” (link: https://www.idmanagement.gov/fips201/, under PIV Card Body Application Package Requirements)
- Completed and signed “FIPS 201 Evaluation Program Attestation Form for PIV Card Body Approval_v1.0” (link: https://www.idmanagement.gov/fips201/, under PIV Card Body Application Package Requirements)
- A Vendor/ Lab Test Data Report, which provides test results showing that the Product complies with the requirements indicated in Section 3.1, Table 1 of this document and as indicated against the tests conducted in the FIPS 201 Evaluation Program Attestation Form for PIV Card Body Approval_v1.0. The Lab is required to develop test methods for conformance testing as required by the FIPS 201 EP and validate that the test methods developed comply with the requirements set forth by the International Organization Standardization (ISO) 17025 for Testing and Calibration laboratories to
verify the effectiveness of the testing method to produce valid results. In this regard, the Supplier/ Lab is expected to develop and document the test procedures used to determine how the Product was tested to conclude that it met all requirements to be compliant. In addition, the following will be provided as part of the Supplier/Vendor Documentation Review and Certification:
- All necessary Supplier/Vendor documentation providing proof that the Product complies with the category-specific requirements (as outlined in Section 3.1, Table 1) and complies with the evaluation criteria in Section 3.2.1 for the category which has Supplier documentation review as its approval mechanism. Examples of specific documentation include: user guides, technical specifications, white papers, sample cards, etc.
- Official Certification documentation from the appropriate entity (e.g., NIST) indicating the Product’s conformance to the tested requirements of FIPS 201. Specific reference to the exact type of certification necessary can be found in the Certification section found in Section 3.2.3 of this document.
3 Evaluation Procedure for PIV Card Body Testing
3.1 Requirements
To approve the Product as conformant to the requirements of FIPS 201, it, at a minimum, must comply with all the requirements listed below. The approval mechanism column describes the Lab’s technique to evaluate compliance with that particular requirement.
| Identifier # | Requirement Description | Source | Approval Mechanism |
|---|---|---|---|
| PIV-C.1 | The PIV Card body shall comply with the physical characteristics and durability described in FIPS 201. | FIPS 201-3, Section 4.1.3 | Supplier/Vendor Documentation Review |
| PIV-C.2 | The PIV Card body structure shall consist of card material(s) that satisfy the card characteristics described in ISO/IEC 7810. | FIPS 201-3 Section 4.1.3 | Supplier/Vendor Documentation Review |
| PIV-C.3 | The PIV Card body shall comply with characteristics as described in ISO/IEC 10373. | FIPS 201-3, Section 4.1.3 | Supplier/Vendor Documentation Review |
| PIV-C.4 | The PIV Card body shall comply with characteristics described in ISO/IEC 7816 for contact cards. | FIPS 201-3, Section 4.1 | Supplier/Vendor Documentation Review |
| PIV-C.5 | The PIV Card body shall comply with characteristics described in ISO/IEC 14443 for contactless cards. | FIPS 201-3, Section 4.1 | Supplier/Vendor Documentation Review |
| PIV-C.6 | The PIV Card shall contain a contact and a contactless ICC interface. | FIPS 201-3, Section 4.1.3 | Supplier/Vendor Documentation Review |
| PIV-C.7 | The card body structure shall consist of card material(s) that satisfy the test methods in American National Standards Institute (ANSI)322. | FIPS 201-3, Section 4.1.3 | Supplier/Vendor Documentation Review |
| PIV-C.8 | The ANSI 322 test methods tests shall be used to evaluate card material durability and performance. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.9 | The ANSI 322 tests shall include the card flexure test. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.10 | The ANSI 322 tests shall include the card static stress test.FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report | |
| PIV-C.11 | The ANSI322 tests shall include the plasticizer exposure test. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.12 | The ANSI 322 tests shall include the impact resistance test. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.13 | The ANSI 322 tests shall include the card structural integrity test. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.14 | The ANSI 322 tests shall include the card surface abrasion test. FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report | |
