identity (ktsdesign/Shutterstock.com)

NIST's digital identity deadline approaches

In June 2017, the National Institute of Standards and Technology revised its digital identity implementation guidelines in Special Publication 800-63.  By the end of June 2018, all federal agencies will be required to have legacy systems and applications in compliance with the guidelines, David Temoshok, senior policy advisor for applied cybersecurity at NIST's IT Laboratory, said.

The NIST guidelines break up digital identity management into three sections: enrollment and identity proofing, authentication and life cycle management and federation and assertions.

“Each of the [publications] have different requirements that can be difficult to digest,” Temoshok said in a Jan. 31 Digital Government Institute panel discussion. “Implementation guidance is meant to help federal agencies look at the standards in 800-63 to determine what will work or how to comply.”

After his panel, Temoshok told GCN that NIST is happy to consult directly with agencies to provide guidance on how to meet the requirements.

“We were looking to explain the requirements in 800-63 for generic implementations,” Temoshok said.  “It is unlikely that we will be tailoring the guidance specifically to agency missions and policies.”

The controls outlined in the NIST documents are available on GitHub and the NIST website.  NIST is also answering agency questions regarding the documents through published FAQs.

Temoshok said it is possible that federal agencies will need to release requests for proposals to get industry to help with the requirements in 800-63.

The Jan. 31 discussion on NIST SP 800-63 was part of a larger discussion on federal agency security postures based on a survey conducted by Unisys. The survey of 200 government agency employees found nearly two-thirds of respondents see identity management systems as important to the secure operations of their agencies, but only 20 percent are using biometrics to authenticate identity, and just 30 percent use the principle of least privilege to control access.

“Access has been a root cause of recent security breaches making identity access management critical to improve security,” Dave Glantz, director of research services at Market Connections, said when he presented the survey.

As agencies move into a mobile environment, Glantz said security issues become even harder to solve.  The survey urged agencies to explore more automation and integration to solve these security gaps.

Naomi Lefkovitz, senior privacy policy advisor for NIST’s IT Laboratory, said the 800-63 guidelines were updated to bring the agency’s digital identity guidelines “into the modern age.”

“Our levels of assurance were too rigid, so we needed to break apart the identity and authentication [pieces],” she said.  “We are bringing information for the private sector into the implementation guidance and working on international standards to build trust across the country and globe.”

Paul Grassi, a former senior standards and technology advisor at NIST, encouraged  industry to work with NIST through National Cybersecurity Center of Excellence on ways to improve identity access management.  He said the guidelines are meant to be a “digital management practice statement” to help agencies align with the risk management framework.

Editor's note: This article was changed Feb. 1 to reflect the fact that Paul Grassi no longer works for NIST. 

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group