Welcome to the NIST SP 800-63-3 Public Draft!
The work represented here is reflective of what NIST has learned about industry innovation, new threats, and an evolving landscape of federal digital services. We have heard and learned so much from this summer’s public preview phase, past public comment periods, public workshops, and feedback from NIST’s ongoing work such as NSTIC pilots and NCCoE industry collaborations.
A quick summary
We know that many of you visited and commented during the public preview, but for those that missed it, here’s a quick list of the biggest changes we’ve made since Rev 2, but you’ll need to dig into the documents (yes, documentS) too:
|All Documents||1. Decoupled LOA into its component parts
2. Included privacy requirements
3. Included usability considerations
|SP 800-63A||1. Overhauled allowable identity proofing processes
2. Expanded options for in-person proofing
|SP 800-63B||1. Revamped password guidance
2. Removed insecure authenticators (aka tokens)
3. Expanded allowable use of biometrics
|SP 800-63C||1. Added new federation requirements and recommendations
2. Removed cookies as an assertion type
3. Modernized examples
And, thanks to the feedback we received during the public preview, we also introduced the following changes:
|All Documents||Renamed SP 800-63 to “Digitial Identity Guidelines”|
|SP 800-63-3||Provided decision trees to assist agencies in the selection of assurance levels|
|SP 800-63A||Included guidance for digital identity evidence to be supplied to prove physical identity|
|SP 800-63B||1. Added Verifier Compromise Resistance (i.e., is my secret safe?)
2. Added Authentication Intent (i.e., it really was me, not malware, attempting to authenticate)
3. Refined biometrics requirements
4. Clarified and improved requirements and limitations of SMS-based OTP
|SP 800-63C||Reduced Federation Assurance Levels from 4 to 3|
Ok, “Why GitHub?” you ask. GitHub has been a mainstay of the development and standards communities for many years now, serving as a space for collaborative interaction, the primary medium for evolving open source software, and an essential component in most coders’ toolkits. It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.
Second, as a platform, GitHub has many unique characteristics that make it attractive as a place to develop this special publication. From its ability to support broad engagement, to excellent version control, and multiple avenues for collecting and receiving input, GitHub is a robust forum suited for drafting the 800-63-3 suite.
Overall, NIST believes GitHub is the right tool for the job. Agencies, the private sector, other organizatoins, and individuals are STRONGLY encouraged to collaborate with the team and other public participants via GitHub issues. See this page for details on how to submit a comment to us. We want collaboration to occur in the open to the greatest extent possible. While we appreciate and will accept email, comment matrices, and general feedback during this phase, we prefer specific recommendations through GitHub on how we can improve the product. We thank you in advance for your efforts to keep this process streamlined for the editors.
That said, our use of GitHub is additive to the existing open and transparent process that NIST already follows. If you don’t have access to GitHub, or just don’t want to use it, fear not. We will maintain our tradition of offering PDF versions, a comment matrix, and email-based comments - see this page for more details. However, GitHub remains where we will do our work, so any comments sent to our email address will be posted online with organizational attribution. This allows us to manage the documents in a single place and remain transparent with the entire community.
So have at it! We’re really excited about the changes we’ve made and we hope you will be too!
Source information, current standards, and public comments received through May 2015 can be found here.
You can find links to each volume of draft SP 800-63-3 below.