Search Publications

Displaying 26 - 50 of 63

Attribute Considerations for Access Control Systems

June 18, 2019
Author(s)
Chung Tong Hu, David F. Ferraiolo, David Kuhn
Attribute-based access control systems rely upon attributes to not only define access control policy rules but also enforce the access control. Attributes need to be established, issued, stored, and managed under an authority. Attributes shared across

Guide to Attribute Based Access Control (ABAC) Definition and Considerations

February 25, 2019
Author(s)
Chung Tong Hu, David F. Ferraiolo, David R. Kuhn, Adam Schnitzer, Kenneth Sandlin, Robert Miller, Karen Scarfone
[Includes updates as of February 25, 2019] This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by

Access Control for Emerging Distributed Systems

November 1, 2018
Author(s)
Chung Tong Hu, David R. Kuhn, David F. Ferraiolo
As big data, cloud computing, grid computing, and the Internet of Things reshape current data systems and practices, IT experts are keen to harness the power of distributed systems to boost security and prevent fraud. How can these systems' capabilities be

Guidelines for the Use of PIV Credentials in Facility Access

June 29, 2018
Author(s)
Hildegard Ferraiolo, Ketan L. Mehta, Nabil Ghadiali, Jason Mohler, Vincent Johnson, Steven Brady
This recommendation provides a technical guideline to use Personal Identity Verification (PIV) Cards in facility access; enabling federal agencies to operate as government-wide interoperable enterprises. These guidelines cover the risk-based strategy to

Digital Identity Guidelines [including updates as of 12-01-2017]

December 1, 2017
Author(s)
Paul A. Grassi, James L. Fenton, Michael E. Garcia
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. The guidelines cover identity proofing and

Digital Identity Guidelines: Authentication and Lifecycle Management [including updates as of 12-01-2017]

December 1, 2017
Author(s)
Paul A. Grassi, Ray A. Perlner, Elaine M. Newton, Andrew R. Regenscheid, William E. Burr, Justin P. Richer, Naomi B. Lefkovitz, Jamie M. Danker, Mary F. Theofanos
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. These guidelines focus on the authentication of

Digital Identity Guidelines: Enrollment and Identity Proofing Requirements [including updates as of 12-01-2017]

December 1, 2017
Author(s)
Paul A. Grassi, Naomi B. Lefkovitz, James L. Fenton, Jamie M. Danker, Yee-Yin Choong, Kristen Greene, Mary F. Theofanos
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the enrollment and

Digital Identity Guidelines: Federation and Assertions [including updates as of 12-01-2017]

December 1, 2017
Author(s)
Paul A. Grassi, Ellen M. Nadeau, Justin P. Richer, Sarah K. Squire, James L. Fenton, Naomi B. Lefkovitz, Jamie M. Danker
This document and its companion documents, SP 800-63, SP 800-63A, and SP 800-63B, provide technical and procedural guidelines to agencies for the implementation of federated identity systems and for assertions used by federations. This publication

Attribute Based Access Control

November 30, 2017
Author(s)
Chung Tong Hu, David F. Ferraiolo, Ramaswamy Chandramouli, David R. Kuhn
Until now, ABAC research has been documented in hundreds of research papers, but not consolidated in book form. This book explains ABAC's history and model, related standards, verification and assurance, applications, and deployment challenges; Specialized

NIST Guidance on Application Container Security

October 25, 2017
Author(s)
Ramaswamy Chandramouli, Murugiah Souppaya, Karen Scarfone
This bulletin summarizes the information found in NIST SP 800-190, Application Container Security Guide and NISTIR 8176, Security Assurance Requirements for Linux Application Container Deployments. The bulletin offers an overview of application container

Application Container Security Guide

September 25, 2017
Author(s)
Murugiah P. Souppaya, John Morello, Karen Scarfone
Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This

Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines

August 29, 2017
Author(s)
Michael E. Garcia, Paul A. Grassi, Kristina G. Rigopoulos, Larry Feldman, Gregory A. Witte
This bulletin outlines the updates NIST recently made in its four-volume Special Publication (SP) 800-63, Digital Identity Guidelines, which provide agencies with technical guidelines regarding the digital authentication of users to federal networked

Verification and Test Methods for Access Control Policies/Models

June 27, 2017
Author(s)
Chung Tong Hu, David R. Kuhn, Dylan J. Yaga
Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties

Digital Identity Guidelines

June 22, 2017
Author(s)
Paul A. Grassi, Michael E. Garcia, James L. Fenton
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. The guidelines cover identity proofing and

Digital Identity Guidelines: Authentication and Lifecycle Management

June 22, 2017
Author(s)
Paul A. Grassi, Elaine M. Newton, Ray A. Perlner, Andrew R. Regenscheid, William E. Burr, Justin P. Richer, Naomi B. Lefkovitz, Jamie M. Danker, Yee-Yin Choong, Kristen Greene, Mary F. Theofanos
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. These guidelines focus on the authentication of

Digital Identity Guidelines: Enrollment and Identity Proofing Requirements

June 22, 2017
Author(s)
Paul A. Grassi, James L. Fenton, Naomi B. Lefkovitz, Jamie M. Danker, Yee-Yin Choong, Kristen Greene, Mary F. Theofanos
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the enrollment and

Digital Identity Guidelines: Federation and Assertions

June 22, 2017
Author(s)
Paul A. Grassi, Ellen M. Nadeau, Justin P. Richer, Sarah K. Squire, James L. Fenton, Naomi Lefkovitz, Jamie M. Danker, Yee-Yin Choong, Kristen K. Greene
This document and its companion documents, SP 800-63, SP 800-63A, and SP 800-63B, provide technical and procedural guidelines to agencies for the implementation of federated identity systems and for assertions used by federations. This publication

Verification of Resilience Policies that Assist Attribute Based Access Control

March 24, 2017
Author(s)
Chung Tong Hu, Antonios Gouglidis, Jeremy Busby, David Hutchison
Access control offers mechanisms to control and limit the actions or operations that are performed by a user on a set of resources in a system. Many access control models exist that are able to support this basic requirement. One of the properties examined

Resilience and System Level Security

December 20, 2016
Author(s)
Mark L. Badger
One approach for reducing damage caused by software vulnerabilities is to take advantage of emerging systems architecture patterns to strategically improve assurance. Emerging systems architectures embody significant choices about where computation takes

General Methods for Access Control Policy Verification

December 19, 2016
Author(s)
Chung Tong Hu, David R. Kuhn
Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties

Exploring the Next Generation of Access Control Methodologies

November 22, 2016
Author(s)
David Ferraiolo, Larry Feldman, Greg Witte
This bulletin summarizes the information presented in NIST SP 800-178: A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications. The publication describes Extensible Access Control Markup Language (XACML) and Next