TIG in action at next week’s Federal Identity Forum, IDESG Plenary

We may have spent more than a year working with you to update major federal guidance – we’re looking at you, Special Publication (SP) 800-63 – but our work is far from complete. Now we’re on to the hard part: supporting agencies as they implement the new SP 800-63 and driving towards global alignment of digital identity standards. Next week at the IDESG Plenary and the Federal Identity Forum, both at the convention center in Washington, D.C., we have a lot in store for NIST and our Trusted Identities Group (TIG) team.

What are we up to?

We are kicking the week off on September 11th with the Identity Ecosystem Steering Group (IDESG) Plenary. The plenary will start with an introduction to the new board of directors, an overview of the new business plan, and development of the upcoming year’s work agenda. In the morning, I’ll provide some remarks on the state of the identity ecosystem. In an afternoon panel, representatives from three TIG pilots will showcase their projects and answer questions: Daon, a graduate of the pilots program; ID.me, a current grant recipient running two different programs; and Hydrant ID, one of our newer pilots moving toward production.

After finishing up the plenary agenda, the IDESG will be hosting a reception featuring tech demonstrations from a number of IDESG members.

We are also participating in the Federal Identity Summit 2017 (FedID), formerly the Global Identity Summit, which relocated to D.C. Be sure to stop by the NIST booth at the FedID Expo to learn more about NIST’s cybersecurity programs!

At FedID, the TIG team will be participating in several panels and sessions:

Wednesday, September 13th:

  • 8:00 AM: panel discussion moderated by NIST’s Kevin Mangold featuring Naomi Lefkovitz, Senior Privacy Policy Advisor for NIST’s Privacy Engineering Program. She’ll highlight the program’s plans for the future along with a glimpse at how the team is working to improve stakeholder collaboration to develop and share more privacy engineering tools.
  • 10:00 AM: I will lead a track on the future of U.S. government identity standards. The White House Office of Management and Budget will discuss its IT modernization approach and forthcoming digital identity policy, and the U.S. Defense Department will talk about how they are implementing the latest edition of SP 800-63.
  • 11:00 AM: Jamie Danker from the Department of Homeland Security and Naomi will hold their session, “Practical Application of Privacy & Civil Liberties.” Attendees will get the scoop on the privacy requirements integrated throughout NIST SP 800-63. With this added privacy guidance, NIST aims to help implementers and privacy programs collaborate on privacy risk management while developing secure digital identity solutions. This session will also cover tools available to aid organizations in conducting privacy risk assessments and share use cases that demonstrate these tools in practice.
  • 3:15 PM: Paul Grassi, NIST’s Senior Standards and Technology Advisor, will then take the stage for a panel on identity standards. During “A Survey of Identity Standards,” panelists will review the many identity standards comprising the infrastructure enabling trusted transactions online. This panel will provide an overview of the building blocks of identity standards, the role they play in creating a trusted identity ecosystem, and a practical application for putting them all together.
  • 4:15 PM: Session on NIST’s international standards alignment efforts: “Going global: How standardizing standards can encourage markets globally.” The GOV.UK Verify Program, Government of Canada, and TIG have been collaborating to compare their national frameworks for identity assurance to create a broad and competitive global market for identity solutions and enable cross-border interoperability of credentials. This session will detail how the three groups are working together on identity standards.

September 14th FedID festivities:

  • 11:00 AM: I will be back on stage leading a discussion on “The economics of high-assurance digital identities.” The Federal Government spends a lot of money on high assurance digital identities, given that every employee at each agency undergoes extensive identity vetting to receive a credential for accessing secure networks. On the constituent side of the equation, it’s a bit more complicated, as we need to ensure delivery of services and benefits to individuals we often never see in person. The session will look at some of the changes that 800-63B makes to existing password guidance that will hopefully make it easier for consumers.
  • 2:25 PM: I’m back at it again on a panel called “un-phishable” authentication at the U.S. Department of Veterans Affairs. You’ll hear about the importance of multi-factor authentication in a well-rounded identity program.

We are looking forward to sharing our successes, learning from you, and seeing you next week.


How will they measure up? RTI awarded to evaluate the class of 2016 state and local pilots!

NIST is the federal government’s measurement agency. While the ultimate goal is innovation and adoption in the market, we need to know that the solutions being deployed present an advance for organizations and individuals alike. Measurement is critical to understanding what solutions work and how effectively we’re spending taxpayer dollars.

