by Sarbari Gupta
Between 2017 and 2023 the world changed dramatically. Technology altered the digital landscape and cybersecurity concerns heightened.
In keeping with its responsibility for developing information security standards and guidelines, the National Institute of Standards and Technology (NIST) deemed it time to revisit its Special Publication (SP) 800-63 “Digital Identity Guidelines,” as it has done several times since the document was first published in June 2004. These guidelines underwent a third revision in 2017, morphing into a four-volume suite. December 2022 marked the issuance of the initial public draft of the fourth revision for public comment.
This SP 800-63-4 update couldn’t be more timely, necessary or thoughtful. Clearly, the technical requirements for federal agencies implementing digital identity services needed revision after nearly six years. Moreover, as comments to a pre-draft of this document highlighted, this iteration needed to advance equity as well as address the topics of optionality and consumer choice, deterrence of fraud and advanced threats, and implementation lessons learned.
It’s noteworthy that NIST is exercising a bit of specificity in regard to the comments it hopes to receive from the public. NIST specifically seeks feedback focusing on Identity Proofing and Enrollment, Risk Management, Authentication and Life Cycle Management, and Federation and Assertions.
Here are just a few specifics on what NIST seeks by topic:
NIST also posits some general questions regarding the perceived need for additional guidance and unclear text, among other concerns. Interested parties can find the initial public draft here. The full text on all five comment request areas can be found in the section titled “Note to Reviewers.” NIST was quick to extend its request for comments to all four draft volumes of the suite.
NIST asks that all comments be submitted to digcomments@nist.gov by 11:59 pm ET on March 24, 2023. Notably, after NIST review, all comments will be available on the NIST Identity and Access Management website.
# # #
The development of the initial public draft was an intensive undertaking. The contents reflect the cumulative effort of all those who have worked on NIST SP 800-63 iterations in the past as well as the eight collaborators, including me and my colleague Diana Proud-Madruga, who contributed to the current revision. I’m proud to have participated in the effort and pleased with what we achieved.