What federal agencies must get right to deploy derived PIV at scale

There are seven key factors that determine whether agencies’ derived PIV programs succeed.
Nearly 20 years after the government established the standard for Personal Identity Verification of Federal Employees and Contractors (PIV), the federal mission has outgrown the physical card. The workforce is more distributed, more mobile, and more dependent on devices that no longer support traditional card readers. 

Meanwhile, cyber adversaries are accelerating their own capabilities, exploiting credential-based attacks and social engineering at unprecedented speed. In this environment, relying solely on a plastic card as the linchpin of federal identity assurance is no longer tenable.

Derived PIV, extending the trust of the PIV credential to mobile devices, has long been envisioned as the path forward. The National Institute of Standards & Technology has defined the standards, the Office of Management and Budget has mandated phishing-resistant multi-factor authentication across the enterprise, and the zero trust strategy requires authentication that works everywhere an employee does. 

Yet despite years of clear policy direction, many agencies still struggle to deploy derived PIV broadly or sustainably. The problem is not the concept — it’s the execution. Without a deliberate blueprint, agencies end up with operational bottlenecks, clumsy workarounds, or exceptions that introduce new vulnerabilities in already strained environments.

To meet federal mandates and mission realities, agencies will need to approach derived PIV with a sharper sense of purpose, grounded in the requirements that matter most for security, speed, and long-term resiliency. Here are seven essentials that determine whether a derived PIV program succeeds.

1. Procurement must move at the speed of mission, not the speed of legacy acquisition.
Federal agencies cannot wait years to deploy a technology designed to secure today’s mobile workforce. Modern procurement pathways — GSA MAS, NASA SEWP, IDIQs, CSOs, and OTAs — exist precisely because traditional Federal Acquisition Regulation cycles often move too slowly for cybersecurity needs. Executive Order 14271 directs agencies toward cost-effective commercial solutions, and that mandate should shape derived PIV acquisition as well.

The question for procurement officers is simple: Does the approach shorten timelines, reduce complexity, and tie spending to measurable performance outcomes such as improving FISMA scores or eliminating password-based authentication? If not, it will not withstand the scrutiny of modern cybersecurity oversight.

2. Security must fully meet phishing-resistant and zero trust requirements.
Derived PIV is not meant to be a “lite” credential. It exists to secure the situations a PIV card cannot: remote sites, field operations, mobile devices, or laptops without card readers. That makes its security bar non-negotiable. EO 14028, OMB M-22-09, and FIPS 201/800-63/800-157 clearly define the requirements: strong identity proofing, secure credential lifecycle management, protection against phishing, and continuous assurance.

If an employee working in a hazardous environment or remote location falls back on passwords because their PIV card is unusable, the agency is both out of compliance and at increased risk. Derived PIV should close security gaps, not create workarounds that weaken federal ICAM.

3. Operational efficiency must reduce the burden on ICAM teams.
Federal identity programs are already stretched. Any derived PIV deployment that requires routine IT intervention, complex provisioning, or specialized endpoint support will fail to scale. Agencies should test one metric above all others: Can the average employee enroll and manage their credential without help?

Actual efficiency is measured by fewer help-desk tickets, shorter credential recovery cycles, and ICAM teams’ ability to focus on strategic functions like governance and compliance. Derived PIV succeeds when it simplifies the identity lifecycle, not when it adds another layer of administrative overhead.

4. Compliance must be inherent, continuous, and auditable.
Because derived PIV touches core federal identity infrastructure, compliance cannot be bolted on later. Agencies must ensure alignment with EO 14028, OMB M-22-09, SP 800-157, SP 800-63, FIPS 201, DAFMAN 17-1304 for Department of Defense components, and relevant CMMC requirements for defense contractors. The operational question is whether every issuance, authentication, revocation, and lifecycle change can be tracked and demonstrated without manual data collection.

In an era of heightened oversight, from inspectors general, from Congress, and increasingly from the Office of the National Cyber Director, derived PIV must produce defensible, automated evidence of compliance. The days of spreadsheet-driven auditing are over.

5. Deployment speed must match the tempo of modern federal operations.
Agencies supporting emergency response, diplomacy, warfighting, public health, and field investigations cannot wait months for secure authentication across mobile and remote users. Derived PIV must support rapid onboarding, cloud-based scale, automation that reduces human intervention, and hybrid or air-gapped environments where cloud isn’t feasible.

Every week an agency delays implementation is another week remote or mobile personnel rely on weaker authentication, and another week adversaries can exploit the gap.

6. Flexibility is essential for the way federal employees actually work.
No two federal missions look alike. Derived PIV must account for visiting personnel, temporary staff, contractors, interagency collaboration, mobile and ruggedized devices, and BYOD scenarios where permitted. It must accommodate varying use cases without forcing users into rigid workflows that encourage insecure shortcuts.

A credential that does not adapt to the mission will be ignored by the mission. Flexibility is not a convenience feature; it is a security requirement.

7. Integration must work with the ICAM and PKI systems that agencies already have.
The federal government cannot afford mass rip-and-replace identity projects. Derived PIV must integrate seamlessly with existing ICAM platforms, PKI chain of trust, MDM tools, HR and finance systems, and access control environments. When agencies are required to add middleware or engineer bespoke endpoints, costs rise, user adoption drops, and the program loses credibility.

The goal is modernization, not reinvention.

A path forward: Derived PIV as a catalyst for modernization
Federal agencies know what the mandates require: phishing-resistant MFA everywhere, zero trust–aligned identity assurance, secure mobile access, and seamless lifecycle management. But mandates alone do not guarantee execution. Agencies must approach derived PIV as a modernization initiative, one that strengthens mission readiness, reduces cyber risk, and prepares the workforce for an operating environment that increasingly spans devices, locations, and agencies.

When these seven requirements drive decision-making, derived PIV becomes far more than a credentialing project. It becomes a force multiplier for secure federal transformation.

With a clear roadmap, agencies can finally deliver authentication that meets the moment, protecting national missions without slowing them down.

Deena Thomchick is vice president of product at Axiad.