NIST Offers New Guidelines on Identity Management

The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework, as we reported in a previous post. Designed to provide a “prioritized, flexible, repeatable, performance-based and cost-effective approach” to managing cybersecurity, the framework has seen broad adoption by organizations worldwide.

NIST issued a draft of version 2.0 in January 2017, incorporating feedback received since the original framework’s publication in February 2014. Version 2.0 offers further guidance on reducing cybersecurity risks, provides tools for cyber supply chain risk management, and clarifies and expands the section on access controls to incorporate identity and access management (IAM) concepts and best practices.

While we applaud NIST’s increased emphasis on IAM in the Cybersecurity Framework, we believe version 2.0 could go further to address the risks associated with digital identities, particularly privileged accounts. Meanwhile, NIST has also been busy updating its “Electronic Authentication Guidelines” to reflect dramatic changes in the industry since the document was last revised in 2013. Also known as Special Publication (SP) 800-63, the document is designed to help government agencies assess and mitigate identity-related risks.

Version 3 of SP 800-63 is now called “Digital Identity Guidelines” and comprises a suite of documents covering identity management from initial risk assessment to deployment of federated identity solutions. SP 800-63-3 provides a general overview, while SP 800-63A, 800-63B and 800-63C drill down into various components of IAM, as follows:

  • Identity proofing. Government agencies are faced with the challenge of proving that the employees, contractors, and citizens who interact with government IT systems over open networks are who they claim to be. Traditionally, agencies have relied on hard evidence such as a driver’s license or other government-issued ID. However, the new guidelines give agencies more flexibility to consider digital evidence when appropriate.
  • Authentication. While the 2013 document emphasized traditional username and password combinations, the new version includes a comprehensive discussion of stronger password requirements and multifactor authentication. NIST has also overhauled the section on user account recovery to discourage challenge questions (e.g., father’s middle name) or one-time passwords sent via email or text message.
  • Federation. Recognizing that users often need to be authenticated across multiple systems and agencies, the new guidelines supply greater detail on how to provide trustworthy identity assertions. They also include a section on enhancing the privacy of users.
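To make the authentication bullet concrete, here is an added example (not code from the post or from NIST) of a memorized-secret acceptance check in the style SP 800-63B describes: a minimum length, a generous maximum, a blocklist of common and context-specific values, and deliberately no composition rules. The blocklist and context words are constructed for the example.

```python
import unicodedata

MIN_LEN = 8   # SP 800-63B: verifiers SHALL require at least 8 characters
MAX_LEN = 64  # SP 800-63B: verifiers SHOULD permit at least 64 characters

# Constructed sample blocklist; a real deployment would load a large list of
# breached, dictionary and context-specific values instead of this handful.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1", "agencyportal"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, context_words=()) -> list[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.

    No composition rules (no 'must contain a digit') and no expiry are
    applied, matching SP 800-63B's guidance on memorized secrets. Spaces and
    any printable character are allowed; length is counted in code points.
    """
    reasons = []
    s = normalize(secret)
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the blocklist")
    # Context-specific words (service name, username) are rejected as
    # substrings, since SP 800-63B also covers derivatives of such words.
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "short1!"):
        print(candidate, "->", check_memorized_secret(candidate) or "accepted")
```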

Traditionally, NIST issues an update to a publication or standard, accepts comments for a prescribed period of time, revises the publication or standard based on those comments, then releases the final version. With SP 800-63-3, however, NIST released the draft document on GitHub and collaborated with stakeholders throughout the summer of 2016. More than 74,000 unique visitors came to the site, and contributors submitted more than 1,400 comments. NIST plans to continue the process by engaging with stakeholders to fine-tune the guidance and share lessons learned.

Like the NIST Cybersecurity Framework, SP 800-63 is aimed at federal agencies but can provide value to organizations of all sizes and in every industry sector. Any organization that is looking to improve its IAM systems and processes will be well-served by reviewing the free guidance offered by the experts at NIST.


For more information about the NIST Cybersecurity Framework, please send us an email at (