A Note on progress…NIST’s Digital Identity Guidelines.

5 months ago AndyC

In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4.

In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4. As part of that session, we committed to providing further information on the status of each volume going forward. In fulfillment of this commitment, we wanted to offer a quick update on where we stand.

Our goal remains to have the next version of each volume out by the Spring of 2024. With our gratitude for the robust and substantive engagement we received during the comment period, at this time we would like to announce that all four volumes of Special Publication 800-63-4 will have a second public comment period, which will last at least 45 days.

  • NIST SP 800-63 Base Volume. We are making substantive changes to the volume including updating the digital identity model to account for “Issuer, Holder, Verifier” frameworks of digital identity, new content around continuous evaluation metrics, and updates to the digital identity risk management processes.
  • NIST SP 800-63 A: Identity Proofing and Enrollment. We received over 1,500 comments on this volume alone. Based on this feedback, we are making updates to IAL1 to better balance user burden and security, modifying how we frame the different types of identity proofing, and providing an additional discussion of fraud detection and mitigation approaches.
  • NIST SP 800-63B: Authentication and Lifecycle Management. Updates to this volume largely relate to NIST’s approach to synched authenticators (e.g., passkeys) and account recovery. We are also adding a new authenticator type to account for emerging credential types. While these changes are not overwhelming in their volume, they constitute changes of sufficient substance to warrant a second public review.  
  • NIST SP 800-63C: Federation and Assertions. We will be adding a new section to cover the presentation of Mobile Driving Licenses (mDLs) and verifiable credentials. This section will also provide basic security requirements for “digital wallets” that store and convey documents and identity information. 

To get the full rundown from our August session, you can find the video feed and materials here: Digital Identity What’s Next for NIST? If you have questions or comments about the current Guidelines (Revision 3) or the draft volumes (Revision 4) you can send all inquiries to dig-comments [at] nist.gov (dig-comments[at]nist[dot]gov).

Happy holidays, and be on the lookout for additional updates in the new year (including updates to our Identity Management Roadmap)!

~The Digital Identity Guidelines Team

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two

1 day ago AndyC

Take A Tour! NIST Cybersecurity Framework 2.0: Small Business Quick Start Guide

3 days ago AndyC
Coffee with the Council Podcast: Help Shape the Future of Payment Security as a PCI SSC Participating Organization

Coffee with the Council Podcast: Help Shape the Future of Payment Security as a PCI SSC Participating Organization

4 days ago AndyC
Resource Guide: Earn Continuing Professional Education Credits Through the Council

Resource Guide: Earn Continuing Professional Education Credits Through the Council

1 week ago AndyC

Giving NIST Digital Identity Guidelines a Boost: Supplement for Incorporating Syncable Authenticators

2 weeks ago AndyC
PCI DSS v4: What’s New with Self-Assessment Questionnaires

PCI DSS v4: What’s New with Self-Assessment Questionnaires

1 month ago AndyC

You may have missed

LockBit published data stolen from Simone Veil hospital in Cannes

LockBit published data stolen from Simone Veil hospital in Cannes

4 hours ago AndyC

Friday Squid Blogging: Squid Purses

4 hours ago AndyC
Monash Health data caught up in attack on records digitisation provider

Monash Health data caught up in attack on records digitisation provider

10 hours ago AndyC
Russia-linked APT28 and crooks are still using the Moobot botnet

Russia-linked APT28 and crooks are still using the Moobot botnet

10 hours ago AndyC

My TED Talks – Schneier on Security

10 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.