NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-4(10) Use of Approved PIV Products

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.

Practitioner Notes

For systems requiring Personal Identity Verification (PIV), only use products that are on the GSA FIPS 201 Approved Products List. This ensures the products properly implement the PIV standard.

Example 1: When procuring smart card readers, card management systems, or physical access control systems for PIV use, verify the product is listed on the GSA FIPS 201 Approved Products List at idmanagement.gov before purchasing. Include APL listing as a mandatory procurement requirement.

Example 2: For logical access control, verify that your PKI certificates and authentication infrastructure support PIV credentials. In Windows environments, configure Group Policy for smart card authentication and test PIV card login against your Active Directory Certificate Services infrastructure.