
NIST’s Latest Guidance Bolsters Identity Management

NIST is advancing zero trust and identity management with new guidance on cybersecurity, authentication and digital identity.

Entrance of the Gaithersburg Campus of National Institute of Standards and Technology (NIST), a Physical sciences lab complex under U.S. Department of Commerce, January 30, 2021. Photo Credit: grandbrothers/Shutterstock.com

The National Institute of Standards & Technology (NIST) is building on its guidance for zero trust and identity, credential and access management (ICAM) to support the federal government’s next stage of cybersecurity.

Guide for Implementing a Zero Trust Architecture

At the end of last year, the agency publicly released the initial draft of the practice guide, Implementing a Zero Trust Architecture, for comment. This latest document outlined best practices from the National Cybersecurity Center of Excellence (NCCoE), which worked with 24 vendors to demonstrate end-to-end zero trust architecture.

“The NCCoE and its collaborators have used commercially available technology in lab environments to build 19 interoperable, open standards-based ZTA implementations that align to the concepts and principles in NIST SP 800-207, Zero Trust Architecture,” according to the document. “The implementations include ZTA approaches for enhanced identity governance, software-defined perimeter, microsegmentation and secure access service edge.”

According to Alper Kerman, cybersecurity engineer and project manager at NCCoE, the guidance outlines the technical information for each sample implementation and serves as a resource for technology implementers by providing models they can replicate. Agencies will save time and money in the future by applying lessons learned from the implementations. 

“In it, we describe how we utilized ICAM capabilities throughout the 19 example lab implementations that we built,” Kerman told GovCIO Media & Research.

Digital Identity Guidelines

Last summer, NIST updated its draft Digital Identity Guidelines following a four-month-long comment period and yearlong external engagement period.

NIST Digital Identity Program Lead Ryan Galluzzo said there are four volumes of the agency’s Special Publication 800-63-4. The first volume covers identity risk management. The second, Volume A, covers identity proofing and verification, that is, how you prove an identity. Volume B covers authentication, and Volume C covers federation.

The updated guidance primarily aims to enhance privacy and accessibility throughout the identity-proofing process for individuals seeking government services. Galluzzo said the draft version of the guidelines also lays out requirements for phishing-resistant authentication and next steps to improve the guidance.

“We’re more interested in the establishment of an identity, how you authenticate that identity on an ongoing basis and how to effectively convey in a secure manner information about who that identity is,” said Galluzzo at an industry event in Washington, D.C. “Our guidance, the digital identity guidelines, covers everything from public facing access, to public service systems, to back-end access, to higher risk applications like your admin side.”

NIST is working to include additional types of authenticators, such as passkeys and platform-based authenticators. These are embedded within devices and enable cryptographic authentication, which can then be seamlessly integrated into web applications. The agency aims to establish appropriate policies to secure and manage these emerging tools.
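What makes the passkey model described above phishing resistant is that the browser, not the user, binds the site's origin into the data the device signs, so a relying party can reject a signature that was produced at a look-alike site, and a single-use challenge keeps a captured assertion from being replayed. The Go program below is an added illustration, not code from NIST or from the article: it models a simplified WebAuthn-style exchange between a device-held P-256 key and a web application. The relying party identifier agency.example, its origin, and the look-alike origin agency-example.login-help.test are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is a simplified form of what a browser hands to a platform authenticator: the
// relying party's challenge plus the origin the browser itself observed.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest follows the WebAuthn layout SHA-256(rpID) || SHA-256(clientDataJSON), hashed once more.
func signedDigest(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return digest[:]
}

// DeviceSign plays the passkey: key is the device-bound private key created for rpID, and
// observedOrigin is filled in by the browser, never typed by the user.
func DeviceSign(key *ecdsa.PrivateKey, rpID, challenge, observedOrigin string) ([]byte, []byte, error) {
	cd, err := json.Marshal(ClientData{Challenge: challenge, Origin: observedOrigin})
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(rpID, cd))
	return cd, sig, err
}

// RelyingParty is the web application: it knows its own origin and tracks challenges it issued.
type RelyingParty struct {
	RPID, Origin string
	issued       map[string]bool
}

// NewChallenge issues a fresh random single-use challenge.
func (rp *RelyingParty) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", buf)
	rp.issued[c] = true
	return c, nil
}

// Verify accepts an assertion only if origin, unused challenge and signature all check out.
func (rp *RelyingParty) Verify(pub *ecdsa.PublicKey, clientDataJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin { // the phishing-resistance check: a look-alike site fails here
		return fmt.Errorf("origin mismatch: got %q, want %q", cd.Origin, rp.Origin)
	}
	if !rp.issued[cd.Challenge] {
		return fmt.Errorf("unknown or already-used challenge")
	}
	delete(rp.issued, cd.Challenge) // consume it: a captured assertion cannot be replayed
	if !ecdsa.VerifyASN1(pub, signedDigest(rp.RPID, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Login enrolls a passkey with a constructed relying party and performs one login in which the
// browser reports observedOrigin. With replay set, the same assertion is submitted twice.
func Login(observedOrigin string, replay bool) error {
	rp := &RelyingParty{RPID: "agency.example", Origin: "https://agency.example", issued: map[string]bool{}}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrollment: key stays on the device
	if err != nil {
		return err
	}
	challenge, err := rp.NewChallenge()
	if err != nil {
		return err
	}
	cd, sig, err := DeviceSign(key, rp.RPID, challenge, observedOrigin)
	if err != nil {
		return err
	}
	if err := rp.Verify(&key.PublicKey, cd, sig); err != nil || !replay {
		return err
	}
	return rp.Verify(&key.PublicKey, cd, sig)
}

func main() {
	fmt.Println("genuine:", Login("https://agency.example", false))
	fmt.Println("look-alike origin:", Login("https://agency-example.login-help.test", false))
	fmt.Println("replay:", Login("https://agency.example", true))
}
```

Only the first call succeeds: the look-alike origin is rejected before the signature is even examined, and the replayed assertion fails because its challenge was consumed on first use. In a real deployment the origin and relying-party-ID comparison and the challenge bookkeeping are the server-side controls that turn a cryptographic authenticator into a phishing-resistant one.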

“We’re looking at things like syncable authenticators. How can we go get devices? How can we build out a representative identity and access management system that looks like a federal agency?” said Galluzzo. “Then how can we deploy mobile device management software to those devices to be able to help us manage things like syncable authenticators, or things like derived authenticators in a way that allows us to take advantage of their usability features but does not compromise security.”

Galluzzo said NIST wants to replicate the issues federal agencies face and experiment with new technology solutions to inform how the agency can improve its guidance moving forward.

Personal Identity Verification Guidance

NIST is updating its entire suite of personal identity verification (PIV) guidance. Federal employees and contractors primarily use PIVs as credentials to enforce authentication and access controls for zero-trust models in government.

NIST SP 800-217, guidelines for Personal Identity Verification (PIV) Federation, and NIST SP 800-157-1, guidelines for Derived PIV Credentials, released in November 2024, provide tailored guidance for applying federation controls and alternative authenticators to PIV scenarios.

“We are also finalizing NISTIR 8480 Attribute Validation Services for Identity Management: Architecture, Security, Privacy and Operational Considerations,” Galluzzo told GovCIO Media & Research. “This draft report delves into the architecture, security, privacy and operational considerations surrounding attribute validation services (AVS), offering considerations for government agencies seeking to implement these critical services. AVS can be used to validate specific attributes for access control or identity-proofing scenarios.”

Preparing for the Future Cyber Landscape

NIST is looking to the future technology landscape and developing guidance to secure federal agencies as quantum and artificial intelligence evolve.

Government is bracing for “Q-Day,” when quantum technology will become so advanced that it can crack current encryption methods and threaten the information systems that make up the nation’s digital services and critical infrastructure across sectors. NIST released new quantum standards last year, marking a milestone in the government’s effort to migrate systems to post-quantum cryptography.

Galluzzo told GovCIO Media & Research that he’s seen challenges around ICAM as it relates to post-quantum cryptography — in particular, transitioning authentication mechanisms to upgraded algorithms while not losing backward compatibility needed to support legacy applications and services.

NIST has also been monitoring the evolution of generative AI and deepfakes, which have been used to target identity proofing, Galluzzo added.

“Such attacks, if not detected, can undermine confidence in the issuance and use of authenticators and degrade the ability to detect and prevent identity-based attacks,” said Galluzzo. “Ongoing threats such as phishing of authenticators and — in particular — assertion [or] token theft and forgery. These have been actively exploited to conduct both high scale and highly targeted attacks on U.S. infrastructure.”

NIST has several ICAM initiatives on the horizon, like advancing verifiable digital credentials (VDC).

“Take any physical credential you use in everyday life — your driver’s license, your medical insurance card, a certification or diploma — and turn it into a digital format stored on your smartphone that can be presented and cryptographically verified either online or in person. That’s a verifiable digital credential,” Galluzzo and Bill Fisher, security engineer at NIST’s NCCoE, wrote in a 2024 NIST article.

While VDC is still nascent, NIST is accelerating the adoption of mobile driver’s license standards. Galluzzo said these efforts will eventually move from an initial focus on protecting financial services to government applications and health care services. There is still a lot to learn about how these concepts will fit into existing and emerging online services.

“We are in the process of standing up a lab focused on testing emerging authentication and federation technologies, with a specific emphasis on scaling phishing resistant authenticators such as passkeys and improving our ability to federate PIVs across agencies and organizations,” said Galluzzo. “These, combined with our efforts to complete the Digital Identity Guidelines and the PIV materials, remain the crux of our efforts.”
