NIST Digital Identity Guidelines take a giant leap forward
NIST SP 800-63 delivers new format and clearer guidelines to better serve agencies
With the first significant update since 2013, NIST 800-63-3 brings a modern and flexible approach to digital identity that serves the mission needs agencies are facing today.
NIST SP 800-63-3 Digital Identity Guidelines, previously called the Electronic Authentication Guidelines (NIST SP 800-63-2), provide agencies with modernized technical guidance regarding the digital authentication of users to federal networked systems. These guidelines primarily focus on agency services that interact with non-federal workers, such as citizens accessing benefits or private sector partners accessing collaboration spaces. Internal agency systems accessed by employees and contractors are also covered. This guidance applies to all transactions that require digital identity or authentication regardless of the constituency. Transactions associated with national security systems are not covered.
NIST SP 800-63-3 is now a suite of four documents, designed to provide digital identity guidance that is modern and flexible and enables organizations and agencies to employ standards-based, component-based identity solutions to meet specific mission needs. The document suite includes the following:
- SP 800-63 Digital Identity Guidelines
- SP 800-63A Enrollment & Identity Proofing
- SP 800-63B Authentication & Lifecycle Management
- SP 800-63C Federation and Assertions
NIST SP 800-63-3 replaces Levels of Assurance (LOA) with the concept of individual components of digital authentication assurance, supporting independent treatment of authentication strength and confidence in an individual's claimed identity. Each component is an ordinal value assigned to one of the three distinct stages of the identity flow. Values are assigned based on risk profiles and risk appetite. To help organizations assess and apply the individual components listed below, a risk assessment methodology is included in the guidelines.
- Identity Assurance Level (IAL): the identity proofing process and the binding between one or more authenticators and the records pertaining to a specific subscriber
- Authenticator Assurance Level (AAL): the authentication process, including how additional factors and authentication mechanisms can impact risk mitigation
- Federation Assurance Level (FAL): the assertion used in a federated environment to communicate authentication and attribute information to a relying party (RP)
These changes simplify and clarify guidance, better align with commercial solutions, promote international interoperability, and focus on outcomes to promote innovation and deployment flexibility. The removal of LOAs and the separation of identity proofing, authentication, and federation into distinct components give organizations latitude in designing, building, consuming, and procuring identity technology.
Important changes affect authentication mechanisms, including the removal of email as a valid channel for authenticators and the recommendation to no longer use SMS for multi-factor authentication (MFA). NIST SP 800-63B provides guidelines for implementing more robust MFA solutions that enhance security when accessing an organization's network portal.
Organizations selecting digital identity services can lean on NIST SP 800-63-3 for risk assessment guidance that supplements the NIST Risk Management Framework (RMF), the Federal Information Security Modernization Act (FISMA) of 2014, and other guidelines.
NOTE: Federal agencies that provide services to citizens will be affected by these updates, as they must comply with OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies, which relies on NIST SP 800-63 for the analysis of appropriate assurance levels when implementing authentication mechanisms.
TalaTek Security Risk Assessment Services can help evaluate your existing digital identity services. Our team of experts has experience helping clients meet the requirements of security and risk controls and frameworks, including FISMA and NIST. We understand the fundamentals required to build a sound risk & identity management program and can help your organization define the risk appetites, profiles and processes for the foundation of your digital identity program. Whether you’re just getting started or looking to enhance an existing program, TalaTek can help identify the appropriate digital identity services and implement identity, authenticator, and federation assurance levels based on your unique risk profile.