Today, we’re announcing the winner of this spring’s competition to assess our 2016 round of pilot projects. Assessments of pilot projects will help us—the identity community—understand the most successful technologies and approaches and improve decision making for anyone looking to invest in identity solutions.

The assessment

Earlier this year, we announced that we wanted to evaluate how well our five 2016 state and local pilots have used digital identity technologies to improve and streamline the delivery of state and local government services.

We issued a notice of funding opportunity seeking an assessment to: understand the benefits of the five piloted solutions for both organizations and end users; enable broader adoption of online credentials for state and local government services; provide recommendations for applying identity solutions; and understand lessons learned to increase the public benefit.

The recipients awarded last year for the class of 2016 state pilots are:

1) Florida Department of Revenue
2) Yubico
3) Ohio Department of Administrative Services
4) Gemalto
5) ID.me

The awardee 

Today we are excited to announce that we have awarded Research Triangle Institute (RTI)—an independent, nonprofit research institute—to conduct the evaluation and help shed light on how successfully public sector programs can adopt similar solutions.

RTI will interact with each pilot team to establish baseline metrics and collect ongoing data during implementation, with different timelines for each pilot. NIST anticipates that RTI will release one report for each project (five in total) and a final report summarizing the lessons learned from the five pilots, which will be issued at the end of the project.

Throughout the grant, RTI will be finding ways to disseminate these findings broadly to reach communities that can benefit from the great work of RTI and the projects’ partners.

RTI’s assessments will help pave the way for NIST to better inform and improve upon broader cybersecurity efforts in the future, and for state and local governments to understand options available for deploying trusted identities across more government services and benefit programs.

Follow us on Twitter!


Return of the Great Zoltan! Our 800-63 FAQs answer life’s most perplexing questions (about digital identity, anyway).

It’s been more than a month since we released Special Publication 800-63: Digital Identity Guidelines, and we have been thrilled by all the positive feedback – we are glad you like it as much as we do! But we’re also fielding a number of questions.

When we started this update to SP 800-63, we promised we’d put stakeholders in more control of the writing and position ourselves to be more hands-on in getting solutions implemented. For the latter, we’ve begun our work on the implementation guides, and today we’re releasing a simple little document to kickstart the continual process of clarifying the document and facilitating all the good work agencies and industry are doing to get digital identity right.

The document included a lot of updates, so it’s only natural that we’ve heard some recurring questions from the community. Realizing many have the same questions, we kept track of these and compiled them in a frequently asked questions (FAQs) page.

We will publish updates to the FAQs as more questions roll in and you’ll always be able to find the current version on GitHub.

More questions? Ask us directly!

You can send all your questions to us via GitHub or email. We will keep track of all the questions we receive and add to the FAQs when we see themes emerge.

When we add a new Q & A, we’ll let you know via Twitter. Again, the most up-to-date document will always be located here.


Mic Drop — Announcing the New Special Publication 800-63 Suite!

Goodbye LOA…Hello IAL, AAL, and FAL (collectively called “xALs”)

More than a year in the making, after a large, cross-industry effort, we are proud to announce that the new Special Publication (SP) 800-63 IS. NOW. FINAL. With your help, Electronic Authentication Guidelines has evolved into Digital Identity Guidelines—a suite of documents covering digital identity from initial risk assessment to deployment of federated identity solutions. Check it out now at https://pages.nist.gov/800-63-3/ or as a PDF at https://doi.org/10.6028/NIST.SP.800-63-3.

There is no way a document this comprehensive could have evolved without the direct input of stakeholders, who contributed consistently throughout the drafting process. This revision to SP 800-63 was our first foray into using GitHub to collaborate with stakeholders for a major document, and it was a great success. The community interacted with us—and each other—throughout the course of the year to develop a better final product.

The community participation resulted in a tremendous response: contributors submitted 1,400+ comments for review, and the web version of the publication drew 74,000+ unique visitors between May 2016 and May 2017.

What’s changed, you ask?

Digital identity in both agencies and the market has changed dramatically since the last revision of this document in 2013.

