Vendors

Federal agencies require systems and services to be functional, secure, and compatible with other products. The General Services Administration (GSA) supports these requirements through testing and identifying products and services.

• The GSA Federal Acquisition Service issues long-term government-wide contracts that provide federal, state, and local government buyers access to commercial products, services, and solutions at pre-negotiated pricing.

• The GSA Office of Government-wide Policy provides testing and certification services for specific product categories.

In most cases, vendors seeking to sell Identity, Credentialing, and Access Management products or services to the federal government must apply for a Multiple Award Schedule (MAS) Special Item Number (SIN). More information is available below.

Two FIPS 201 product categories require additional testing at a testing facility before applying to the Multiple Award Schedule.

1. Smart card credentials PIV Card Bodies - Products are listed on the GSA FIPS 201 Approved Products List - PIV Cards category.

2. Physical Access Control Systems (PACS) - Products are listed on the GSA FIPS 201 Approved Products List - Physical Access Control System Components category.

Please contact fips201ep@gsa.gov if you have questions regarding product approval.

Four ICAM professional services require additional verification/attestation of capabilities before applying to the Multiple Award Schedule.

1. 541519CSP – Credential Service Provider
2. 541519PKI – Public Key Infrastructure (PKI) Shared Service Providers (PKI SSP)
3. 541519ICAM – Identity, Credential, and Access Management Solutions
4. 541519PIV – HSPD-12 Products and Service Components

Please contact fpki@gsa.gov if you have questions related to professional services.

FIPS 201 Products and Services Approval Process

The GSA FIPS 201 Evaluation Program (EP) evaluates commercial products and services, as defined by the FAR, to be used in PIV credentialing systems and PACS.

We test and evaluate a variety of products and services, such as:

• Smart cards (secure elements) used in Personal Identity Verification (PIV), Personal Identity Verification - Interoperable (PIV-I), and Common Access Card (CAC) credentials are collectively known as PIV Card Bodies.
• Physical access control systems (PACS) for buildings, including readers and infrastructure.

If you’re seeking testing procedures for products not listed above, review the Program Announcements. Over time, some product testing has been discontinued to avoid redundancy, or the product categories have become stable and now represent common commercial use products.

To get product approval for federal use and meet FIPS 201 standards, first identify which category you want to submit for. Then follow the required steps for that category.

PIV Card Body Approval Procedures

For smart card manufacturers or suppliers/vendors seeking to have their product listed on the PIV Card Body Approved Products list, review the documentation and procedures available here: PIV Card Body Approval Procedures

If your product completes the process and the FIPS 201 EP Program Manager recommends it for approval, two things happen.

1. You will receive a signed approval document.

2. Your product will be included on the Approved Products List (APL) under the correct category.

After testing and approval, submit your application to have your product or service listed on the GSA’s Multiple Award Schedule (MAS).

Physical Access Control Systems (PACS)

GSA tests, evaluates, and validates the interoperability of PIV, PIV-I, and CAC credentials with the hardware and software used for physical access control to government facilities. GSA manages testing and certification for PACS as well as annual audit testing of production PIV credentials for federal agencies. Vendors that want to have their products approved for procurement by federal agencies should review the documentation and procedures listed here: Physical Access Control System.

If your product completes the process and the FIPS 201 EP Program Manager recommends it for approval, two things happen.

1. You will receive a signed approval document.

2. Your product will be included on the Approved Products List (APL) under the correct category.

After testing and approval, submit your application to have your product or service listed on the GSA’s Multiple Award Schedule (MAS).

ICAM Professional Services

All ICAM-related Special Item Numbers (SINs) require a technical evaluation.

Professional services involve integrating solutions and assisting agencies in deploying and managing identity, credentialing, and access management systems related to ICAM implementations.

• 541519CSP - Credential Service Provider (CSP), Managed service offering for component or full-service Credential Service Providers (CSPs) that meet the requirements of NIST SP 800-63 Digital Identity Guidelines (current version), to include public-facing and enterprise. The provided capabilities template must be thoroughly completed. Below is a list of relevant documents.

  • Homeland Security Presidential Directive 12 (HSPD-12).

  • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63.

  • NIST Federal Information Processing Standard (FIPS) 201: Personal Identity Verification (PIV) of Federal Employees and Contractors.

• 541519PKI - Public Key Infrastructure (PKI) Shared Service Providers (PKI SSP) Program - PKI SSPs shall provide reliable, authenticated, policy-compliant service offerings to support Federally issued Personal Identity Verification (PIV), Personal Identity Verification Interoperable (PIV-I), and associated certificates and cryptographic key service offerings.

Professional services vendors must document their experience in deploying policy-compliant ICAM projects for government agencies.

• 541519ICAM – ICAM Solutions
• 541519PIV – HSPD-12 Products and Service Components

The Certified System Engineer ICAM PACS (CSEIP) is a certification for PACS integration services. It is a required credential to become an approved consultant.

• CSEIP list of certified individuals
• About the CSEIP certification

GSA certifies consulting services and labor categories through Special Item Numbers (SIN) for ICAM or HSPD-12 professional services. Please contact fpki@gsa.gov if you have questions related to professional services.

Get on a GSA Schedule

The GSA MAS Program, also called the “Schedule,” is the premier contract vehicle for the federal government. The MAS Program is a long-term, government-wide contract between commercial suppliers and the federal government. Being awarded a Schedule contract can open doors for your business, but it requires effort and dedication to succeed. First, determine if the Schedule suits your business.

• Sell through GSA MAS – Agencies use the MAS to fulfill their technology products and services needs.