| PIV-C-15 | The ANSI 322 tests shall include card temperature and humidity-induced dye migration. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.16 | The ANSI 322 tests shall include card ultraviolet light exposure. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.17 | The ANSI 322 tests shall include the card laundry test. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.18 | The cards shall not malfunction or delaminate after hand cleaning with a mild soap and water mixture. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.19 | The cards shall be subjected to sunlight exposure in accordance with Section 5.12 of ISO 10373 or to ultraviolet and daylight fading in accordance with ANSI 322. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.20 | The card shall be subjected to actual, concentrated, or artificial sunlight to appropriately reflect 2000 hours of southwestern United States sunlight exposure. The tests shall be in accordance with ISO 10373. Concentrated sunlight exposure shall be performed in accordance with G90-17, and accelerated exposure in accordance with G155-2013. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.21 | The card shall be subjected to the ISO 10373 dynamic bending test and shall have no visible cracks or failures after exposure to ISO 10373 or ANSI 322. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.22 | The card shall be 27- to 33-mil thick (before lamination) in accordance with ISO 7810. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.23 | The card material shall allow the production of a flat card in accordance with ISO 7810 after the lamination of one or both sides of the card. | FIPS 201-3, Section 4.1.3 | Vendor/Lab Test Data Report |
| PIV-C.24 | A validation certificate from the NIST Personal Identity Verification Program (NPIVP) detailing that the Product being tested is listed in the PIV Card Application Validation list as conformant as defined in SP 800-73: https://csrc.nist.gov/projects/nist-personal-identity-verification-program/validation-lists/piv-card-application-validation-list | SP 800-73 Appendix A - PIV Data Model | Supplier/Vendor Documentation Review and Certification |
| PIV-C.25 | A validation certificate from The NIST Cryptographic Module Validation Program (CMVP) which validates cryptographic modules to the Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules: https://csrc.nist.gov/projects/cryptographic-module-validation-program | SP 800-73 Appendix A - PIV Data Model | Supplier/Vendor Documentation Review and Certification |
Table 1 - Applicable Requirements
3.2 Evaluation Criteria
This section provides details on the process employed by the Lab for evaluating the Product against the requirements indicated above.
3.2.1 Supplier/ Vendor Documentation Review (PIV-C.1 to PIV-C.7)
The Lab will review the documentation submitted by the Supplier/ Vendor to ascertain the following and provide documentation to support their review:
- The card’s physical characteristics comply with the following:
- ISO 7810
- ISO 10373
- ISO 7816
- ISO 14443
- ICC Interfaces
The card durability and performance tests conform to the ANSI 322 test methods.
3.2.2 Vendor/Lab Test Data Report (PIV-C.8 to PIV-C.23)
As a result of the testing to ensure compliance with the respective standards, the following must be included as part of the Vendor/Lab Test Data report:
- A report generated to ensure that the test performed to evaluate the card characteristics durability and performance comply with the test methods in ANSI 322. These tests shall include card flexure, static stress, plasticizer exposure, impact resistance, card structural integrity, surface abrasion, temperature and humidity-induced dye migration, ultraviolet light exposure, and laundry test. Cards SHALL NOT malfunction or delaminate after hand cleaning with a mild soap and water mixture (FIPS 201-3).
- A sampling of a minimum of four (4) out of five (5) cards, or 80% in case a sampling size of greater than five (5) cards is used, should successfully fulfill the requirement being tested for to ensure that the product passes the particular test.
3.2.3 Certification (PIV-C.25 to PIV-C.26)
The Lab will perform the necessary activities to ensure the authenticity and validity of the certification status for the Product being tested and provide the following:
- A validation certificate from the NIST Personal Identity Verification Program (NPIVP) detailing that the Product being tested is listed in the PIV Card Application Validation list as conformant as defined in SP 800-73: https://csrc.nist.gov/Projects/nist-personal-identity-verification-program/Validation-Lists/piv-card-application-validation-list.
- A validation certificate from The NIST Cryptographic Module Validation Program (CMVP) which validates cryptographic modules to the Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules: https://csrc.nist.gov/projects/cryptographic-module-validation-program.
