Let’s get Digital! Updated Digital Identity Guidelines are Here!

Digital Identity Guidelines
Credit: NIST

Today is the day! Digital Identity Guidelines, Revision 4 is finally here... it’s been an exciting journey and NIST is honored to be a part of it.

What can we expect?

Serving as a culmination of a nearly four-year collaborative process that included foundational research, two public drafts, and about 6,000 individual comments from the public, Revision 4 of Special Publication 800-63, Digital Identity Guidelines, intends to respond to the changing digital landscape that has emerged since the last major revision of this suite, published in 2017. 

The guidelines presented in Revision 4 explain the process and technical requirements for meeting digital identity assurance levels for identity proofing, authentication, and federation—including requirements for security and privacy, as well as considerations for improved customer experience of digital identity solutions and technology. The guidelines also establish identity management as a cross-functional process involving professionals representing cybersecurity, privacy, usability, program integrity, mission and business units, and other disciplines. Identity risk management in Revision 4 has continued its evolution towards a “team sport” that can more effectively address the needs of the organization and the individuals it seeks to serve.

Revision 4 also includes many substantial content changes, including:

  • Updates to context setting for risk management, reframed risk management processes, and new expectations for greater cross-functional engagement.
  • New recommended continuous evaluation metrics.
  • Expanded fraud requirements and recommendations for identity proofing processes.
  • Restructured identity proofing controls to better define roles and types of identity proofing.
  • Added controls for addressing injection attacks and forged media (e.g., "deep fakes").
  • Integration of syncable authenticators (e.g., synced passkeys).
  • Representation of subscriber-controlled wallets in the federation model.

And…for those of you looking for it, since we know you are out there, changes to the password composition and rotation expectations are also included in the document. All these changes represent an extensive update from NIST SP 800-63 Revision 3—drawing heavily from real-world lessons and innovations.

These guidelines are ultimately intended to make navigating the digital world more secure and convenient by providing a framework to understand online risks and controls that can better protect our critical online services.

Where will we go from here?

Our journey certainly does not end with Revision 4.

As with previous revisions, implementation resources are already in development, and we are exploring concepts such as machine-readable conformance criteria and a Digital Identity Risk Management tool.

While the comment period has closed, we always welcome engagement, feedback, and questions. Email us: dig-comments [at] nist.gov

About the author

Ryan Galluzzo

Ryan is the Digital Identity Program Lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology (NIST). In this role he coordinates digital identity projects, initiatives, and efforts to advance NIST’s standards & guidance and drive foundational research to promote innovation in digital identity. He has contributed to multiple NIST Special Publications including NIST SP 800-63 Digital Identity Guidelines. Prior to joining NIST, Ryan was a Specialist Leader at Deloitte & Touche where he spent over 10 years providing cybersecurity and identity management subject-matter insights to multiple federal agencies, including the Internal Revenue Service (IRS), the General Services Administration (GSA), and NIST.

Connie LaSalle

Connie LaSalle leads a team of technologists at NIST whose work is dedicated to advancing research and standardization of cybersecurity and privacy practices across the digital ecosystem. Connie previously represented NIST as a bureau liaison to the Department of Commerce, advising senior leaders on strategy and policy options related to the global standards ecosystem, the Nation’s metrology needs, and critical and emerging technologies, such as digital identity, privacy-enhancing technologies, cybersecurity, AI, blockchain, and the intersection of these topics with U.S. economic and national security interests.

Connie brings several years of industry experience with her to NIST, including management of customer success and product development teams; federal IT consulting; and global tech policy work. Her experience also includes federal service, notably leading several cybersecurity and IT modernization initiatives within the White House Office of Management and Budget and serving as the lead policy advisor to the Chief Information Officer of the U.S. Department of Justice.

Andrew Regenscheid

Andrew Regenscheid is a project lead for applied cryptography within the Computer Security Division at NIST. In his 15 years as part of the Cryptographic Technology Group, Andrew has worked to apply cryptographic algorithms and tools to improve the security of computer platforms, communication protocols, and authentication mechanisms. As the technical lead for the Personal Identity Verification standards program, Andrew is responsible for developing identity management standards and technical guidelines for federal government employees and contractors, while also contributing to NIST’s broader portfolio of digital identity guidance as a coauthor of NIST SP 800-63. 
