Revised Guidelines for Digital Identification in Federal Systems

“NIST’s draft revision supports the significant, ongoing governmentwide efforts to ensure the integrity of federal digital identity systems while balancing privacy, equity and accessibility,” said Miller, “including the White House’s Initiative on Identity Theft Prevention and Public Benefits.” The draft guidelines do not address situations wherein a person is accessing a physical location such as a building, though the authors do note that some digital identities may be used in both digital and in-person scenarios.

NIST is accepting comments on the multivolume draft until March 24, 2023. NIST will host a virtual workshop on Jan. 12, 2023, to provide details on the major changes to the guidelines and the comment process. Interested parties can register online to attend. This will be the first step in a robust engagement process to gain feedback from public and private sector organizations, technology and professional services providers, academia, civil society, advocacy groups and many others on how to improve the draft guidance and achieve a more competitive, secure, private and inclusive identity ecosystem. Among several topics that NIST intends to address, a significant portion of the organization’s engagement efforts will be dedicated to exploring emerging and alternative methods of identity verification, including technologies that do not rely upon facial recognition.

As with the previous version (Revision 3) of Digital Identity Guidelines, the draft publication comprises four volumes. The base volume provides the underlying risk management processes. The three subsequent volumes elaborate on what the authors call digital identity’s major aspects — proofing, authentication and federation. Identity proofing establishes that a subject is a specific person. Authentication, in part, determines the validity of the means used to claim a digital identity. Federation allows identity information to be shared across systems in support of authentication.

New additions to the draft include: 

·  An updated section on use of biometric information for identity proofing, including performance and testing requirements;

·  Authentication methods that are more resistant to phishing attacks, which commonly support fraud, identity theft and other contemporary cyberattacks; 

·  An updated set of recommendations on how to share and exchange identity information about a user between different systems, for example when using a previously registered email address to sign into a different website.

The draft describes a process for identifying, assessing and managing digital identity risks that aligns with the NIST Risk Management Framework (RMF). The publication expands upon the RMF by outlining how equity and usability should be incorporated into digital identity risk management. Equity refers to consistent, impartial treatment of all individuals, and the draft revision is intended to expand the guidance and considerations for organizations to manage digital identity systems in ways that work for everyone — in particular those individuals and communities whose needs, capabilities and preferences have not been adequately accounted for in the past. 

NIST requests that respondents download the comments template and email the completed template form to dig-comments@nist.gov before the March 24, 2023, deadline.