FAR 4.1302—Acquisition of approved products and services for personal identity verification.
Plain-English Summary
FAR 4.1302 tells agencies how to acquire personal identity verification (PIV) products and services that comply with FIPS PUB 201, the federal standard for identity credentials and related components used for secure access. It covers the basic requirement to buy only approved PIV products and services, the preferred acquisition path through GSA Federal Supply Schedule 70, Special Item Number (SIN) 132-62 for HSPD-12 Product and Service Components, and the alternative process when agencies do not use that schedule route. It also addresses what agencies must do to ensure compliance when buying outside the GSA schedule, including certifying that products and services meet applicable federal standards, ensuring interoperability and lifecycle conformance, and maintaining a written plan for ongoing conformance. In practice, this section is about preventing agencies from buying incompatible or noncompliant identity verification solutions that could undermine security, interoperability, or long-term support. It matters to contracting officers, program offices, and acquisition teams because PIV purchases often involve hardware, software, services, and integration support that must work together across the federal environment. The section also points users to the government’s identity management resources for additional guidance.
Key Rules
Buy only approved PIV items
Agencies must purchase only personal identity verification products and services that are approved to comply with FIPS PUB 201. This is the baseline rule and applies regardless of how the acquisition is structured.
Use Schedule 70 when available
Agencies may acquire approved PIV products and services through GSA Federal Supply Schedule 70, SIN 132-62, using the ordering procedures in FAR subpart 8.4. This is the expressly identified acquisition path in the rule.
Verify compliance outside the schedule
If the agency does not use the GSA Schedule 70 route, it must ensure the products and services are approved as compliant with FIPS PUB 201. The agency cannot rely on the acquisition method alone; it must confirm the items themselves are compliant.
Certify federal standards met
For non-schedule acquisitions, the agency must certify that the procured products and services meet all applicable federal standards and requirements. This places an affirmative validation duty on the acquiring organization.
Ensure interoperability and lifecycle conformance
The agency must ensure the components will interoperate and remain conformant with applicable federal standards throughout their lifecycle. This means compliance is not just a point-in-time purchase requirement; it must be sustained over time.
Maintain a written conformance plan
The agency must keep a written plan for ensuring ongoing conformance with applicable federal standards for the lifecycle of the components. This documentation supports oversight, maintenance, and future compliance checks.
Use identity management resources
The section directs users to the identity management website for more information. This signals that agencies should consult current technical and policy guidance when planning or managing PIV acquisitions.
Responsibilities
Agency
Purchase only approved PIV products and services; use GSA Schedule 70 SIN 132-62 when appropriate; if buying outside that channel, ensure compliance with FIPS PUB 201, verify federal standards are met, confirm interoperability and lifecycle conformance, and maintain a written ongoing conformance plan.
Contracting Officer
Structure the acquisition to obtain only approved PIV products and services, select the proper ordering or contracting vehicle, and ensure the file reflects the required compliance checks, certifications, and documentation when the schedule route is not used.
Program/Technical Office
Define the required PIV functionality, validate that proposed products and services meet applicable federal standards, assess interoperability with existing systems, and support the written lifecycle conformance plan.
Vendor/Contractor
Provide only products and services that are approved and compliant with FIPS PUB 201, supply evidence of conformance and interoperability, and support continued compliance over the lifecycle of the components.
Practical Implications
This section is a compliance gate for identity credentialing purchases: agencies should not treat PIV items like ordinary IT buys, because the products must meet specific federal standards and interoperability expectations.
The GSA Schedule 70 SIN 132-62 path is the simplest route when available, but it does not eliminate the need to ensure the selected items are actually approved and suitable for the agency’s environment.
A common pitfall is focusing only on initial certification and ignoring lifecycle support; agencies must plan for updates, replacements, and continued conformance over time.
Another risk is buying components that individually appear compliant but do not work together in the agency’s operational environment, so interoperability testing and documentation matter.
Contract files should show the basis for compliance, especially when the acquisition does not use the schedule route, because the rule requires affirmative agency assurance and a written plan.
Official Regulatory Text
(a) In order to comply with FIPS PUB 201, agencies must purchase only approved personal identity verification products and services.
(b) Agencies may acquire the approved products and services from the GSA, Federal Supply Schedule 70, Special Item Number (SIN) 132-62, HSPD-12 Product and Service Components, in accordance with ordering procedures outlined in FAR subpart 8.4.
(c) When acquiring personal identity verification products and services not using the process in paragraph (b) of this section, agencies must ensure that the applicable products and services are approved as compliant with FIPS PUB 201 including-
(1) Certifying the products and services procured meet all applicable Federal standards and requirements;
(2) Ensuring interoperability and conformance to applicable Federal standards for the lifecycle of the components; and
(3) Maintaining a written plan for ensuring ongoing conformance to applicable Federal standards for the lifecycle of the components.
(d) For more information on personal identity verification products and services see http://www.idmanagement.gov.