
A new look at levels of assurance

Spring is a great time for change, and here at the NSTIC NPO, we like to think we’re always ready for change. When we catch wind of a change in the world of online identity, we like to prepare early. We also like to think we listen to our stakeholders. The message has come through clear and simple: four levels of assurance simply aren’t enough. We’ve heard you, and we’re ready for change.

It’s a good thing, too, because we’ve recently heard a rumor of a possible new memorandum coming out of OMB and, because we prepared early, we know exactly what we have to do. If the early indications are accurate, OMB’s M-15-15 will redefine the way we do online authentication. Just as its predecessor OMB M-04-04 defined the four levels of assurance, M-15-15 is responsive to the needs of government for e-authentication and creates a workable framework understandable to all.

Today we’re responding to the call for M-15-15 and its 15 levels of assurance. Without further ado, we think our multi-stakeholder approach to establishing these levels has really hit the mark:

Level 1: The stranger
Level 2: Meh
Level 3: Not if you were the last credential on earth
Level 4: Dude. Dude. DUDE.
Level 5: I’m never gonna let you in
Level 6: Reasonable confidence subject is not wearing a cape
Level 7: A bear? Oh don’t apologize, I get it all the time
Level 8: 4realz?
Level 9: I hope you are I hope you are I hope you are
Level 10: I think therefore you are
Level 11: I am what I am and that’s all that I am
Level 12: I think you are I think you are I think you are
Level 13: Identity matrix
Level 14: Abso-freakin-lutely
Level 15: Totes McGoats

Industry response to this effort has been fantastic and we thank our partners for their efforts. World-renowned identity guru Ian Glazer says, “Sure, sometimes you need to know whether someone is a fictional character or an actual carbon-based entity, but it’s just not important whether it’s Darth Vader or Little Bo Peep. That’s why we needed level 6, and that’s exactly what we got. Way to go, NIST.”

Kim Sutherland, plenary chair of the IDESG, was more concerned about higher levels of assurance. “The old approach just didn’t have the quantitative depth that we needed for our work. With the new level 13, we can finally conduct the matrix multiplication necessary to properly authenticate in today’s complex risk environment. I can’t thank NIST enough.”

Just doin’ our jobs, ma’am.

Follow the NSTIC NPO on Twitter for the latest updates.


Whoever at NIST/NSTIC had the idea to post this today deserves a raise :)
I don't know who posted this but I enjoyed the humor. . . :)
The former Pop Band Milli Vanilli recorded the song "Girl, don't you know it's true" and I find the reference to be in good faith with Identity Verification. Now, we have #POTUS making #CyberSanctions and that means NIST hit the target for the future. IMO, that's part of the scope within NIST and I'm glad the challenges have been met. If a measure of thought was placed on new Identity Verifications standards, it could be said that "Humans need protection from themselves and other Humans". While not a popular statement, it's fitting in regards to current Internet activity.
