
Roadmap: NIST Special Publication 800-63-4 Digital Identity Guidelines

Special Publication 800-63, Draft Revision 4

The Draft Fourth Revision of NIST SP 800-63, Digital Identity Guidelines is available for review, and we need your feedback! NIST will accept all input submitted until 11:59pm on April 14, 2023, through the following site: https://csrc.nist.gov/publications/detail/sp/800-63/4/draft.

NIST held a virtual event, Digital Identity Guidelines – Kicking off Revision 4!, on January 12, 2023. Presentation slides are available here.

Background

The rapid proliferation of online services over the past few years has heightened the need for reliable, equitable, secure, and privacy-protective digital identity solutions.

Revision 4 of NIST Special Publication 800-63, Digital Identity Guidelines, intends to respond to the changing digital landscape that has emerged since the last major revision of this suite was published in 2017 — including the real-world implications of online risks. The guidelines present the process and technical requirements for meeting digital identity management assurance levels for identity proofing, authentication, and federation, including requirements for security and privacy as well as considerations for fostering equity and the usability of digital identity solutions and technology.

Taking into account feedback provided in response to our June 2020 Pre-Draft Call for Comments, as well as research conducted into real-world implementations of the guidelines, market innovation, and the current threat environment, this draft seeks to:

  1. Advance Equity: This draft seeks to expand upon the risk management content of previous revisions and specifically mandates that agencies account for impacts to individuals and communities in addition to impacts to the organization. It also elevates risks to mission delivery – including challenges to providing services to all people who are eligible for and entitled to them – within the risk management process and when implementing digital identity systems. Additionally, the guidance now mandates continuous evaluation of potential impacts across demographics and provides biometric performance requirements and additional parameters for the responsible use of biometric-based technologies, such as those that utilize face recognition.
  2. Emphasize Optionality and Choice for Consumers: In the interest of promoting and investigating additional scalable, equitable, and convenient identity verification options, including those that do and do not leverage face recognition technologies, this draft expands the list of acceptable identity proofing alternatives to provide new mechanisms to securely deliver services to individuals with differing means, motivations, and backgrounds. The revision also emphasizes the need for digital identity services to support multiple authenticator options to address diverse consumer needs and secure account recovery.
  3. Deter Fraud and Advanced Threats: This draft enhances fraud prevention measures from the third revision by updating risk and threat models to account for new attacks, providing new options for phishing-resistant authentication, and introducing requirements to prevent automated attacks against enrollment processes. It also opens the door to new technology such as mobile driver’s licenses and verifiable credentials.
  4. Address Implementation Lessons Learned: This draft addresses areas where implementation experience has indicated that additional clarity or detail was required to effectively operationalize the guidelines. This includes re-working the federation assurance levels, providing greater detail on Trusted Referees, clarifying guidelines on identity attribute validation sources, and improving address confirmation requirements.

Roadmap

| Milestone Activity | Projected FYQ Completion | Notes |
| --- | --- | --- |
| Publication of draft SP 800-63-4. | FY 2023 Q1 | Stakeholder feedback requested! NIST will accept input until April 14, 2023. All documents can be found here: https://csrc.nist.gov/publications/detail/sp/800-63/4/draft |
| NIST workshop for draft SP 800-63-4 changes. | FY 2023 Q2 | The workshop was held on January 12, 2023, from 1-4 pm ET. Presentation slides available here. |
| Feedback analysis and adjudication. | FY 2023 Q2 - FY 2023 Q3 | Dependent upon scale of feedback. Determinations on additional drafts will be made at close of comment period. |
| Development of new/revised text for final publication of SP 800-63-4. | FY 2023 Q4 - FY 2024 Q2 | Dependent upon scale of required updates. |
| Publication of final SP 800-63-4. | FY 2024 Q2 | |

SP 800-63-3 Implementation Resources

NIST Special Publication 800-63-3, Digital Identity Guidelines, is an umbrella publication that introduces the digital identity model described in the SP 800-63-3 document suite. It frames identity guidelines in three major areas:

  • Enrollment and identity proofing (SP 800-63A),
  • Authentication and lifecycle management (SP 800-63B),
  • Federation and assertions (SP 800-63C).

 In addition to introducing detailed guidelines in these areas, SP 800-63-3 addresses the factors involved in choosing the appropriate Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL) for a given application.

These implementation resources are provided pursuant to OMB Policy Memorandum M-19-17. While these resources reference normative guidelines in the SP 800-63-3 document suite and other documents, these resources are intended as informative implementation guidance and are not normative. These implementation resources provide guidance for SP 800-63-3 in three parts: Part A addresses SP 800-63A, Part B addresses SP 800-63B, and Part C addresses SP 800-63C.

Comments on these resources are welcomed and can be submitted via email to dig-comments [at] nist.gov.

| Milestone Activity | Projected FYQ Completion | Notes |
| --- | --- | --- |
| Implementation resources posted for SP 800-63A, SP 800-63B, and SP 800-63C at the NIST Identity and Access Management Resource Center | July 1, 2020 | Comments, questions and requests may be submitted to the Identity and Access Management Resource Center at dig-comments [at] nist.gov. |
| Updates to SP 800-63-3 Implementation Resources. | Ongoing | This resource is intended to be an ongoing resource for SP 800-63-3 and will be updated periodically. |

SP 800-63-3 Conformance Criteria

Pursuant to Office of Management and Budget Policy Memorandum M-19-17, the Conformance Criteria present non-normative, informational guidance on all requirements and controls contained in NIST Special Publications (SP) 800-63A Enrollment and Identity Proofing and SP 800-63B Authentication and Lifecycle Management for assurance levels IAL2 and IAL3 and AAL2 and AAL3. The complete set of Conformance Criteria are intended to provide non-normative supplemental guidance to federal agencies and other organizations to facilitate implementation and assessment.

Comments or questions on the Conformance Criteria may be sent to dig-comments [at] nist.gov.

| Milestone Activity | Projected FYQ Completion | Notes |
| --- | --- | --- |
| Posting of Conformance Criteria for SP 800-63A at IAL2 and IAL3 and SP 800-63B at AAL2 and AAL3 at the NIST Identity Management Resource Center. | June 2020 | Comments, questions and requests may be submitted to Identity and Access Management Resource Center at dig-comments [at] nist.gov. |
| Updates to SP 800-63A and 800-63B Conformance Criteria. | Ongoing | This resource is intended to be an ongoing resource for SP 800-63-3 and updated periodically. |
| Posting for SP 800-63C Conformance Criteria for all three assurance levels at the NIST Identity and Access Management Resource Center. | April 26, 2021 | Comments, questions and requests may be submitted to the Identity and Access Management Resource Center at dig-comm [at] nist.gov. |

Created January 22, 2020, Updated March 17, 2023