
NIST Releases Overhauled Digital Identity Guidelines to Combat Modern Threats


Revised guidelines move past simple technical requirements, embedding usability and security directly into the risk management process to combat modern threats.


The National Institute of Standards and Technology (NIST) released the fourth revision of its flagship digital identity framework, Special Publication (SP) 800-63, Digital Identity Guidelines, in July, emphasizing usability, security and assurance. The updated guidelines reflect changes in how identity is verified, authenticated and federated across digital systems, according to NIST officials.

“We’ve always tried to emphasize the fact that identity has a lot of different competing capabilities,” NIST Digital Identity Program Lead Ryan Galluzzo told GovCIO Media & Research in an interview. “Whether it’s delivering services securely … or it’s delivering services in a way that people can get access to … there is a need to address security, there’s also a need to address things like fraud prevention, but there’s also a need to make sure that you’re deploying usable solutions.”

Moving from ‘Set and Forget’ to a ‘Team Sport’ Approach

Originally published in 2004 and last revised in 2017, SP 800-63 has long served as the federal government’s cornerstone for digital identity assurance. July’s update embeds the competing security and usability considerations directly into the risk management process, Galluzzo said. Instead of simply providing a list of technical requirements, the guidelines now advocate for a “team sport” approach, requiring a multi-disciplinary group of experts to collaboratively select the identity, authentication and federation assurance levels a service needs.

“We are recommending people implement it [to] make sure that they’re better part of the process and better part of the risk management process from start to finish,” Galluzzo said.

The guidelines also emphasize continuous improvement in digital identity security management for agencies and organizations. Galluzzo noted a move away from a “set and forget” mentality, where an organization might implement a checklist-based compliance system. The new framework, he said, guides organizations to establish metrics for success rates, pass rates and fraud rates, using this data to continuously evaluate and evolve their identity solutions.

“Just being compliant isn’t sufficient. You need to constantly be understanding and evaluating your environment,” Galluzzo added.

Future-Proofing Guidelines to Keep Pace with Tech

The 2017 guidelines were written before technologies like passkeys and user-controlled wallets were in wide use, he said, and the new guidelines provide clear pathways for agencies to adopt these technologies, which offer superior resistance to phishing attacks and a smoother user experience. Each revision, update and addendum is a way to better understand threats to identity management, Galluzzo added.
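The phishing resistance attributed to passkeys above comes from the way a relying party verifies a WebAuthn assertion, not from anything the user does. The following is an added illustration written for this page, not code from NIST or from any agency deployment: it builds constructed clientDataJSON and authenticatorData values the way a browser and authenticator would, then runs the relying-party checks that tie the credential to the genuine site. The domain names, challenge bytes and helper names are assumptions for the example. Signature verification, which covers authenticatorData and the hash of clientDataJSON and is what stops an attacker from rewriting the origin field, is deliberately left out so the block stays self-contained.

```python
import base64
import hashlib
import json

# Constructed values for the example; no real relying party or session.
EXPECTED_RP_ID = "login.agency.example"
EXPECTED_ORIGIN = "https://login.agency.example"
CHALLENGE = b"constructed-random-challenge-32-bytes!!"  # issued by the server per login ceremony


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build the clientDataJSON a browser produces for a login (webauthn.get) ceremony.
    The browser, not the web page, fills in the origin field."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (UP|UV = 0x05) + signCount (4 bytes).
    The authenticator hashes the RP ID the browser passed in, so it names the site actually visited."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion verification procedure.
    A phishing site that relays a captured assertion fails because the origin
    and rpIdHash name the phishing domain, not this one. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # bit 0 = user presence
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Genuine login, a look-alike phishing domain relaying its assertion, and a replayed challenge."""
    legit = verify_assertion(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE),
        make_authenticator_data(EXPECTED_RP_ID), CHALLENGE)
    phish = verify_assertion(
        make_client_data("https://login-agency.example", CHALLENGE),
        make_authenticator_data("login-agency.example"), CHALLENGE)
    replay = verify_assertion(
        make_client_data(EXPECTED_ORIGIN, b"challenge-from-an-earlier-session"),
        make_authenticator_data(EXPECTED_RP_ID), CHALLENGE)
    return {"legit": legit, "phish": phish, "replay": replay}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Compare this with a one-time code: nothing in a six-digit OTP records which site the user typed it into, so the same code works on the phishing page and the real one. Here the browser writes the origin and the authenticator writes the RP ID hash into data the signature covers, so a relayed assertion carries evidence of where it was created.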

“When you’re working in standards development and guidelines development, it can never really adapt as quickly as the actual kind of real-world technologies that you face and threats that you face,” Galluzzo said. “We’re trying to find ways to keep those things updated.”

To combat technology’s fast evolution, Galluzzo said that NIST uses a variety of mechanisms to stay agile and future-proof the guidelines as much as possible. Rather than updating the entire monolithic guideline document every time a new technology or threat emerges, the agency releases supplements and interagency reports. These smaller, more targeted publications allow for a much faster response. Galluzzo cited the SP 800-63B supplement on syncable authenticators, the category that includes passkeys, as a prime example: it enabled agencies to begin exploring the technology long before the full guidelines update was complete.

“We had a lot of folks coming to the table and saying, ‘We’ve got this national strategy for how we implement zero trust. We’re seeing a lot of conversation about things like passkeys and [phishing] resistance,’” Galluzzo said. “[NIST was] able to put out a supplement, which basically took SP 800-63B and said ‘Here’s how you can use it, here’s how you can apply it, here’s how it can be integrated into your system to help improve the way you deliver security.’”

Bolstering Cross-Government Collaboration

The development of the new guidelines was a collaborative effort, Galluzzo said. NIST conducted a robust public comment period that generated thousands of comments from federal agencies and commercial industries, he added. NIST also engaged directly with several key federal agencies, including the Department of Homeland Security (DHS), the Social Security Administration (SSA), the Internal Revenue Service (IRS) and the General Services Administration (GSA) to ensure that the revised final guidelines would support the broad mission sets of the federal enterprise, Galluzzo said.

“We worked pretty closely with our colleagues at DHS S&T, as they were doing their Remote Identity Verification Technology Demonstration program,” Galluzzo said. “They looked at performance or protective presentation attack detection technology, and they have a very robust testing capability that includes resources that we don’t always necessarily have at our disposal. We worked very closely with them as they advanced their research and use it where we could and where it made sense to help inform…metrics as it applies to different aspects of identity technology.”

Preparing for the Next Wave of Digital Identity Threats

Galluzzo added that the next great digital identity challenge may be non-human identities. The rise of sophisticated software agents and agentic resources acting on behalf of humans will require a new set of controls. The concept of multifactor authentication, for instance, is vastly different when applied to a machine versus a person. NIST is already exploring how existing standards like OAuth and OpenID Connect might be adapted, he said, or if new frameworks will be needed to govern the access and authorization rights of these agents.

“We’re going to have to deal with a whole new world, potentially, of things like agentic resources that are now accessing information,” Galluzzo said. “We’re in the process of exploring a project, ideally within the NCCoE, looking at what are the right controls set to be applied to software agents and that are being deployed, particularly on the enterprise side. How do we think about authorization?”

In the present, the new framework reflects the evolving landscape of digital identity management and responds to growing threats such as identity theft, phishing and fraud, Galluzzo said. By adapting to new technologies and threats, the guidelines are keeping agencies ahead of danger, he added.

“We really wanted to make sure we thought about it, both from [the perspective of] how do we solve for some of the emerging threats, but also, how do we integrate those new technologies that might allow for, a more secure and potentially even improved customer experience overall,” Galluzzo said.
