Introduction to NIST SP 800-63 (Digital Identity Guidelines)
NIST Special Publication 800-63, the Digital Identity Guidelines, is the United States federal reference standard for how organisations prove who a person is online (identity proofing), how they authenticate that person on return visits (authentication), and how identity assertions are conveyed between systems in a federation. Although issued by the National Institute of Standards and Technology (NIST) for use by US federal agencies under OMB Circular A-130 and OMB Memorandum M-19-17, it has become the de facto global benchmark for digital identity assurance, cited by banks, healthcare providers, government service portals, and technology platforms far beyond the US public sector.
The publication is a suite, not a single document. The parent document SP 800-63 sets the overall model, while three volumes decompose the problem into orthogonal assurance dimensions: SP 800-63A (Enrolment and Identity Proofing), SP 800-63B (Authentication and Authenticator Management), and SP 800-63C (Federation and Assertions). A crucial break from earlier thinking is that these assurance levels are decoupled: an organisation selects an Identity Assurance Level (IAL), an Authenticator Assurance Level (AAL), and a Federation Assurance Level (FAL) independently, based on a risk assessment of each digital service, rather than lumping everything under one monolithic Level of Assurance (LOA) as the retired SP 800-63-2 did.
This guide is written for two audiences at once. For the auditor or assessor, it enumerates every requirement family, the assurance-level ladder, and the specific evidence that demonstrates conformance. For the implementer, product owner, and identity engineer, it explains the design consequences of each level so that IAL, AAL, and FAL choices can be baked into architecture rather than bolted on before an audit. This guide reflects the third revision, SP 800-63-3, as the widely deployed baseline while noting the material changes introduced by the fourth revision, SP 800-63-4.
Copyright and source note
NIST SP 800-63 and its constituent volumes (A/B/C) are publications of the US National Institute of Standards and Technology. As US Government works they are in the public domain in the United States; nevertheless, all normative text, requirement identifiers, and level definitions are the intellectual product of NIST. This CyberSigma guide is original explanatory and audit-oriented commentary. It paraphrases and interprets the standard for assessment purposes and does not reproduce NIST's normative text verbatim. Always work from the authoritative source at pages.nist.gov/800-63-3 (or the current -4 release) for the controlling requirements.
What is NIST SP 800-63
NIST SP 800-63 defines a risk-based framework for digital identity. Its core proposition is that an organisation should not simply demand the strongest possible identity checks and authentication for every service; instead it should assess the harm that would result from an identity error and then select the minimum assurance necessary to keep residual risk acceptable. Over-collecting identity data or forcing excessive authentication friction is treated as a real cost and, in the -4 revision, an explicit privacy and equity risk.
The standard separates identity into three lifecycle problems and gives each its own volume and its own assurance ladder:
- Identity Assurance Level (IAL), governed by SP 800-63A: how confident are we that a real-world person is who they claim to be? Ranges from IAL1 (self-asserted, no proofing) to IAL2 (remote or in-person proofing of validated evidence) to IAL3 (in-person or supervised remote proofing with biometric binding).
- Authenticator Assurance Level (AAL), governed by SP 800-63B: how confident are we that the person returning is the same person who enrolled? Ranges from AAL1 (single factor permitted) to AAL2 (two-factor, approved cryptography) to AAL3 (hardware-based, phishing-resistant, verifier impersonation resistant).
- Federation Assurance Level (FAL), governed by SP 800-63C: how strong is the assertion protocol when a Credential Service Provider (CSP) or Identity Provider (IdP) passes an authenticated identity to a Relying Party (RP)? Ranges from FAL1 (bearer assertion, signed) to FAL2 (encrypted/injected assertion) to FAL3 (assertion bound to a holder-of-key authenticator).
The framework also introduces defined actors: the Applicant (person undergoing proofing), the Subscriber (enrolled person), the Credential Service Provider (CSP, which proofs, issues, and manages authenticators), the Verifier (which checks authenticators), the Identity Provider (IdP), and the Relying Party (RP, the service consuming the identity). Clear separation of these roles is itself an assessment concern because a poorly bounded CSP/RP split undermines federation assurance.
SP 800-63-4 (the fourth revision) extends this model with mandatory continuous evaluation of fraud, equity and usability; a stronger treatment of syncable authenticators (passkeys); explicit support for digital evidence and mobile driving licences; and a requirement for a documented Digital Identity Acceptance Statement. Where a control differs between -3 and -4 this guide flags it.
