Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Roadmap: NIST Special Publication 800-63-3 Digital Identity Guidelines

Special Publication 800-63 Revision 4

NIST Special Publication (SP) 800-63-3 Digital Identity Guidelines was published in June 2017 and federal agencies and industry have now had over 2 year of experience in assimilating, adopting and implementing the controls and requirements of the 4-volume set – SP 800-63-3, SP 800-63A Enrollment and Identity Proofing, SP 800-63B Authentication and Lifecycle Management, and SP 800-63C Federation and Assertions. SP 800-63-3 represented a major change from the previous version of these guidelines (SP 800-63-2) and advanced new approaches for componentization, assurance levels, authenticators, federation, and privacy considerations. There has been widespread interest, analysis and adoption by industry and international standards organizations of SP-800 63-3 for its concepts, guidance, control requirements, and risk-based approach to identity management. Further, agency and industry experience in implementation of the guidelines have resulted in identifying aspects of the guidelines that would be enhanced through additional guidance and issues that have proven to be challenging for implementers. NIST has been collecting questions and issues identified by agencies and industry. When answers to questions are developed, they are posted on a Frequently Asked Questions (FAQ) page found at https://pages.nist.gov/800-63-FAQ/ while open issues are captured at https://github.com/usnistgov/800-63-3/issues. NIST continues to invite submissions to both of these forums.

OMB Policy Memo M-19-17 assigned the Department of Commerce the responsibility to use agency feedback to enhance SP 800-63-3. This presents the opportunity to open SP 800-63-3 to a broader review and issues discussion. NIST issued a formal request for review and comment on the current four-volume set for SP 800-63-3 on June 8, 2020. The comment period will remain open for comments until August 10, 2020. Comments may be submitted to: dig-comments-RFC [at] nist.gov

 

Milestone Activity

Projected FYQ Completion

 

Notes

Publication of Errata (2nd set) for SP 800-63-3.

Published 3/02/2020

Errata publication provided editorial corrections to SP 800-63-3 text.

Publication of Request for Comments for revisions to SP 800-63-3.

6/08/2020

60-day public comment period. Comment period will remain open until August 10, 2020.

Comment analysis and adjudication. 

FY 2020 Q4 – 2021 Q1

 Completed FY 2021 Q1.

Open issues discussion on GitHub

FY 2021 Q2-3

 Open issues for discussion posted Feb. 15, 2021 at https://github.com/usnistgov/800-63-4/issues. Issues will be open for discussion for 60 days until May 15, 2021.

Development of new/revised draft text for all 4 volumes of SP 800-63-4. FY 2021 Q3-FY 2022 Q1  

Publication of draft SP 800-63-4.

FY 2022 Q2

 Projected 60-day public comment period.

NIST workshop for draft SP 800-63-4 changes. FY 2022 Q2-3  
Comment analysis and adjudication. FY 2022 Q3  
Development of new/revised text for final publication of SP 800-63-4. FY 2022 Q4  

Publication of final SP 800-63-4.

FY 2023 Q1

Milestones and projected timeframes based on actual schedule for SP 800-63-3 revision.

SP 800-63-3 Implementation Resources

NIST Special Publication 800-63-3Digital Identity Guidelines, is an umbrella publication that introduces the digital identity model described in the SP 800-63-3 document suite. It frames identity guidelines in three major areas:

  • Enrollment and identity proofing (SP 800-63A),
  • Authentication and lifecycle management (SP 800-63B),
  • Federation and assertions (SP 800-63C).

 In addition to introducing detailed guidelines in these areas, SP 800-63-3 addresses the factors involved in choosing the appropriate Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL) for a given application.

These implementation resources are provided pursuant to OMB Policy Memorandum M-19-17. While these resources reference normative guidelines in the SP 800-63-3 document suite and other documents, these resources are intended as informative implementation guidance and are not normative. These implementation resources provide guidance for SP 800-63-3 in three parts: Part A addresses SP 800-63A, Part B addresses SP 800-63B, and Part C addresses SP 800-63C.

Comments on these resources are welcomed and can be submitted via email to dig-comments [at] nist.gov ().

 

Milestone Activity

Projected FYQ Completion

 

Notes

Implementation resources posted for SP 800-63A, SP 800-63B, and SP 800-63C at the NIST Identity and Access Management Resource Center

July 1, 2020

Comments, questions and requests may be submitted to the Identity and Access Management Resource Center at

dig-comments [at] nist.gov.

Updates to SP 800-63-3 Implementation Resources.

Ongoing

This resource is intended to be an ongoing resource for SP 800-63-3 and  will be updated periodically.

SP 800-63-3 Conformance Criteria

Pursuant to Office of Management and Budget Policy Memorandum M-19-17, the Conformance Criteria present non-normative, informational guidance on all requirements and controls contained in NIST Special Publications (SP) 800-63A Enrollment and Identity Proofing and SP 800-63B Authentication and Lifecycle Management for assurance levels IAL2 and IAL3 and AAL2 and AAL3. The complete set of Conformance Criteria are intended to provide non-normative supplemental guidance to federal agencies and other organizations to facilitate implementation and assessment.

Comments or questions on the Conformance Criteria may be sent to dig-comments [at] nist.gov.

 

Milestone Activity

Projected FYQ Completion

 

Notes

Posting of Conformance Criteria for SP 800-63A at IAL2 and IAL3 and SP 800-63B at AAL2 and AAL3 at the NIST Identity Management Resource Center.  

June 2020

Comments, questions and requests may be submitted to Identity and Access Management Resource Center at

dig-comments [at] nist.gov.

Updates to SP 800-63A and 800-63B Conformance Criteria.

Ongoing

This resource is intended to be an ongoing resource for SP 800-63-3 and updated periodically.

Posting for SP 800-63C Conformance Criteria for all three assurance levels at the NIST Identity and Access Management Resource Center.

April 26, 2021

Comments, questions and requests may be submitted to the Identity and Access Management Resource Center at

dig-comm [at] nist.gov ().

 

Created January 22, 2020, Updated August 10, 2021