diff --git a/app/models/service_provider.rb b/app/models/service_provider.rb
index c62d65aa661..240ba646986 100644
--- a/app/models/service_provider.rb
+++ b/app/models/service_provider.rb
@@ -42,8 +42,8 @@ def live?
 active? && approved?
 end
- def piv_cac_available?
- PivCacService.piv_cac_available_for_agency?(agency)
+ def piv_cac_available?(user = nil)
+ PivCacService.piv_cac_available_for_agency?(agency, user&.email)
 end
 private
diff --git a/app/presenters/two_factor_options_presenter.rb b/app/presenters/two_factor_options_presenter.rb
index 5ef4a5e360a..60aa9f2e35c 100644
--- a/app/presenters/two_factor_options_presenter.rb
+++ b/app/presenters/two_factor_options_presenter.rb
@@ -43,7 +43,8 @@ def available_2fa_types
 def piv_cac_if_available
 return [] if current_user.piv_cac_enabled?
- return [] unless current_user.piv_cac_available? || service_provider&.piv_cac_available?
+ return [] unless current_user.piv_cac_available? ||
+ service_provider&.piv_cac_available?(current_user)
 %w[piv_cac]
 end
 end
diff --git a/config/application.yml.example b/config/application.yml.example
index 36728963880..77a0f3c89d9 100644
--- a/config/application.yml.example
+++ b/config/application.yml.example
@@ -255,6 +255,7 @@ production:
 password_pepper: # generate via `rake secret`
 password_strength_enabled: 'true'
 piv_cac_agencies: '["DOD","NGA","EOP"]'
+ piv_cac_agencies_scoped_by_email: '["GSA"]'
 piv_cac_email_domains: '[".mil"]'
 piv_cac_enabled: 'false'
 pkcs11_lib: '/opt/cloudhsm/lib/libcloudhsm_pkcs11.so'
diff --git a/spec/models/service_provider_spec.rb b/spec/models/service_provider_spec.rb
index 6fb3c2def22..663e401de83 100644
--- a/spec/models/service_provider_spec.rb
+++ b/spec/models/service_provider_spec.rb
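Review bot: `piv_cac_available?` now takes an optional `user` and forwards `user&.email` to `PivCacService`, but nothing at the definition says why the email matters, and the `PivCacService` side of the change (the new second parameter) is not part of this diff, so a reader of the model cannot tell from here what a `nil` email means or whether other callers of `piv_cac_available_for_agency?` still pass only the agency. A YARD comment would close that gap, e.g. `# @param user [User, nil] optional; the email is forwarded so PivCacService can apply the email-scoped agency list (piv_cac_agencies_scoped_by_email) — TODO confirm what a nil email falls back to`. Because the result decides whether the PIV/CAC sign-in option is offered, that comment should also state whether the email is expected to be the user's confirmed address; I cannot confirm that from the hunk. The enclosing class continues beyond the hunk on both sides.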
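Review bot: The rewritten guard in `piv_cac_if_available` now spans two lines with a trailing `||`, which hides the fact that it is one predicate; a small private helper reads better and gives the combined condition a name. The sketch below shows the shape; where it lands relative to the presenter's `private` marker is not visible in this hunk, and the trailing `end` on the last line appears to close the enclosing class rather than the method.
```ruby
def piv_cac_if_available
  return [] if current_user.piv_cac_enabled?
  return [] unless piv_cac_available_for_user?
  %w[piv_cac]
end

# … unchanged: remaining presenter methods …

# True when the user already qualifies for PIV/CAC or the current service provider enables it for them.
def piv_cac_available_for_user?
  current_user.piv_cac_available? || service_provider&.piv_cac_available?(current_user)
end
```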
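Review bot: The new `piv_cac_agencies_scoped_by_email` key is added only under `production:` in this hunk; if the example file's other environment sections (not visible here) carry the neighbouring `piv_cac_*` keys, this one should be mirrored there as well, since `Figaro.env` returns nil for an unset key and a deployment copied from a stale example would silently run without the scoping. A trailing comment in the file's existing style (`password_pepper: # generate via ...`) explaining how this list differs from `piv_cac_agencies` would help operators, e.g. `piv_cac_agencies_scoped_by_email: '["GSA"]' # agencies where PIV/CAC availability also depends on the user's email (see PivCacService)`, with the exact wording confirmed against the service code, which this diff does not show.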
@@ -70,25 +70,30 @@ describe 'piv_cac_available?' do
 context 'when the service provider is with an enabled agency' do
 it 'is truthy' do
- allow(Figaro.env).to receive(:piv_cac_agencies).and_return(
- [service_provider.agency].to_json
- )
- PivCacService.send(:reset_piv_cac_avaialable_agencies)
-
+ allow(PivCacService).to receive(:piv_cac_available_for_agency?).and_return(true)
 expect(service_provider.piv_cac_available?).to be_truthy
 end
 end
 context 'when the service provider agency is not enabled' do
 it 'is falsey' do
- allow(Figaro.env).to receive(:piv_cac_agencies).and_return(
- [service_provider.agency + 'X'].to_json
- )
- PivCacService.send(:reset_piv_cac_avaialable_agencies)
+ allow(PivCacService).to receive(:piv_cac_available_for_agency?).and_return(false)
 expect(service_provider.piv_cac_available?).to be_falsey
 end
 end
+
+ context 'when the service provider setting depends on the user email' do
+ let(:user) { build(:user) }
+
+ it 'calls with the user email' do
+ expect(PivCacService).to receive(
+ :piv_cac_available_for_agency?
+ ).with(service_provider.agency, user.email)
+
+ service_provider.piv_cac_available?(user)
+ end
+ end
 end
 describe '#encryption_opts' do
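Review bot: The new context pins the email argument only for the non-nil case; the default `user = nil` path, which the two existing examples still exercise, now forwards `nil` as the second argument and nothing asserts that. Adding an example such as `expect(PivCacService).to receive(:piv_cac_available_for_agency?).with(service_provider.agency, nil)` followed by `service_provider.piv_cac_available?` would keep a later change in PivCacService from silently altering the agency-only behaviour. Note also that the two rewritten stubs use `allow(...).and_return(...)` without `.with`, so they no longer verify that the agency is passed at all; the third example is now the only place that checks the arguments. The enclosing `describe 'piv_cac_available?'` block opens before this hunk.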