PIV vs CAC (US Federal ID)


PIV (FIPS 201) covers all US federal employees while CAC serves Department of Defense personnel. Both use dual-interface smart cards with PKI but differ in scope and managing authority.

PIV vs CAC (Common Access Card)

PIV cards and CAC cards are often discussed together because CAC is PIV-compliant — but CAC is a stricter, DoD-specific superset of the FIPS 201 PIV standard. Understanding the differences matters for interoperability planning between DoD and civilian federal agencies.

Overview

PIV (Personal Identity Verification, FIPS 201) is the federal standard for secure employee identity credentials, defined by NIST. PIV cards are issued by any US federal agency — civilian (DHS, State, Treasury) or military. The standard specifies minimum credential content: PIV Authentication certificate, Card Authentication certificate, optional Digital Signature and Key Management certificates, CHUID, printed photo, optional fingerprint biometric, and physical security features. The Federal PKI (FPKI) with its Federal Common Policy CA roots all PIV certificates.

CAC (Common Access Card) is the DoD implementation of PIV, plus additional DoD-specific requirements. CAC carries three mandatory certificates (PIV Auth, Email Signing, Email Encryption), a stricter identity proofing process (involving DEERS — Defense Enrollment Eligibility Reporting System), and DoD-specific OIDs and Extended Key Usage values. CAC is issued by Real-Time Automated Personnel Identification System (RAPIDS) stations on military installations. DoD also adds a barcode and magnetic stripe for legacy compatibility with older physical access systems.

Key Differences

  • Standard basis: PIV follows FIPS 201 (NIST); CAC follows DoD 1000.25-M (using FIPS 201 as a baseline)
  • Issuing authority: PIV issued by any civilian or military federal agency; CAC issued exclusively by DoD via RAPIDS
  • Population: PIV covers all federal employees and contractors; CAC is restricted to DoD personnel, reservists, retirees (for some benefits), and eligible DoD contractors
  • Certificate count: PIV mandates at least PIV Auth + Card Auth; CAC mandates PIV Auth + Email Sign + Email Encrypt (three minimum)
  • Identity proofing: Both require in-person proofing with background investigation; CAC relies on DEERS as the authoritative personnel database
  • PKI trust: PIV certificates under FPKI Federal Common Policy CA; CAC under DoD Root CAs (DoD-specific, also cross-certified with FPKI)
  • Physical access: Both support CHUID-based door readers; CAC additionally retains magnetic stripe and barcode for older DoD systems
  • Interoperability: PIV cards are accepted at some DoD facilities; CAC cards are accepted at civilian federal agencies that trust DoD cross-certification — but some civilian systems reject CAC due to DoD-specific certificate policy OIDs
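The interoperability bullet above comes down to one check a relying party makes: does at least one policy OID asserted in the certificate's certificatePolicies extension (RFC 5280 section 4.2.1.4) appear in its configured trust set? The following added example (not code from the page or from any federal project) builds and parses that DER extension value with the standard library and applies the check; the two OID constants are assumed values that must be verified against the FPKI Common Policy CP and the DoD CP, and all function names are hypothetical.

```python
# Policy OIDs below are assumed values: verify against the FPKI Common Policy CP and DoD CP.
FPKI_COMMON_AUTH = "2.16.840.1.101.3.2.1.3.13"  # id-fpki-common-authentication (assumed)
DOD_PIV_AUTH = "2.16.840.1.101.2.1.11.10"       # id-US-dod-PIV-Auth (assumed)

def _tlv(tag, payload):  # DER tag-length-value; short-form length suffices for these values
    return bytes([tag, len(payload)]) + payload

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 encoding, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_cert_policies(oids):  # constructed value: SEQUENCE OF PolicyInformation{policyIdentifier}
    return _tlv(0x30, b"".join(_tlv(0x30, _encode_oid(o)) for o in oids))

def _read_tlv(buf, pos):  # returns (tag, value, position after this element)
    tag, length = buf[pos], buf[pos + 1]  # short-form length only (values here < 128 bytes)
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_oid(body):
    x = min(body[0] // 40, 2)  # first byte packs the first two arcs
    arcs, val = [x, body[0] - 40 * x], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_cert_policies(ext_value):
    """Return the policyIdentifier OIDs asserted in a certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        itag, info, pos = _read_tlv(seq, pos)
        otag, oid, _ = _read_tlv(info, 0)  # policyIdentifier is the first element
        if itag != 0x30 or otag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(_decode_oid(oid))
    return oids

def relying_party_accepts(ext_value, trusted_policies):  # True only on policy overlap
    return bool(set(parse_cert_policies(ext_value)) & set(trusted_policies))
```

A civilian system whose trust set holds only the FPKI policy rejects a CAC that asserts only the DoD policy; adding the cross-certified DoD policy to the set is what makes the same card acceptable.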

Use Cases

PIV is used across:

  • All civilian federal agencies (DHS, State, Treasury, NASA, etc.)
  • Contractor access to civilian federal systems
  • HSPD-12 compliance for any agency receiving federal funding
  • Federal court system and judiciary identity

CAC is used exclusively in:

  • DoD physical access (military bases, ships, aircraft)
  • NIPR and SIPR network authentication
  • DoD email (DISA-operated systems)
  • Defense contractor systems (PIEE, DLA, DCSA portals)
  • PX/BX base privilege access and military benefits systems

Verdict

CAC is a strict superset of PIV — every CAC-holder has a PIV-compliant credential, but not every PIV-holder has a CAC. If interoperability between DoD and civilian agencies is required, both credential types need to be in the trust store of the relying party system. For a new federal civilian agency deploying PKI smart card authentication, standard PIV is the correct choice. For DoD-specific access, CAC is mandatory. The two coexist as part of a unified federal identity ecosystem through FPKI cross-certification.

Recommendation

PIV for civilian federal agencies; CAC for military and DoD.

Frequently Asked Questions

PIV (Personal Identity Verification, FIPS 201) is the US federal civilian employee and contractor identity standard managed by NIST, used for physical and logical access to government facilities and networks. CAC (Common Access Card, DoD 1000.13-M) is the US military smart card issued by the Department of Defense for service members, civilians, and contractors. Both use the ISO 7816 contact interface and X.509 certificates but differ in issuing authority, form factor options, and applet set.

PIV and CAC share a common technical foundation — both implement the PIV application AID defined in NIST SP 800-73 — making them partially interoperable for logical access (smart card logon, digital signature, email encryption). However, physical access control systems are typically configured for one card type or the other, and the certificate policies differ between OPM (PIV) and DoD (CAC), limiting cross-agency trust without explicit trust framework agreements.

Both PIV and CAC cards under current NIST SP 800-78-5 requirements support RSA-2048 and ECDSA P-256/P-384 for authentication, digital signature, and key management certificates. AES-128/256 is used for card management. Post-quantum algorithm support (ML-DSA) is under active standardization by NIST for future PIV revisions, with the DoD expected to follow the federal civilian timeline.

Yes — PIV cards support Smart Card Logon via the PIV authentication certificate (slot 9A) using the PKCS#11 or Windows Smart Card Base Crypto Service Provider interface. Windows domain environments with Active Directory support PIV card logon natively with appropriate CA trust configuration. macOS supports PIV card logon via built-in Smart Card Services since macOS 10.12 Sierra.
