Getting digital identity right can be a challenge—that's why NIST develops guidance, including frameworks and methods, to help agencies and organizations offer privacy-enhancing, secure, interoperable, and easy-to-use services. NIST guidance is risk-based, enabling organizations to achieve mission goals, deploy services that are appropriate for their systems and users, and simultaneously minimize adverse outcomes. NIST works continually with the community to develop deployable, effective guidance.
NIST aims to support market progress, like the adoption of more effective authentication solutions. The outlook is good: 63% of large organizations are using multi-factor authentication (MFA) across their organization, and 41% of medium-sized businesses plan to implement or expand their MFA deployments in 2017, according to SecureAuth.
The Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication includes: an overview of identity frameworks; using authenticators, credentials, and assertions in a digital system; and a risk-based process to select assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs. SP 800-63 comprises a suite of documents that can be used independently or in concert to meet identity needs.
NIST will work with the community to prepare implementation guidance for the Digital Identity Guidelines. The goal is to give implementers easily deployable guidance and help them meet the requirements.
NISTIR 8062 provides an introduction to the concepts of privacy engineering and risk management for Federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within Federal systems, and the effective implementation of privacy principles. NISTIR 8062 introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model.
The TIG pilots develop innovative technologies and solutions designed to enable more secure, convenient, and privacy-enhancing access to digital services. The pilots’ cross-market use cases have catalyzed and scaled solutions for protecting children’s online privacy, improving veterans’ access to benefits, and securing patients' and providers’ access to electronic health records. Read on for just a few examples of projects supporting digital identity for organizations.
In their NIST pilot, Daon updated its IdentityX authentication technology to a federated, interoperable, standards-based capability designed to offer strong authentication in a manner that improves both security and usability. Daon’s IdentityX solution provides multi-factor authentication on the iOS and Android platforms with the ability to selectively combine a variety of traditional and non-traditional authentication methods of varying strength—voice and face biometrics, device authentication, password, PIN, one-time password, and location—depending on the risk level of the transaction and customer choice.
Internet2 has developed tools to encourage the adoption of privacy-enhancing technology. Their work includes deploying smartphone-based MFA across three major university campuses, establishing a collaborative group to accelerate the adoption of MFA across universities, developing a user-centric privacy management tool, and assessing the current state of anonymous credential technologies.
The pilots aren't about changing everything on their own. They're about a partnership model and an ecosystem approach. One good deployment leads to another, which attracts new innovation, which becomes a virtuous cycle of its own. One of the best ways to foster this is to tell folks what's going right and what's going wrong. For all of our pilots, we require our partners to talk publicly about their successes and failures. For those pilots that work with government partners, we require an independent evaluation to assess the impacts and benefits to constituent services. You can find the report on one of those pilots here, and as other pilots wrap up, we'll be publishing reports on those as well.
The NIST Privacy Engineering Program supports the development of trustworthy systems by applying measurement science and systems engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties.
NIST’s Cybersecurity for IoT program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across industry, government, international bodies, and academia, the program aims to cultivate trust and promote U.S. leadership in IoT.