

This section is informative.

General References

[A-130] OMB Circular A-130, Managing Federal Information as a Strategic Resource, July 28, 2016, available at:

[COPPA] Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. 6501-6505, 16 CFR Part 312, available at:

[EO13985] Executive Order 13985, Executive Order On Advancing Racial Equity and Support for Underserved Communities Through the Federal Government, January 20, 2021, available at:

[DMF] National Technical Information Service, Social Security Death Master File, available at:

[E-Gov] E-Government Act of 2002 (includes FISMA) (P.L. 107-347), December 2002, available at:

[FBCACP] X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA), Version 2.30, October 5, 2016, available at:

[FBCASUP] FBCA Supplementary Antecedent, In-Person Definition, July 16, 2009.

[FEDRAMP] General Services Administration, Federal Risk and Authorization Management Program, available at:

[GPG45] UK Cabinet Office, Good Practice Guide 45, Identity proofing and verification of an individual, November 3, 2014, available at:

[M-03-22] OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, available at:

[M-04-04] OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003, available at:

[NISTIR8062] NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems, January 2017, available at:

[NIST-Privacy] NIST Privacy Framework, available at:

[NIST-RMF] NIST Risk Management Framework, available at:

[PatriotAct] Patriot Act of 2001, available at:

[PrivacyAct] Privacy Act of 1974 (P.L. 93-579), December 1974, available at:

[RedFlagsRule] 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457, Fair and Accurate Credit Transaction Act of 2003, December 18, 2010, available at:

[Section508] Section 508 Law and Related Laws and Policies (January 30, 2017), available at:


[Canada] Government of Canada, Guideline on Identity Assurance, available at:

[ISO9241-11] International Standards Organization, ISO/IEC 9241-11 Ergonomic requirements for office work with visual display terminals (VDTs) — Part 11: Guidance on usability, March 1998, available at:

[OIDC] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, OpenID Connect Core 1.0 incorporating errata set 1, November 2014, available at:

NIST Special Publications

NIST 800 Series Special Publications are available at: <>. The following publications may be of particular interest to those implementing these guidelines.

[SP800-53] NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, September 2020 (includes updates as of Dec. 10, 2020),

[SP800-63] NIST Special Publication 800-63-4, Digital Identity Guidelines, December 2022,

[SP800-63B] NIST Special Publication 800-63B-4, Digital Identity Guidelines: Authentication and Lifecycle Management, December 2022,

[SP800-63C] NIST Special Publication 800-63C-4, Digital Identity Guidelines: Assertions and Federation, December 2022,

[SP800-157] NIST Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, December 2014,