Date Published: June 2020
NIST requests review and comments on the four-volume set of documents: Special Publication (SP) 800-63-3 Digital Identity Guidelines, SP 800-63A Enrollment and Identity Proofing, SP 800-63B Authentication and Lifecycle Management, and SP 800-63C Federation and Assertions. This document set presents the controls and technical requirements to meet the digital identity management assurance levels specified in each volume.
The public comment period ends August 10, 2020. Please submit your comments to dig-comments-RFC@nist.gov. See the Note to Reviewers section below for some specific topics about which NIST is seeking your feedback.
In 2004, NIST published the initial version of SP 800-63, Electronic Authentication Guideline. Subsequently, three revisions have been published, and the latest, revision 3, was published in June 2017. Retitled as Digital Identity Guidelines, the document was separated into the current four-volume set (SP 800-63-3, -63A, -63B, and -63C). NIST is requesting comments on the document in response to agency and industry implementations, industry and market innovation, and the current threat environment.
Several recent developments prompt this call for review and comment:
- United States Office of Management and Budget (OMB) Policy Memorandum M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management provides broad policy and direction for federal agencies to enhance identity and access management capabilities for internal and external users. Policy Memo M-19-17 reinforces the direction for federal agencies to implement NIST SP 800-63-3 and specifically directs the Department of Commerce (NIST) to use agency feedback to update the special publication and related guidance.
- The April 2018 update (version 1.1) to the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) refined and expanded the scope of the Identity and Access Control Category to better account for authentication, authorization, and identity proofing, added subcategories for authentication and identity proofing, and retitled the Access Control Category to Identity Management and Access Control (PR.AC) to better represent the scope of the category and corresponding subcategories.
- The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework), published January 2020, is intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. In particular, the Disassociated Processing (CT.DP-P) Category covers outcomes and techniques that could be used for privacy-preserving identity management.
- OMB Policy Memoranda M-20-16, Federal Agency Operational Alignment to Slow the Spread of Coronavirus COVID-19, and M-20-19, Harnessing Technology to Support Mission Continuity, direct federal agencies to replace in-person interactions with online processing and communication to manage citizen service delivery due to circumstances presented by the coronavirus pandemic.
NIST is soliciting public feedback on this Special Publication to identify the areas that industry and government deem most significant for revision. We will review all public comments and make them available on the NIST Identity and Access Management Resource Center (NIST IAM) website.
Note to Reviewers
Reviewers should feel free to comment and suggest changes and enhancements to the text of all four volumes: SP 800-63-3, 800-63A, 800-63B, and 800-63C. This request for review presents several topics for which NIST is requesting federal agency and industry review and comment for potential changes or additions to the current text. Reviewers may respond to any of these topic areas as they choose. There is no requirement to include any of the topic areas in submitted comments.
NIST is particularly interested in comments and recommendations for the following topics:
- Privacy enhancements and considerations for identity proofing, authentication, and federation, including new developments in techniques to limit linkability and observability for federation.
- Continued use of short message service (SMS) and public switched telephone networks (PSTN) as restricted authentication channels for out-of-band authenticators.
- Security and performance capabilities (e.g., presentation attack detection/liveness testing) for biometric characteristic collection to support Identity Assurance Level 2 remote identity proofing in the areas of identity evidence verification (physical/biometric comparison) or binding of authenticators.
- Capabilities and innovative approaches for remote identity proofing that achieve assurance equivalent to in-person identity proofing.
- Security and privacy considerations and performance metrics for the use of behavioral characteristics as an authentication factor.
- Use of dynamic knowledge-based information for identity verification.
- Capabilities to meet Federation Assurance Level 3 (see SP 800-63C FAQ C03).
- Capabilities and security considerations for verifier impersonation resistance (see SP 800-63B FAQ B04).
- Additional controls and mitigation to address the ongoing evolution of threats such as phishing and automated attacks.