FIPS 201 Evaluation Program Announcements
This is a list of the latest news from the FIPS 201 Evaluation Program.
GSA FIPS 201 Testing Lab Re-opening
POSTED: July 27, 2022
It is our great pleasure to announce the reopening of the FIPS201 Evaluation Program’s compliance testing lab. An email announcing the reopening of the lab was sent out to the community on Wednesday, July 20, 2022.
Due to a recent change in contract vehicles the lab had to physically move to a new location. Even though the distance was not far, the move itself was time consuming. We would like to thank those PACS vendors who took the time to certify their current installations prior to the move, and you may be called upon to verify that everything moved over is in working order. You will be contacted by the lab team if further assistance is needed.
For those of you who have been waiting to submit new applications, or conduct updates, we appreciate your patience. You are now free to send the paperwork to our group email address: fips201ep at gsa dot gov
GSA FIPS 201 Testing Lab Transition Planning
POSTED: May 11, 2022
GSA FICAM Testing Program Vendor:
The current contract with the testing services provider for the GSA FICAM Testing Lab concludes on June 15, 2022. We are working to ensure a smooth transition for all our Vendors as we onboard a new provider.
During the transition period, please note the following:
- Vendor Verification of System Health - We ask that each Vendor schedule an in-person appointment with the Lab prior to June 3, 2022, to verify the health of its installed system. Each Vendor representative may test its system during the visit, but updating software and hardware will not be permitted. The Lab will perform a small number of tests from the FRTC during the visit. Results will be documented, signed by Vendor and Lab representatives, and submitted to GSA. For any Vendor that is unable to go to the Lab in person prior to June 3, 2022, the Lab will issue a status report to GSA reflecting the system’s state as “unknown.” Until an in-person visit with the new Lab provider occurs to establish system status, no new applications will be accepted.
- Testing in Progress - The Lab is making every effort to complete as much testing as possible before we enter the transition phase. Testing for Vendor systems in process will conclude by May 27, 2022.
- New Vendor Applications - Applications received before May 31, 2022, will be reviewed by the existing Lab provider. Applications received after May 31, 2022, will be paused until the new provider is in place.
- System Updates and New Installations - System updates and new installations will not be processed until the new Lab provider is in place.
We will issue an announcement in June detailing next steps in the transition process, including the process of moving existing systems to a new physical location.
PACS APL Application Form Revision
POSTED: April 14, 2022
PACS APL testing form has undergone a major revision. The new testing APL Application form consolidates multiple documents and reduces redundant information across those forms. All submissions for upgrade will only need to submit a completed new APL Application form unless a significant change to architecture requires new FRTC per the lab’s discretion. Submission directions have been updated on the FIPS 201 Evaluation Program page
PACS FRTC v1.4.2 Rev B Released
POSTED: October 15, 2021
PACS FRTC v1.4.2 Rev B has been published and is in effect immediately. This revision includes the following:
- Mobile / Handheld FRTC Test Cases (Section 8) are re-enstated.
- Corrections and clarifications to existing test cases.
The full change log can be found in the FIPS201 FRTC 142 RevB Change Log.pdf document.
PACS FRTC v1.4.2 Update Released
POSTED: March 31, 2021
PACS FRTC v1.4.2 Revision A has been published and is in effect immediately. This update includes optional test cases associated with the following functionalities:
- Secure Messaging (SM)
- On-Card Comparison (OCC)
- Backend Registration for PACS
Additionally, a new testing procedure called the FRTC Express has been published and will be enacted for those solutions that have previously undergone full testing. The FRTC Express is aimed at streamlining testing associated with solution updates. Associated document updates are available on the FIPS 201 Evaluation Program page.
Category Removed from the APL December 2020
POSTED December 11, 2020
The FIPS 201 Evaluation program will be removing card holders (also known as badge holders or electromagnetically opaque sleeves) from the Approved Products List on January 31st, 2021. GSA will no longer accept applications to certify card holders. Card holders and related products are still commercially available off-the-shelf; however, the use of these products is optional and testing is no longer in the best interests of the government.
Please note the removal of this category should not impact any existing acquisitions. Product categories not identified by the Program have no requirement for FIPS 201 conformance and available products should be able to satisfy the agency defined security requirements provided direct testing.
Announcements Older Than Three Years
Category Removed from the APL April 2019
POSTED April 30, 2019
The FIPS 201 Evaluation program has removed the following categories from the Approved Products List. After analyzing the Approved Products List categories, the program found that:
- OCSP Responders are mature. OCSP responders and related products are available as commercial off the shelf products and open source software products. They are part of a stable landscape and vetted thousands of times daily by various relying party applications. It is not in the government’s or commercial best interests to continue to test these products prior to acquisition and/or installation.
- SCVP Client and SCVP Client (without auth) are not widely used in U.S. federal agencies. It is not in the government’s or commercial best interests to continue to maintain testing scenarios for these products.
Please note the removal of these categories should not impact any acquisition. Categories not identified by the program have no requirement for FIPS 201 conformance. Products on the market should be reviewed for adherence to standard U.S. federal cryptographic conformance requirements (i.e., FIPS 140-2) and trade laws (i.e., country of origin and Trade Agreements Act). Products are available to satisfy federal agency’s needs and requirements.
PACS FRTC v1.3.3 Update Released
POSTED February 2, 2018
PACS FRTC v1.3.3 Rev. G has been published and is in effect immediately. Section 2 of the FRTC states that the FRTC is a living document and is expected to be updated over time as new or revised functional requirements are identified. In addition, this document will be updated in accordance with the following schedule:
- A new version will be published no less than one year from issuance of the current version.
- If security or infrastructure risks are identified, an interim release may occur.