Gone are the days of levels of assurance (LOAs), replaced by ordinals for individual parts of the digital identity flow, giving implementers more flexibility in their design and operations:

  • Identity Assurance Level (IAL): the identity proofing process and the binding between one or more authenticators and the records pertaining to a specific subscriber
  • Authenticator Assurance Level (AAL): the authentication process, including how additional factors and authentication mechanisms can impact risk mitigation
  • Federation Assurance Level (FAL): the assertion used in a federated environment to communicate authentication and attribute information to a relying party (RP)

The suite that is now SP 800-63 has four parts—and could have more in the future as digital identity evolves. SP 800-63 is the mothership—your starting point for all things digital identity and risk—with SP 800-63A, 800-63B, and 800-63C covering the various components of a digital identity system:

  • SP 800-63-3 (Digital Identity Guidelines) incorporates risk language that agencies have been following from OMB M-04-04 and updates SP 800-63-2, sections 1-4 (see below for more on that)
  • SP 800-63A (Enrollment & Identity Proofing) updates SP 800-63-2, section 5
  • SP 800-63B (Authentication & Lifecycle Management) updates SP 800-63-2, sections 6-8
  • SP 800-63C (Federation & Assertions) updates SP 800-63-2, section 9

More specifics about each volume:

SP 800-63-3 provides identity-specific input that agencies should consider when taking their system through security assessment and authorization. It provides an overview of general identity frameworks; using authenticators, credentials, and assertions together in a digital system; as well as handy “choose your own adventure” (sorry, we’re old) flowcharts to enhance the process of selecting an xAL. In those flowcharts, organizations can perform a risk assessment, answer a set of functional questions, and, based on their responses, be guided to the most appropriate xAL for their system and users.

We understand some of you may read 800-63-3 and wonder if it conflicts with OMB M-04-04. We don’t speak for OMB, but we’ve been working with them and understand that they have been working on a consolidated overarching digital identity policy as part of their effort to simplify existing policy guidance, and that this draft will be out for public comment in the near future.

The inclusion of risk assessment language from 04-04 into 800-63 removes one additional place where agencies need to look for requirements and ensures that the assessment of risk and the available processes and technologies to mitigate that risk are well aligned.

These changes simplify and clarify guidance, better align with commercial markets, promote international interoperability, and focus on outcomes (where possible) to promote innovation and deployment flexibility. Furthermore, removing LOAs and differentiating identity proofing from authentication from federation gives RPs latitude in designing, building, consuming, and procuring identity technology.

Identity proofing

SP 800-63A focuses on arguably the most difficult part of digital identity: strengthening identity proofing while expanding options for remote and in-person proofing. The new guidelines clarify methods for resolving an identity to a single person and enable RPs to evaluate and determine the strength of identity evidence. No longer will agencies be required to ask for “one government-issued ID and a financial account.” The proofing guidance moves away from a static list of acceptable documents and instead describes “characteristics” for the evidence necessary to achieve each IAL. Agencies can now pick the evidence that works best for their stakeholders. In fact, the document no longer differentiates between physical evidence (like a driver’s license) and digital evidence (perhaps a mobile driver’s license or an assertion from another identity provider). You should no longer think “plastic is good” and “digital is bad” for presented evidence; what matters is the process behind the presentation.

SP 800-63A opens the door for a diverse array of proofing options, including virtual in-person (aka “supervised remote”) and trusted referees (e.g., notaries), and offers clearer guidelines on document checking and address confirmation.



On the authentication side, some big changes include:

  • No more…
      • “what is your mother’s maiden name” to authenticate or to recover a lost, stolen, or forgotten credential
      • email as a place to send one-time-passwords (OTPs)
      • plain old SMS to send OTPs, although SMS is allowable with some risk-based and security measures
      • “token” talk – it’s now “authenticator” … we overload terms in identity all the time, so this was an opportunity to change (plus, “token” has other meanings in cybersecurity that have nothing to do with the device used to log in)
  • more options (to include more usable ones) at higher assurance levels
  • closing the holes of account recovery; if you lost your authenticator and have no backups, you’ll need to get reproofed…the risk otherwise is just too high

The new guidelines also enable server-side biometric matching and include a comprehensive set of biometric performance and security requirements. Biometric sensors are common in the devices that so many of us carry with us every day, so we felt we needed to provide guidelines that can prevent unreliable or weak biometric approaches from sneaking their way into federal digital services, while allowing these powerful tools to play a large role in doing digital identity right.


Federation is when the RP and IdP are not a single entity or not under common administration. Federation enables an IdP to proof and authenticate an individual and provide identity assertions that RPs can accept and trust.

