GAITHERSBURG, Md. — The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has drafted updated guidelines to help the nation combat fraud and cybercrime while fostering equity and preserving fundamental human rights. The guidelines support risk-informed management of people’s personas online — their “digital identities” — often required to engage in everyday digital transactions from banking to ordering groceries.
“These guidelines are intended to help organizations manage risks related to digital identity and get the right services to the right people while preventing fraud, preserving privacy, fostering equity and delivering high-quality, usable services to all,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “We are actively seeking feedback not only from technical specialists, but also from advocacy and community engagement groups that have insight into the potential impacts these technologies can have on members of underserved communities and marginalized groups.”
Comments on this draft publication are due by March 24, 2023. To submit comments, download the comments template and email the completed form to dig-comments [at] nist.gov.
“The updated draft guidelines released today play a critical role in supporting the administration’s governmentwide efforts to strengthen identity verification for government systems used by the American public while balancing privacy, equity and accessibility. Identity verification is a front door to federal services and benefits, and it should provide security assurance while enabling access for intended beneficiaries, particularly those from underserved communities and marginalized groups,” said Jason Miller, deputy director for management at the Office of Management and Budget. “This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines.”
The draft publication, formally titled Digital Identity Guidelines (NIST Special Publication 800-63 Revision 4), covers technical requirements for establishing and authenticating digital representations of real-life people — such as employees of a government contractor or members of the general public. The draft guidelines aim to help organizations manage risks associated with digital interactions while making it easier for individuals to use digital identities successfully, including when applying for government services. They also include privacy requirements and offer considerations for fostering equity and the usability of digital identity solutions, as well as their supporting technologies and processes, placing the risks faced by individuals accessing services alongside risks to the organizations that operate those services.
“NIST’s draft revision supports the significant, ongoing governmentwide efforts to ensure the integrity of federal digital identity systems while balancing privacy, equity and accessibility,” said Miller, “including the White House’s Initiative on Identity Theft Prevention and Public Benefits.”

The draft guidelines do not address situations wherein a person is accessing a physical location such as a building, though the authors do note that some digital identities may be used in both digital and in-person scenarios.
NIST is accepting comments on the multivolume draft until March 24, 2023. NIST will host a virtual workshop on Jan. 12, 2023, to provide details on the major changes to the guidelines and the comment process. Interested parties can register online to attend. This will be the first step in a robust engagement process to gain feedback from public and private sector organizations, technology and professional services providers, academia, civil society, advocacy groups and many others on how to improve the draft guidance and achieve a more competitive, secure, private and inclusive identity ecosystem. Among several topics that NIST intends to address, a significant portion of the organization’s engagement efforts will be dedicated to exploring emerging and alternative methods of identity verification, including technologies that do not rely upon facial recognition.
As with the previous version (Revision 3) of Digital Identity Guidelines, the draft publication comprises four volumes. The base volume provides the underlying risk management processes. The three subsequent volumes elaborate on what the authors call digital identity’s major aspects — proofing, authentication and federation. Identity proofing establishes that a subject is a specific person. Authentication, in part, determines whether the means used to claim a digital identity are valid. Federation allows identity information to be shared across systems in support of authentication.
New additions to the draft include:
- An updated section on use of biometric information for identity proofing, including performance and testing requirements;
- Authentication methods that are more resistant to phishing attacks, which commonly support fraud, identity theft and other contemporary cyberattacks; and
- An updated set of recommendations on how to share and exchange identity information about a user between different systems, for example when using a previously registered email address to sign into a different website.
The draft describes a process for identifying, assessing and managing digital identity risks that aligns with the NIST Risk Management Framework (RMF). The publication expands upon the RMF by outlining how equity and usability should be incorporated into digital identity risk management. Equity refers to consistent, impartial treatment of all individuals, and the draft revision is intended to expand the guidance and considerations for organizations to manage digital identity systems in ways that work for everyone — in particular those individuals and communities whose needs, capabilities and preferences have not been adequately accounted for in the past.
NIST requests that respondents download the comments template and email the completed template form to dig-comments [at] nist.gov before the March 24, 2023, deadline. NIST will review all comments and make them publicly available on the NIST Identity and Access Management Resource Center (NIST IAM).