NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-2(12) Acceptance of PIV Credentials

Accept and electronically verify Personal Identity Verification-compliant credentials.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c). The DOD Common Access Card (CAC) is an example of a PIV credential.

Practitioner Notes

This enhancement requires your systems to accept Personal Identity Verification (PIV) credentials — the smart card standard used by federal agencies (CAC for DoD).

Example 1: Configure Active Directory and your PKI to accept CAC/PIV smart card authentication for all Windows logons and application access.

Example 2: Enable PIV certificate-based authentication in Azure AD (Entra ID) so users can authenticate to cloud applications using their government-issued smart card.