We love federation. In fact, we think you should leverage federated services whenever you can. As such, SP 800-63C lays out the details of identity federation and identity assertions to keep implementation of federation on the level. This section expands federation guidelines from previous versions of 800-63, provides greater detail on how assertions should be used, and includes a host of privacy-enhancing requirements that can make federation appealing to users.

What’s next?

But wait, there’s more!

We know the security and privacy requirements of this revision have changed substantially from past versions, but keep in mind we do not intend to drop this document and walk away. While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities.

To that end, we hope this revision can set us on a new path to continually improve digital identity. Rather than waiting until agency and market needs have shifted enough to warrant a revision in any of the volumes—then waiting more than a year to complete a revision—we plan to continue engaging with implementers so we can compile, and share, lessons learned and implementation guidance throughout the life of the current revision.

Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats. We look forward to working with agencies and the private sector to improve these guidelines based on real implementation of digital identity services. Over time, we want them to become even more outcome-based and reliant on proven performance metrics, as well as adaptive to innovations in the market so anyone, public or private, can better serve their users.

For us, the immediate next step is preparing implementation guidance to help agencies deploy solutions that meet SP 800-63’s requirements. The first set will focus on identity proofing, and we will release further guidance over the course of the year.

We’re also drafting SP 800-63D, a relatively simple additional volume detailing efforts to align with international technical specifications for interoperable identity in federations—including SAML profiles and an iGov OpenID Connect/OAuth profile developed in partnership with industry and other governments.

Please stay tuned for the implementation guidance and 800-63D, and we look forward to further collaboration!


REGISTER NOW – Privacy Risk Assessment: Prerequisite for Privacy Risk Management Workshop

We are pleased to announce the next workshop in NIST’s ongoing series on privacy engineering and risk management – Privacy Risk Assessment: A Prerequisite for Privacy Risk Management, to be held in Gaithersburg, Maryland, on June 5, 2017. Registration is open now!

What is this all about? This workshop builds off the introductory concepts from NIST Internal Report 8062 (An Introduction to Privacy Engineering and Risk Management in Federal Systems), intended to establish a common baseline to better understand and communicate privacy risks, as well as to enable effective implementation of privacy principles. Participants will discuss the role of privacy risk models, and what specific guidance and tools are needed for organizations to most effectively do privacy risk assessments as a prerequisite to privacy risk management.

Who should be there? This discussion will help NIST develop a body of privacy risk management guidance that aligns with NIST’s cybersecurity risk management guidance. As such, system design, security, and privacy engineers, security and privacy officers, and security and privacy subject matter experts should attend this interactive workshop. Public and private sector attendees and academics welcome.

Can’t make it? The introductory session will be webcast, and video from the webcast will be archived on the NIST website within a week of the event. Due to the interactive nature of the breakout sessions, they will not be available to remote participants.

Note that feedback is welcome at any time. To provide feedback to NIST on this privacy engineering effort, please send an email to privacyeng@nist.gov.

What are the details? The workshop will be held on NIST’s main campus in Gaithersburg, Md. The current agenda is below – stay tuned for updates on opening session speakers and breakout session topics, coming soon.

  • 7:30-8:30: Registration
  • 8:30-9:25: Opening session
  • 9:30-10:45: Breakout session #1: The relevance and role of risk models in privacy
  • 10:45-11:00: Break
  • 11:00-12:30: Breakout session #2: Necessary guidance and tools for privacy implementation

Please note: Registration closes on May 29, 2017.


A minor plot twist: Comment period extended for PART of SP 800-63-3

By: Paul Grassi and Mike Garcia

Let’s get this out of the way right up front: this is not an early April Fools’ Day prank!

Granted, government blogs aren’t the typical medium for getting emotional. But we (Paul and Mike), and the rest of our incredible team at NIST, have truly been moved by the support, encouragement, and engagement you’ve provided as we embarked simultaneously on this major update to the document and – perhaps even bigger – updating our community engagement process to achieve a better result on this document.

We have received your feedback during the open comment period for draft Special Publication (SP) 800-63-3: Digital Identity Guidelines and can’t thank you enough. While we still have many comments to resolve, the feedback we’ve received has been very positive overall. Thanks to your help, we are very close – and will close the comment period as scheduled. Sort of…

But wait, there’s more!

