A Note on Progress… NIST’s Digital Identity Guidelines

In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4. As part of that session, we committed to providing further information on the status of each volume going forward. In fulfillment of this commitment, we wanted to offer a quick update on where we stand.

Our goal remains to have the next version of each volume out by the Spring of 2024. With our gratitude for the robust and substantive engagement we received during the comment period, at this time we would like to announce that all four volumes of Special Publication 800-63-4 will have a second public comment period, which will last at least 45 days.

  • NIST SP 800-63 Base Volume. We are making substantive changes to the volume including updating the digital identity model to account for “Issuer, Holder, Verifier” frameworks of digital identity, new content around continuous evaluation metrics, and updates to the digital identity risk management processes.
  • NIST SP 800-63A: Identity Proofing and Enrollment. We received over 1,500 comments on this volume alone. Based on this feedback, we are making updates to IAL1 to better balance user burden and security, modifying how we frame the different types of identity proofing, and providing an additional discussion of fraud detection and mitigation approaches.
  • NIST SP 800-63B: Authentication and Lifecycle Management. Updates to this volume largely relate to NIST’s approach to synched authenticators (e.g., passkeys) and account recovery. We are also adding a new authenticator type to account for emerging credential types. While these changes are not overwhelming in their volume, they constitute changes of sufficient substance to warrant a second public review.  
  • NIST SP 800-63C: Federation and Assertions. We will be adding a new section to cover the presentation of Mobile Driving Licenses (mDLs) and verifiable credentials. This section will also provide basic security requirements for “digital wallets” that store and convey documents and identity information. 

To get the full rundown from our August session, you can find the video feed and materials here: “Digital Identity What’s Next for NIST?” If you have questions or comments about the current Guidelines (Revision 3) or the draft volumes (Revision 4), you can send all inquiries to dig-comments [at] nist.gov.

Happy holidays, and be on the lookout for additional updates in the new year (including updates to our Identity Management Roadmap)!

~The Digital Identity Guidelines Team

About the author

Ryan Galluzzo

Ryan is the Digital Identity Program Lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology (NIST). In this role he coordinates digital identity projects, initiatives, and efforts to advance NIST’s standards & guidance and drive foundational research to promote innovation in digital identity. He has contributed to multiple NIST Special Publications including NIST SP 800-63 Digital Identity Guidelines. Prior to joining NIST, Ryan was a Specialist Leader at Deloitte & Touche where he spent over 10 years providing cybersecurity and identity management subject-matter insights to multiple federal agencies, including the Internal Revenue Service (IRS), the General Services Administration (GSA), and NIST.

David Temoshok

David Temoshok currently serves as Senior Advisor Applied Cybersecurity for the National Institute of Standards and Technology. In this capacity, Mr. Temoshok is responsible for the development and implementation of United States national and international standards for secure identity and authentication assurance – including NIST Special Publication 800-63-3 Digital Identity Guidelines and associated international standards to promote secure, privacy-enhancing online services on national and global scales.

Andrew Regenscheid

Andrew Regenscheid is a project lead for applied cryptography within the Computer Security Division at NIST. In his 15 years as part of the Cryptographic Technology Group, Andrew has worked to apply cryptographic algorithms and tools to improve the security of computer platforms, communication protocols, and authentication mechanisms. As the technical lead for the Personal Identity Verification standards program, Andrew is responsible for developing identity management standards and technical guidelines for federal government employees and contractors, while also contributing to NIST’s broader portfolio of digital identity guidance as a coauthor of NIST SP 800-63. 

Connie LaSalle

Connie LaSalle is a Senior Technology Policy Advisor within the NIST IT Lab. Prior to joining NIST, Connie led the Platform Program and Federal Customer Success teams at DC-based startup Virtru. In the years leading up to this role, Connie served as the lead policy advisor to the Chief Information Officer of the U.S. Department of Justice and led several cybersecurity and IT modernization initiatives within the White House Office of Management and Budget. Beyond her government service, Connie brings several years of industry experience with her to NIST and holds a graduate degree in public policy.
