Mapping out our Destination: Responsible Innovation via the NIST Identity Roadmap

RSA Conference week is always a whirlwind. NIST was there front and center last month, and we learned a lot, shared a lot, and made a big announcement during the festivities…

We were excited to announce that NIST’s DRAFT Identity and Access Management Roadmap was released for public comment on Friday, April 14^th and that the comment period will be extended to June 16^th.

What is the Roadmap?

The Roadmap provides a consolidated view of NIST’s planned identity efforts over the coming years and serves as a vehicle to communicate our priorities. It provides guiding principles, strategic objectives, aligns NIST efforts with nationally-defined priorities, and supports long-term planning of identity and access management (IAM) initiatives. It covers a diverse array of projects including biometric technology evaluation, Mobile Driver’s License, and fraud detection using Privacy Enhancing Technology. It also integrates teams and disciplines from across NIST. 

What are NIST’s IAM Guiding Principles?

In addition to communicating strategic priorities, we are using the roadmap to reinforce the core values that define our efforts. These are represented by five guiding principles that will be imbued in our work, whether it be via guidance, research, or reference implementations:

1. Enhance privacy and security by integrating confidentiality, integrity, and availability into our efforts alongside the core privacy engineering objectives of predictability, manageability, and disassociability.
2. Foster equity and individual choice by exploring the diverse socio-technical impacts of identity technology and integrating optionality and flexibility into our work products.
3. Promote usability and accessibility by assessing the impacts of technology on diverse communities with varying levels of technology access, knowledge, and capabilities.
4. Enhance interoperability and standardization by creating or contributing to accessible and technically viable standards, guidance, and specifications.
5. Improve measurement and transparency of identity technology by creating methodologies and metrics that enhance the fundamental understanding of how technologies perform and are open and available to the public.

Taken together, these principles are intended to set the conditions for responsible innovation - the idea of driving towards new technologies and solutions in a manner that is informed by the broader impacts associated with technological change.

What are NIST’s Strategic Objectives?

The Roadmap highlights eight strategic objectives – with numerous planned supporting activities that NIST intends to explore in the coming years:

1. Accelerate implementation and adoption of mobile driver’s license and user-controlled digital identities
2. Expand and enhance biometric and identity measurement programs
3. Promote technologies that enable authoritative attribute validation
4. Advance secure, private, usable, and equitable identity proofing and fraud mitigation options
5. Accelerate the use of phishing resistant, modern multi-factor authentication (MFA)
6. Modernize Federal Personal Identity Verification (PIV) guidance and Infrastructure
7. Promote greater federation and interoperability of identity solutions
8. Advance Dynamic Authorization and Access Control Schemes

Each of these objectives are multi-year in nature, with expected collaboration between and across government, academia, and industry— which NIST considers a critically important part of the process (and ultimately, necessary for success). Projects in support of these objectives will run the spectrum from foundational, pre-standardization research to full National Cybersecurity Center of Excellence (NCCoE) Practice Guides (basically, our “how to” resources).

How can I get involved?

You can start by commenting on the roadmap! We published it to gain feedback from the broadest possible spectrum of interested parties. So…please read it, send it to a friend, pass it around your community, and send us your thoughts! To submit your comments email us at digital_identity [at] nist.gov (digital_identity[at]nist[dot]gov) by June 16^th, 2023.

You can also follow our work on the IAM Program page, join one of our Communities of Interest at the NCCoE (such as the one for Digital Identities - Mobile Driver’s License), attend our events, or comment on our guidance. For those of you attending Identiverse we will be giving a presentation covering the roadmap with a specific emphasis on our mDL, PIV Modernization, and international interoperability efforts. We look forward to hearing and learning from you all along the way.