NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-2(12) — Acceptance of PIV Credentials
Accept and electronically verify Personal Identity Verification-compliant credentials.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166. The DOD Common Access Card (CAC) is an example of a PIV credential.
Practitioner Notes
This enhancement requires your systems to accept Personal Identity Verification (PIV) credentials — the smart card standard used by federal agencies (CAC for DoD).
Example 1: Configure Active Directory and your PKI infrastructure to accept CAC/PIV smart card authentication for all Windows logons and application access.
Example 2: Enable PIV certificate-based authentication in Azure AD (Entra ID) so users can authenticate to cloud applications using their government-issued smart card.
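Added example for the Active Directory case in Example 1 (this is illustrative code, not part of the NIST text or any vendor documentation): it electronically verifies a user's PIV Authentication certificate against the domain's NTAuth store with revocation checking, binds the certificate to the account with a strong certificate mapping, and then requires the smart card for interactive logon. The account name 'jdoe', the exported certificate path, and the presence of the RSAT ActiveDirectory and PKI modules are assumptions.

```powershell
# Assumptions (not from the control text): a domain-joined host with the
# ActiveDirectory and PKI modules, a user 'jdoe', and that user's PIV
# Authentication certificate exported to C:\piv\jdoe-piv-auth.cer.
Import-Module ActiveDirectory
Import-Module PKI

$sam      = 'jdoe'                       # assumed sAMAccountName
$certPath = 'C:\piv\jdoe-piv-auth.cer'   # assumed exported PIV Auth cert
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# 1. Verify the credential electronically before accepting it for logon:
#    the chain must end in a CA present in the domain's NTAuth store and the
#    leaf must carry the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2).
$ok = Test-Certificate -Cert $cert -Policy NTAUTH -EKU '1.3.6.1.4.1.311.20.2.2' -ErrorAction Stop
if (-not $ok) { throw 'PIV certificate failed NTAuth / Smart Card Logon EKU validation' }

#    Independently rebuild the chain with online revocation checking of every link.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    throw ('Chain or revocation failure: ' + ($chain.ChainStatus.StatusInformation -join '; '))
}

# 2. Bind the certificate to the account with a strong altSecurityIdentities
#    mapping of the form X509:<I>issuer<SR>serial (Microsoft KB5014754 format).
#    Issuer RDNs are written in reversed order without spaces, and <SR> is the
#    serial number in reversed byte order. Splitting on ', ' assumes no escaped
#    commas in the issuer DN, which holds for typical federal PIV issuer names.
$rdns = $cert.Issuer -split ', '
[array]::Reverse($rdns)
$issuer = $rdns -join ','
$serialHex = $cert.SerialNumber
$bytes = for ($i = 0; $i -lt $serialHex.Length; $i += 2) { $serialHex.Substring($i, 2) }
[array]::Reverse($bytes)
$mapping = "X509:<I>$issuer<SR>$($bytes -join '')"
Set-ADUser -Identity $sam -Replace @{ altSecurityIdentities = $mapping }

# 3. Require the smart card for interactive logon (sets SMARTCARD_REQUIRED in
#    userAccountControl); password logon to this account is no longer accepted.
Set-ADUser -Identity $sam -SmartcardLogonRequired $true

# Show the resulting account state for the change record.
Get-ADUser -Identity $sam -Properties altSecurityIdentities, SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired, altSecurityIdentities
```

Run the verification step on its own first when onboarding a new issuing CA; a failure there usually means the CA certificate has not been published to the NTAuth store rather than a problem with the card.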