Roadmap: NIST Special Publication 800-63-3 Digital Identity Guidelines

Special Publication 800-63 Revision 4

NIST Special Publication (SP) 800-63-3 Digital Identity Guidelines was published in June 2017, and federal agencies and industry have now had over 2 years of experience in assimilating, adopting and implementing the controls and requirements of the 4-volume set – SP 800-63-3, SP 800-63A Enrollment and Identity Proofing, SP 800-63B Authentication and Lifecycle Management, and SP 800-63C Federation and Assertions. SP 800-63-3 represented a major change from the previous version of these guidelines (SP 800-63-2) and advanced new approaches for componentization, assurance levels, authenticators, federation, and privacy considerations. There has been widespread interest, analysis and adoption by industry and international standards organizations of SP 800-63-3 for its concepts, guidance, control requirements, and risk-based approach to identity management. Further, agency and industry experience in implementation of the guidelines has resulted in identifying aspects of the guidelines that would be enhanced through additional guidance and issues that have proven to be challenging for implementers. NIST has been collecting questions and issues identified by agencies and industry. When answers to questions are developed, they are posted on a Frequently Asked Questions (FAQ) page found at https://pages.nist.gov/800-63-FAQ/ while open issues are captured at https://github.com/usnistgov/800-63-3/issues. NIST continues to invite submissions to both of these forums.

OMB Policy Memo M-19-17 assigned the Department of Commerce the responsibility to use agency feedback to enhance SP 800-63-3. This presents the opportunity to open SP 800-63-3 to a broader review and issues discussion. NIST issued a formal request for review and comment on the current four-volume set for SP 800-63-3 on June 8, 2020. The comment period will remain open until August 10, 2020. Comments may be submitted to: dig-comments-RFC@nist.gov

 

| Milestone Activity | Projected FYQ Completion | Notes |
| --- | --- | --- |
| Publication of Errata (2nd set) for SP 800-63-3. | Published 3/02/2020 | Errata publication provided editorial corrections to SP 800-63-3 text. |
| Publication of Request for Comments for revisions to SP 800-63-3. | 6/08/2020 | 60-day public comment period. Comment period will remain open until August 10, 2020. |
| Comment analysis and issues posting to GitHub. | FY 2020 Q4 – 2021 Q1 | |
| Issues discussion on GitHub | FY 2021 Q2-3 | |
| NIST workshop of SP 800-63-4 issues. | FY 2021 Q1-2 | As needed. |
| Public preview draft SP 800-63-4 | FY 2021 Q3 | As needed. Timeframe for draft and final Revision 4 would be accelerated if preview draft step is not needed. |
| Public preview draft comment analysis and issues posting and discussion on GitHub. | FY 2021 Q4 | As needed. |
| Publication of draft SP 800-63-4. | FY 2022 Q1 | |
| Publication of final SP 800-63-4. | FY 2022 Q3 | Milestones and projected timeframes based on actual schedule for SP 800-63-3 revision. |

SP 800-63-3 Implementation Resources

NIST Special Publication 800-63-3, Digital Identity Guidelines, is an umbrella publication that introduces the digital identity model described in the SP 800-63-3 document suite. It frames identity guidelines in three major areas:

  • Enrollment and identity proofing (SP 800-63A),
  • Authentication and lifecycle management (SP 800-63B),
  • Federation and assertions (SP 800-63C).

In addition to introducing detailed guidelines in these areas, SP 800-63-3 addresses the factors involved in choosing the appropriate Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL) for a given application.

These implementation resources are provided pursuant to OMB Policy Memorandum M-19-17. While these resources reference normative guidelines in the SP 800-63-3 document suite and other documents, these resources are intended as informative implementation guidance and are not normative. These implementation resources provide guidance for SP 800-63-3 in three parts: Part A addresses SP 800-63A, Part B addresses SP 800-63B, and Part C addresses SP 800-63C.

Comments on these resources are welcomed and can be submitted via email to dig-comments@nist.gov.

 

| Milestone Activity | Projected FYQ Completion | Notes |
| --- | --- | --- |
| Implementation resources posted for SP 800-63A, SP 800-63B, and SP 800-63C at the NIST Identity and Access Management Resource Center | July 1, 2020 | Comments, questions and requests may be submitted to the Identity and Access Management Resource Center at dig-comments@nist.gov. |
| Updates to SP 800-63-3 Implementation Resources. | Ongoing | This resource is intended to be an ongoing resource for SP 800-63-3 and will be updated periodically. |

SP 800-63-3 Conformance Criteria

Pursuant to Office of Management and Budget Policy Memorandum M-19-17, the Conformance Criteria present non-normative, informational guidance on all requirements and controls contained in NIST Special Publications (SP) 800-63A Enrollment and Identity Proofing and SP 800-63B Authentication and Lifecycle Management for assurance levels IAL2 and IAL3 and AAL2 and AAL3. The complete set of Conformance Criteria is intended to provide non-normative supplemental guidance to federal agencies and other organizations to facilitate implementation and assessment.

Comments or questions on the Conformance Criteria may be sent to dig-comments@nist.gov.

 

| Milestone Activity | Projected FYQ Completion | Notes |
| --- | --- | --- |
| Posting of Conformance Criteria for SP 800-63A at IAL2 and IAL3 and SP 800-63B at AAL2 and AAL3 at the NIST Identity Management Resource Center. | June 2020 | Comments, questions and requests may be submitted to Identity and Access Management Resource Center at dig-comments@nist.gov. |
| Updates to SP 800-63A and 800-63B Conformance Criteria. | Ongoing | This resource is intended to be an ongoing resource for SP 800-63-3 and updated periodically. |
| Posting for SP 800-63C Conformance Criteria for all three assurance levels at the NIST Identity and Access Management Resource Center. | FY 2021 Q1 | Comments, questions and requests may be submitted to the Identity and Access Management Resource Center at dig-comm@nist.gov. |

 

Created January 22, 2020, Updated October 23, 2020