Edit this page

Standards, Policies, and Guidance

Public Law

Federal Information Security Modernization Act (FISMA) of 2014, Public Law No: 113-283.


OMB Circular A-130, “Managing Information as a Strategic Resource”, July 2016.

OMB M-05-24, “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors”, August 5, 2005.

OMB M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management, May 21, 2019.

E.O. 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, May 11, 2017.

E.O. 13636 and PPD-21 - “DHS Factsheet: Improving Critical Infrastructure Cybersecurity and Critical Infrastructure Security and Resilience”), March 2013.


Federal Acquisition Regulation (FAR).


Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, Version 2.0, Executive Office of the President (EOP) and Federal Chief Information Officers (CIO) Council, December 2, 2011.

Federal Public Key Infrastructure (FPKI) Security Controls Overlay of Special Publication 800-53 Security Controls for PKI Systems, v2.0.0, April 24, 2014.

FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, NIST, February 2004.

FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, NIST, March 9, 2006.

FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, NIST, August 2013.

NIST SP 800-53, Revision 4, Recommended Security Controls for Federal Information Systems and Organizations, April 2013.

NIST SP 800-60, Volume 1, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

NIST SP 800-60, Volume II, Revision 1, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

NIST SP 800-73-4, Interfaces for Personal Identity Verification, Parts 1 and 2, May 2015 (Updated February 8, 2016).

NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access, June 2018.

NIST SP 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, December 2016.

Guidance and Best Practices

Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide, Interagency Security Council (ISC), December 2015.

Enabling Strong Authentication with PIV Cards: Public Key Infrastructure (PKI) in Enterprise Physical Access Control Systems (E-PACS) Recommended Procurement Language for RFPs, v1.1.0, GSA, February 24, 2015.

PACS Customer Ordering Guide (v2.0), GSA Schedule 84 - Security, Fire, & Law Enforcement, June 2018.

Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS), Interagency Security Committee (ISC), Version 3.1, March 26, 2014.

Personal Identity Verification Interoperability for Issuers, Version 2.0.1, July 27, 2017.

The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard, ISC, 2nd Edition, November 2016.

Other Relevant Publications

“Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control”, Government Accountability Office (GAO), December 20, 2018.