In consultation with the White House Office of Management and Budget, we developed an approach to include normative guidelines to manage digital identity risk directly into SP 800-63-3. Over the years, many of you have asked for a more consistent approach to risk assessment and associated technical risk mitigation guidance.

The changes in this update made this request even more important. We’re extremely grateful for our collaborative relationship with OMB, which enabled us to respond to you and better serve agency and industry needs.

We believe this change will make digital identity management simpler for agency officials, mission owners, and implementers alike. But – consistent with the approach we’ve taken with this update so far – we need your feedback to know if we got it right. To that end, we are extending the comment period for the 800-63-3 volume only for 30 days, closing on May 1st.

Let’s summarize:

  • We are closing the comment period as scheduled for 800-63A, 800-63B, and 800-63C. Pending comment resolution, we believe these documents are sufficiently stable to finalize.
  • We’re extending the comment period for the parent volume only, SP 800-63-3, until May 1st.
  • Today, we updated the SP 800-63-3 volume on GitHub and in CSRC. The new version is now available and ready for your feedback.
  • We expect to finalize and issue all four volumes together.
  • We will still adjudicate the comments received on SP 800-63-3, though some will no longer apply to the new version. On GitHub, if you’ve already commented or opened any issue, no need to do so again. Once the issue is closed, we encourage you to check the disposition to make sure we didn’t miss something in the version change.
  • If there are flow-down changes into the other volumes, we’ll address them when SP 800-63-3 stabilizes.
  • If something wild happens (not like wild wild…more like identity management standards wild) we’ll assess whether the flow-down changes warrant reopening other volumes, but we don’t anticipate that happening.

And some special notes on the updated version of SP 800-63-3:

  • We ask that you review this document on its merits and do not comment on potential conflicts with existing guidance; we are working with our federal partners to address any such conflicts before finalizing.
  • This volume now contains both normative and informative sections.
  • We’ve incorporated guidelines for supporting the risk assessment process of digital applications.
  • The entire volume is open for comment.

Please check out the updated parent document — and reach out to us if you have questions. You can also submit comments the old-fashioned way, via email. Sorry we’re not accepting comments the old-old fashioned way or the old-old-old fashioned way of fax and post, respectively. Though singing telegrams won’t be turned away.

Follow us on Twitter for updates and reminders to submit feedback on SP 800-63-3, as well as to engage with all our other efforts.


Closing time! You don’t have to go home … but you can still comment on draft SP 800-63-3

Just 15 days remain in the comment period for draft Special Publication (SP) 800-63-3: Digital Identity Guidelines! The document opened for public comment on January 30th and will close on March 31st. Based on the comments we’ve received so far, we don’t expect to extend the deadline, so get to work and submit your comments before closing time!

To see what we covered during our informational 800-63-3 webinar, check out the recording from February 7th (accompanying slides can be found here).


Why now?

The proposed update more closely matches the way digital services are deployed and utilized today. Our aim for SP 800-63-3 is to help agencies mitigate risk by accepting diverse sets of identity proofing and authentication techniques. The revised draft also more closely aligns with the identity standards work occurring across the globe.

Our process and timeline

Since the start of this public comment period, we’ve already adjudicated more than 50 of your comments – the vast majority of which have been clarifications or the addition of helpful definitions. As always, we welcome more of your comments and plan to review and adjudicate them as quickly as we can once the comment period closes. While we aim to publish the final Digital Identity Guidelines document by early summer, we take this process seriously and won’t go final just yet if requirements fundamentally shift based on insightful comments from the community. That said, we don’t feel that the comments we’ve received so far have reached the threshold that warrants extending the comment period or introducing a second comment period…so you should anticipate that, after first opening for comments on GitHub last May, the end of this comment period on March 31st is truly your last chance to weigh in.

How to comment

GitHub is our preferred tool for the submission of comments; you can read the document here and you can contribute here. We also have a PDF version of the draft, and you can submit email comments to dig-comments@nist.gov. Note that we will make all comments publicly available by converting those shared via email to open GitHub “issues” to maintain an open and transparent process.

We appreciate your collaboration, questions, and thoughts – so please keep the comments coming until the end of the month as we work to make 800-63-3 even better…the sooner you can submit them, the better.

If you’re looking for updates on SP 800-63-3 or other Trusted Identities Group activities, please subscribe to our email updates or follow us on Twitter.



