IAM Framework

NIST 800-63

Digital Identity Guidelines

United States / Global
Effective: June 22, 2017
Updated: August 21, 2024

Overview

NIST Special Publication 800-63 provides technical requirements for federal agencies implementing digital identity services. It covers identity proofing, authentication, and federation, each graded by its own assurance level: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). While written for federal use, it has become a global reference for digital identity best practices.

IAM Requirements

Identity Proofing (800-63A)

  • IAL1: No identity proofing required
  • IAL2: Remote or in-person identity proofing with evidence validation
  • IAL3: In-person identity proofing with physical verification
  • Document collection, validation, and verification processes

Authentication (800-63B)

  • AAL1: Single-factor authentication
  • AAL2: Two different authentication factors required
  • AAL3: Hardware-based authenticator with verifier impersonation resistance
  • Authenticator lifecycle management
  • Session management requirements

Federation (800-63C)

  • FAL1: Bearer assertion with asymmetric signature
  • FAL2: Bearer assertion with asymmetric signature or encryption
  • FAL3: Holder-of-key assertion with asymmetric signature
  • Assertion format and protocol requirements

Authenticator Types

  • Memorized secrets (passwords)
  • Look-up secrets (recovery codes)
  • Out-of-band devices (SMS, push)
  • Single/Multi-factor OTP devices
  • Single/Multi-factor cryptographic devices

Compliance Checklist

  1. Determine required assurance levels for each application
  2. Select appropriate identity proofing methods
  3. Implement compliant authenticators
  4. Establish credential lifecycle management
  5. Implement session management controls
  6. Deploy federation services where needed
  7. Document identity and authentication policies
  8. Implement privacy protections
  9. Conduct regular assessments
  10. Train staff on digital identity requirements

Penalties for Non-Compliance

Compliance is mandatory for federal agencies. There are no direct penalties for the private sector, but the guidelines are increasingly referenced by other regulations and frameworks.

Quick Facts

  • Region: United States / Global
  • Effective Date: June 22, 2017
  • Enforcing Body: National Institute of Standards and Technology (NIST)
