Mapping out our Destination: Responsible Innovation via the NIST Identity Roadmap

RSA Conference week is always a whirlwind. NIST was there front and center last month, and we learned a lot, shared a lot, and made a big announcement during the festivities…

We were excited to announce that NIST’s DRAFT Identity and Access Management Roadmap was released for public comment on Friday, April 14th and that the comment period will be extended to June 16th.

What is the Roadmap?

The Roadmap provides a consolidated view of NIST’s planned identity efforts over the coming years and serves as a vehicle to communicate our priorities. It provides guiding principles and strategic objectives, aligns NIST efforts with nationally defined priorities, and supports long-term planning of identity and access management (IAM) initiatives. It covers a diverse array of projects including biometric technology evaluation, Mobile Driver’s License, and fraud detection using Privacy Enhancing Technology. It also integrates teams and disciplines from across NIST.

What are NIST’s IAM Guiding Principles?

In addition to communicating strategic priorities, we are using the roadmap to reinforce the core values that define our efforts. These are represented by five guiding principles that will be imbued in our work, whether it be via guidance, research, or reference implementations:

  1. Enhance privacy and security by integrating confidentiality, integrity, and availability into our efforts alongside the core privacy engineering objectives of predictability, manageability, and disassociability.
  2. Foster equity and individual choice by exploring the diverse socio-technical impacts of identity technology and integrating optionality and flexibility into our work products.
  3. Promote usability and accessibility by assessing the impacts of technology on diverse communities with varying levels of technology access, knowledge, and capabilities.
  4. Enhance interoperability and standardization by creating or contributing to accessible and technically viable standards, guidance, and specifications.
  5. Improve measurement and transparency of identity technology by creating methodologies and metrics that enhance the fundamental understanding of how technologies perform and are open and available to the public.

Taken together, these principles are intended to set the conditions for responsible innovation - the idea of driving towards new technologies and solutions in a manner that is informed by the broader impacts associated with technological change.

What are NIST’s Strategic Objectives?

The Roadmap highlights eight strategic objectives – with numerous planned supporting activities that NIST intends to explore in the coming years:

  1. Accelerate implementation and adoption of mobile driver’s license and user-controlled digital identities
  2. Expand and enhance biometric and identity measurement programs
  3. Promote technologies that enable authoritative attribute validation
  4. Advance secure, private, usable, and equitable identity proofing and fraud mitigation options
  5. Accelerate the use of phishing resistant, modern multi-factor authentication (MFA)
  6. Modernize Federal Personal Identity Verification (PIV) guidance and Infrastructure
  7. Promote greater federation and interoperability of identity solutions
  8. Advance Dynamic Authorization and Access Control Schemes

Each of these objectives is multi-year in nature, with expected collaboration between and across government, academia, and industry, which NIST considers a critically important part of the process (and ultimately, necessary for success). Projects in support of these objectives will run the spectrum from foundational, pre-standardization research to full National Cybersecurity Center of Excellence (NCCoE) Practice Guides (basically, our “how to” resources).

How can I get involved?

You can start by commenting on the roadmap! We published it to gain feedback from the broadest possible spectrum of interested parties. So…please read it, send it to a friend, pass it around your community, and send us your thoughts! To submit your comments, email us at digital_identity [at] nist.gov by June 16th, 2023.

You can also follow our work on the IAM Program page, join one of our Communities of Interest at the NCCoE (such as the one for Digital Identities - Mobile Driver’s License), attend our events, or comment on our guidance. For those of you attending Identiverse, we will be giving a presentation covering the roadmap with a specific emphasis on our mDL, PIV Modernization, and international interoperability efforts. We look forward to hearing and learning from you all along the way.

About the author

Ryan Galluzzo

Ryan is the Digital Identity Program Lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology (NIST). In this role he coordinates digital identity projects, initiatives, and efforts to advance NIST’s standards & guidance and drive foundational research to promote innovation in digital identity. He has contributed to multiple NIST Special Publications including NIST SP 800-63 Digital Identity Guidelines. Prior to joining NIST, Ryan was a Specialist Leader at Deloitte & Touche where he spent over 10 years providing cybersecurity and identity management subject-matter insights to multiple federal agencies, including the Internal Revenue Service (IRS), the General Services Administration (GSA), and NIST.