Build Trust and Verify: New funding opportunity to assess our state pilots!

Last year we issued five grants so state and local jurisdictions could use digital identity technologies to improve delivery of services.

Now, we want to evaluate how well those pilots have done: we’re issuing a new funding opportunity to quantify the benefits these solutions bring to the organization and end users, share lessons learned, and shed light on how successfully similar solutions can be adopted elsewhere, in public sector programs and services at all levels of government. With so many individuals depending on state and local government services for day-to-day activities, these entities can play a critical role in advancing digital identity for large populations. The findings, discoveries, and lessons learned from this funding opportunity will help pave the way for NIST to better inform and improve upon broader cybersecurity efforts in the future.

“NIST is the federal government’s measurement agency,” notes Trusted Identities Group (TIG) director Mike Garcia. “While our office focuses on innovation and adoption in the market, measurement is critical to understanding what solutions work and how effectively we’re spending taxpayer dollars. Ultimately, we expect that these independent assessments of pilot projects will help us—the identity community—understand the most successful technologies and approaches and improve decision making for anyone looking to invest in identity solutions.”

This latest funding opportunity will have an organization conduct an assessment of our five 2016 state pilots – led by the Florida Department of Revenue, Yubico, Ohio Department of Administrative Services, Gemalto, and ID.me. This will require interacting with each pilot team to establish baseline metrics and collect ongoing data during implementation, with different timelines for each pilot.

We anticipate that the awarded organization will release a report for each pilot and a final report summarizing and comparing the five at the end. Finally, a critical piece of the project will be sharing these reports far and wide, as we remain focused on increasing adoption of these solutions by sharing knowledge and lessons learned.

NIST anticipates funding one award for approximately $750,000 with a project length of three years. To be eligible, applicants may be any U.S.-located non-federal government entity. *However, an applicant will be ineligible if it has been involved in any of the 2016 state pilots.*

Millions of individuals impacted by the 24 TIG pilots through the years

Through 2016, our family of 24 pilot projects has impacted more than 7.4 million individuals. The success of our work is based not just on our direct impact, but also on the network effects and indirect impacts of our work. We’re always looking to extend the reach of these projects to ensure that as many people as possible have access to trusted identity solutions and a seamless online experience. Part of this process is spreading the word so others can see the benefits and learn how to implement these solutions at their own organizations. Enter our new TIG funding opportunity.

For a detailed discussion of this opportunity and the chance to ask questions, register now for our applicants’ conference webinar on March 28, 2017, at 1:00 p.m. Eastern Time.

Quick links:

The deadline to apply is: Tuesday, May 9, 2017, by 11:59 p.m. Eastern Time

Twitter: @NSTICnpo


From public preview to public draft: SP 800-63 is open for comment!

Last summer’s efforts on draft SP 800-63-3: Digital Identity Guidelines paved the way for a lot of positive changes – thanks to all who provided feedback. Today we are excited to announce the next step: the official public draft of SP 800-63-3 is out, open for public comment, and we’re anxiously awaiting more great feedback. The public draft will have a 60-day open comment period, closing on March 31st.





GitHub remains the preferred tool for the public comment period; you can read the document here and you can contribute here. We also have a PDF version of the draft and comments can be submitted via email to dig-comments@nist.gov. Note that we will make all comments publicly available by converting those shared via email to open GitHub “issues” to maintain an open and transparent process.

SP 800-63-3, our first foray into using GitHub for communicating with stakeholders, is a prime example of NIST’s history of engaging the community when developing publications. While in the past NIST and the community co-edited documents, we believe SP 800-63-3 is the first example of co-developing a publication.

We were able to engage the community in near real time to more quickly create a better, more innovative product. During the public preview – which ran from May 8 to September 17, 2016 – we had a tremendous response with at least 3,757 unique visitors to our GitHub repository, with contributors submitting 266 items for our review.

We look forward to hearing from you all with additional comments on the public draft of SP 800-63-3. The document enables federal agencies to accept more diverse sets of authentication and identity-proofing in an effort to improve the ability to mitigate risk. The draft also more closely aligns with the identity standards work occurring across the globe.

All about the webinar

Much has changed in SP 800-63 since revision 2, and we realize not everyone had a chance to review the document over the summer (you can find a full rundown of changes HERE). So, we are hosting an informational webinar to share some of the most significant updates we made to the document, highlight our approach during the public comment period, and most importantly, answer your questions about this significant set of updates.

