Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A minor plot twist: Comment period extended for PART of SP 800-63-3

Let’s get this out of the way right up front: this is not an early April Fools Day prank!

Granted, government blogs aren’t the typical medium for getting emotional. But we (Paul and Mike), and the rest of our incredible team at NIST, have truly been moved by the support, encouragement, and engagement you’ve provided as we embarked simultaneously on this major update to the document and – perhaps even bigger – updating our community engagement process to achieve a better result on this document.

We have received your feedback during the open comment period for draft Special Publication (SP) 800-63-3: Digital Identity Guidelines and can’t thank you enough. While we still have many comments to resolve, the feedback we’ve received has been very positive overall. Thanks to your help, we are very close – and will close the comment period as scheduled. Sort of…

But wait, there’s more!

In consultation with the White House Office of Management and Budget, we developed an approach to include normative guidelines to manage digital identity risk directly into SP 800-63-3. Over the years, many of you have asked for a more consistent approach to risk assessment and associated technical risk mitigation guidance. The changes in this update made this request even more important. We’re extremely grateful for our collaborative relationship with OMB, which enabled us to respond to you and better serve agency and industry needs. We believe this change will make digital identity management simpler for agency officials, mission owners, and implementers alike. But – consistent with the approach we’ve taken with this update so far – we need your feedback to know if we got it right. To that end, we are extending the comment period for the 800-63-3 volume only until for 30 days, closing on May 1st.  

a diagram of the four volumes in Special Publication 800-63-3

Let’s summarize:

  • We are closing the comment period as scheduled for 800-63A, 800-63B, and 800-63C. Pending comment resolution, we believe these documents are sufficiently stable to finalize.
  • We’re extending the comment period for the parent volume only, SP 800-63-3, until May 1st.
  • Today, we updated the SP 800-63-3 volume on GitHub and in CSRC. The new version is now available and ready for your feedback.
  • We expect to finalize and issue all four volumes together.
  • We will still adjudicate the comments received on SP 800-63-3, though some will no longer apply to the new version. On GitHub, if you’ve already commented or opened any issue, no need to do so again. Once the issue is closed, we encourage you to check the disposition to make sure we didn’t miss something in the version change.
  • If there are flow-down changes into the other volumes, we’ll address them when SP 800-63-3 stabilizes.
  • If something wild happens (not like wild wild…more like identity management standards wild) we’ll assess whether the flow-down changes warrant reopening other volumes, but we don’t anticipate that happening.

And some special notes on the updated version of SP 800-63-3:

  • We ask that you review this document on its merits and do not comment on potential conflicts with existing guidance; we are working with our federal partners to address any such conflicts before finalizing.

  • This volume now contains both normative and informative sections.
  • We’ve incorporated guidelines for supporting the risk assessment process of digital applications.
  • The entire volume is open for comment.

Please check out the updated parent document — and dig-comments [at] (reach out) to us if you have questions. You can also submit comments the old-fashioned way, via dig-comments [at] (email). Sorry we’re not accepting comments the old-old fashioned way or the old-old-old fashioned way of fax and post, respectively. Though singing telegrams won’t be turned away.

Follow us on Twitter for updates and reminders to submit feedback on SP 800-63-3, as well as to engage with all our other efforts.

About the author

Paul Grassi

Paul Grassi was a Senior Standards and Technology Advisor at the National Institute of Standards and Technology (NIST). He joined NIST in June 2014 to advance and accelerate the development and adoption of identity authentication and authorization related standards and technologies needed to implement the identity ecosystem envisioned in the National Strategy for Trusted Identities in Cyberspace (NSTIC). Mr. Grassi has a broad background in technology and management consulting, and significant experience developing enterprise security strategies and systems, having served a range of Fortune 500 companies, as well as domestic and foreign governments. He is no longer at NIST, but continues to serve the identity community.

Mike Garcia

Mike Garcia is a PhD economist and Federal 100 award winning cybersecurity expert. He currently serves as lead for the Trusted Identities Group at the National Institute of Standards and Technology (NIST), working to catalyze commercial and government adoption of innovative online identity solutions and advancing standards, guidance, and measurement science in identity management.

Mike has focused on cyber economics at NIST since 2011 and was previously with the Department of Homeland Security. He has also worked as a market research manager and software engineer. His dissertation analyzed the conditions that induce firms to invest in preventing data breaches and to report them when they happen.

Related posts


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.