All new versions are effective immediately. New or revised requirements and their test cases will include an effective date, commensurate with their assigned severity level (see paragraphs 7.1, 7.2, and 7.3.
Category Removed from the APL June 2018
POSTED June 30, 2018
In the past, the FIPS 201 Evaluation Program has granted extensions for allowing RNG-based PIV cards to continue being listed on the APL. In alignment with NIST’s decision, the FIPS 201 Evaluation Program has also decided to not grant another extension and has removed all RNG-based PIV cards from the APL and added them to our Removed Products List.
Now Testing Derived PIV Credentials
POSTED August 18, 2017
The FIPS 201 Evaluation Program has established the criteria for testing derived PIV credentials. See the FIPS 201 Evaluation Program page for information about the testing process or to submit a credential for testing.
Extension for Random Number Generator (RNG)-based PIV Cards
POSTED May 24, 2017
NIST’s PIV Validation Program has provided an extension on migrating away from RNG-based PIV cards to Deterministic Random Bit Generator (DRBG)-based PIV cards.
The FIPS 201 Evaluation Program’s Approved Products List (APL) will continue to list RNG-based PIV cards until June 30, 2018.
Categories Removed from the APL October 2016
POSTED October 29, 2016
The FIPS 201 Evaluation Program has removed the following categories, displayed in the table below, from the Approved Products List. After analyzing the Approved Products List categories, the Program found that:
- Many products on the APL are not for sale anymore
- Most testing and approval procedures were outdated
- Testing was already being conducted by some other Program (NIST, FBI)
Below are some resources that provide information, guidance, or a replacement certification list for some of the removed FIPS 201 categories:
- Guidance through the FICAM Playbooks
- Certified lists through other Programs such as NIST’s Personal Identity Verification Program (NPIVP) for PIV Middleware and PIV Credential Applications; NIST’s Cryptographic Module Validation Program (CMVP) which includes a FIPS 140-2 validation list.
- New processes such as the Federal Public Key Infrastructure Policy Authority (FPKIPA) Annual PIV Credential Issuer Testing (PDF) Production PIV credential testing for each agency; conformance testing of the PIV credential’s internal data, certificate conformance testing, and PACS interoperability testing
Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements.
|Card Printer Station||FPKIPA Annual PIV Credential Issuer Testing|
|Certificate Validator||Server-based Certificate Validation Protocol Category|
|Cryptographic Module||NIST FIPS 140-2 Validation List|
|Electronic Personalization||FPKIPA Annual PIV Credential Issuer Testing|
|Facial Image Capturing Camera||FPKIPA Annual PIV Credential Issuer Testing|
|Facial Image Capturing Camera (Middleware)||FPKIPA Annual PIV Credential Issuer Testing|
|Graphical Representation||FPKIPA Annual PIV Credential Issuer Testing|
|LACS Caching Status Proxy||Server-based Certificate Validation Protocol Category|
|LACS Mobile Transparent Reader||FICAM Playbooks|
|LACS Transparent Reader||FICAM Playbooks|
|PIV Middleware||NIST PIV Middleware Certification List|
|Single Fingerprint Capture Device||FBI Certified Products List (CPL)|
|Template Generator||NIST MINEX Participation Chart|
|Template Matcher||NIST MINEX Participation Chart|
Category Removed from the APL June 2016
POSTED June 23, 2016
In-line with the DRBG PIV credential transition plan from NIST, the FIPS 201 Evaluation Program will be removing legacy RNG PIV credential listed on the Approved Products List on July 31, 2017.
According to this transition plan, agencies may continue to procure and issue credentials using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant credentials implementing approved DRBGs as soon as DRBG PIV credential and the compatible credential management software are commercially available. Once issued, these “legacy” RNG PIV credentials may be used until their expiration date – up to June 30, 2023.
GSA Document Signing Tool
POSTED April 12, 2016
We’d like to announce that the GSA Document Signing Tool (aka PKCS#7 Tool) source code is now available on GitHub. Moving forward, the community may contribute to enhancements, bug fixes, and new features for the GSA Document Signing Tool directly. Community members may clone the source code from the GSA GitHub repository and submit any additions via new branches and pull requests. If you are new to GitHub and need instructions on how to use the GitHub features, please reference the GitHub help page.
If you have any questions, comments, or issues with the GSA Document Signing Tool, feel free to post your comments in the “Issues” section of the GSA Document Signing Tool GitHub site.
As new questions are posted to the “Issues” section, all members in the community may contribute to answering and/or helping with any code enhancements. We encourage community members to actively contribute and share their contributions with everyone.
Category Removed from the APL June 2014
POSTED June 13, 2014
The FIPS 201 Evaluation Program received and analyzed multiple comments on the removal of tri-interface credentials from the Approved Products List (APL). To provide further clarification, tri-interface credentials refers to PIV credentials that have additional non-PIV authentication features such as a mag stripe and 125 kHz antenna. The Program has been asked to remove these types of credentials from the APL because they have become an enabler for some buildings to postpone or altogether avoid deploying compliant Physical Access Control Systems (PACS); our intent was to close this loophole. Two years ago, the Program removed transparent readers from the APL to align products with policy and standards by utilizing PKI for PACS and LACS. We are now removing tri-interface credentials from the APL so buildings can migrate away from legacy forms of access control and align with policy and directives.
While we received mostly very positive feedback about this decision, we have received feedback that highlighted a number of legitimate use cases that we would be negatively impacting agencies. The Program is going to delay the removal of the tri-interface credentials from the APL from 6 to 18 months. In 18 months the FIPS 201 Evaluation Program will no longer test or list tri-interface credentials on the APL. Note that PIV Issuers are required to use APL approved credential stock, so beginning in 18 months issuance of tri-interface PIV credentials will not be allowed.