So, mark your calendars for February 7th at 1:00 PM EST! We look forward to you joining us during this webinar to share more about what’s in the new draft and engage you in the document’s evolution. You can register now HERE.

Note: this webinar will be hosted on ReadyTalk; please arrive early in case you need to download and install anything to participate.

We’ll see you then – and happy commenting!

Twitter: @NSTICnpo


Making Privacy Concrete (Three Words Not Usually Found Together)

By: Sean Brooks, Mike Garcia, Naomi Lefkovitz, Suzanne Lightman, Ellen Nadeau

Most in the IT space won’t know this, but NIST has one of the world’s best concrete engineering programs. Maybe we just have concrete on the mind since a couple of us in the office are doing house renovations, but with today’s publication of the NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems (NISTIR 8062), we are taking a page from the concrete folks’ book with a document that we believe hardens the way we treat privacy, moving us one step closer to making privacy more science than art. NISTIR 8062 introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on federal systems.

There were several reasons for venturing into this territory. Certainly the Office of Management and Budget’s July 2016 update to Circular A-130 gave us a strong impetus, but our ongoing trusted identities pilot program was also a significant earlier driver. The pilots need to demonstrate their alignment with the NSTIC Guiding Principles, but in the first couple of years of the program, grant recipients often had difficulty expressing to us how their solutions aligned with the Privacy Guiding Principle. Even agreeing about the kinds of privacy risks that were of greatest concern in federated identity solutions could drag out over multiple rounds of discussion.

NIST has produced a wealth of guidance on information security risk management (the foundation of which is NIST’s Risk Management Framework), but there is no comparable body of work for privacy. While there are international privacy framework standards that include the need for identifying privacy risk, there are no widely accepted models for doing the actual assessment.

We learned from stakeholders that part of the problem is the absence of a universal vocabulary for talking about the privacy outcomes that organizations want to see in their systems. In information security, organizations understand that they are trying to avoid losses of confidentiality, integrity and availability in their systems. The privacy field has the Fair Information Practice Principles, but as high-level principles they aren’t written in terms that system engineers can easily understand and apply. Oftentimes, privacy policy teams must make ad hoc translations to implement them in specific systems.

To try to bridge this communication gap and produce processes that are repeatable and could lead to measurable results, we began by considering how privacy and information security are related and how they are distinct. The Venn diagram below illustrates how information security operates in the space of unauthorized behavior within the system, whereas privacy can be better described as dealing with the aspects of system processing of personally identifiable information (PII) that is permissible, or authorized. The two fields overlap around security of PII.

[Figure: Security and Privacy Concerns Venn Diagram]

We also reflected on whether having privacy engineering objectives that had some functional equivalency to confidentiality, integrity, and availability could help bridge the gap between privacy principles and their implementation in systems. Here’s what we came up with.

[Figure: Privacy engineering objectives]

Lastly, we developed, and confirmed with stakeholders, a privacy risk model to use in conducting privacy risk assessments. We needed a frame of reference for analysis—a clear outcome—that organizations could understand and identify. In information security, the risk model is based on the likelihood that a system vulnerability could be exploited by a threat, and the impact if that occurs. What is the adverse event, though, when systems are processing data about people in an authorized manner – meaning any life cycle action the system takes with data from collection through disposal? We know that people can experience a variety of problems as a result of data processing, such as psychologically-based problems like embarrassment or more quantifiable problems like identity theft. We think that if organizations could focus on identifying whether there was a likelihood that any given action the system was taking with data could create a problem for individuals, and what the impact would be, this would give them a clearer frame of reference for analyzing their systems and addressing any concerns they discovered.

How did this work out for our pilots? Frankly, it exceeded our expectations. Using this privacy risk model, they could identify new privacy risks, prioritize the risks, communicate them to senior management, and implement controls as appropriate (usually some combination of policy-based and technical controls). Shoutout to the pilots—we greatly appreciate your insights!

NISTIR 8062 is only an introduction to privacy engineering and risk management concepts. In the coming months and years, we will continue our engagement with stakeholders to refine these ideas and develop guidance on how to apply them. One of the properties of concrete that makes it so useful is that you can mold it into just about any shape, but once it sets you know exactly what to expect of its performance. This sort of flexible but consistent performance has long eluded those who care about systems-implementable privacy protections.
