With FIPS 201-3 expected to be ratified very soon, many organizations will need to plan updates and enhancements for access to IT systems. This NIST standard specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. One very important update in this third version of the spec is the requirement for federation support so we have brought together some useful resources that will help make sense of this update and to prepare.
The new version introduces an entirely new concept of federated identity for logical access to IT systems; this idea is “normative,” meaning it is not optional. Before, FIPS 201 was largely about physical access. This new version will take it much further into the digital space than it has been before.
FIPS 201-3 Federation Resources:
The first is a survey of the mandated federation requirements. It introduces the actors and their relationship, relating these to other protocols (e.g., in OpenID Connect). It also talks about the various Federation Assurance Levels (FALs) and how to achieve them using OpenID Connect. Assertions and how to transmit them in a safe and secure way is also described. Next, the VoT resource provides a deeper dive into ways of communicating information about the Authenticator Assurance Level (AAL) and Identity Assurance Level (IAL). We also updated our glossary of terms to include those induced by FIPS which also provides a handy list of related definitions and acronyms.
Check these resources out, and prepare now for the update to FIPS 201.