Who must comply with NIST SP 800-63
Compliance is mandatory for some organisations and strongly advisable for many others. The following table summarises applicability.
| Organisation type | Basis of obligation | Practical driver |
|---|
| US federal executive-branch agencies | OMB Circular A-130 and M-19-17 make SP 800-63 binding | Agency ATO (Authorisation to Operate) and FISMA compliance depend on it |
| Contractors and cloud providers serving US agencies | Flow-down via FedRAMP and FAR/DFARS clauses | Login.gov, ID.me and CSPs must map to IAL/AAL/FAL |
| State and local government digital services | Frequently adopt 800-63 by policy or grant condition | Benefits portals, tax and licensing systems |
| Banks, fintechs and payment institutions (global) | Voluntary best practice; regulators reference it | KYC/CIP proofing and strong customer authentication design |
| Healthcare and health-IT organisations | Referenced by ONC and used to meet HIPAA identity controls | Patient portals, e-prescribing (EPCS) identity proofing |
| Enterprises deploying customer or workforce IAM | De facto industry benchmark for assurance | Justifying MFA strength and passwordless/passkey roadmaps |
| Identity providers and CSP vendors | Kantara / NIST 63 conformance schemes | Certification against IAL/AAL/FAL for procurement |
- Mandatory: any US federal agency system, and any system a federal agency relies on for identity, must be assessed against 800-63 and assigned explicit IAL/AAL/FAL values.
- Contractual: FedRAMP authorisations, EPCS (DEA electronic prescribing of controlled substances requiring IAL2/AAL2), and many grant programmes embed 800-63 by reference.
- Voluntary but recommended: financial services, healthcare, telecoms, and any organisation wanting a defensible, risk-based rationale for its proofing and authentication strength.
Structure of NIST SP 800-63
The suite is organised as a parent document plus three normative volumes, each addressing a distinct assurance dimension. Understanding this structure is essential because an assessment must produce a separate conformance conclusion for each volume that is in scope.
| Volume | Title | Assurance dimension | Level ladder | Key concepts |
|---|
| SP 800-63-3 | Digital Identity Guidelines (parent) | Overall model and risk selection | N/A | Actors, xAL selection, digital identity risk assessment |
| SP 800-63A | Enrolment and Identity Proofing | Identity Assurance Level (IAL) | IAL1, IAL2, IAL3 | Evidence strength, validation, verification, resolution, address confirmation |
| SP 800-63B | Authentication and Lifecycle Management | Authenticator Assurance Level (AAL) | AAL1, AAL2, AAL3 | Authenticator types, verifier requirements, reauthentication, session management |
| SP 800-63C | Federation and Assertions | Federation Assurance Level (FAL) | FAL1, FAL2, FAL3 | Assertions, RP/IdP trust agreements, holder-of-key, assertion protection |
Each level is cumulative: a higher level inherits the requirements of the level beneath it and adds constraints. The three ladders are independent so that a service can, for example, run at IAL1 (no proofing) but AAL2 (two-factor) — a common pattern for pseudonymous accounts that still need strong login security.
| Assurance factor | Level 1 | Level 2 | Level 3 |
|---|
| IAL (proofing) | Self-asserted attributes; no proofing required | Identity evidence collected, validated and verified (remote or in person) | Identity proofing performed in person or via supervised remote; biometric collected and bound |
| AAL (authentication) | Single or multi-factor; approved cryptography for MFA | Two distinct factors; approved cryptography; replay resistance | Hardware authenticator; verifier-impersonation (phishing) resistance; both factors hardware/software cryptographic |
| FAL (federation) | Bearer assertion, signed by IdP | Assertion additionally encrypted to the RP or injected via back channel | Holder-of-key: subscriber proves possession of a key bound to the assertion |
Master assessment checklist for NIST SP 800-63
This is the core of the guide. It enumerates every requirement family across the parent document and the three volumes. For each family, the table states what an assessor must verify and the typical evidence an implementer should be ready to produce. No control area is omitted; work through each h3 group in turn.
63-3 Parent: Digital Identity Risk Management
| What to verify | Typical evidence |
|---|
| A digital identity risk assessment has been performed for each in-scope service | Completed risk assessment worksheet identifying potential impacts across the six A-130 categories |
| Impact categories are assessed: inconvenience, financial loss, reputational harm, unauthorised release of sensitive info, personal safety, civil/criminal violations | Impact-category scoring matrix with rationale per category |
| Initial IAL, AAL and FAL are selected independently and justified | Digital Identity Acceptance Statement (mandatory in -4) recording chosen xALs and residual risk |
| Compensating and supplemental controls are documented where a level is tailored down | Tailoring log with control rationale and approver |
| Assurance selections are periodically re-evaluated | Review cadence record and change history |
63A Identity Proofing: General and Enrolment Requirements
| What to verify | Typical evidence |
|---|
| The CSP has a documented, risk-informed identity proofing and enrolment process | Enrolment procedure document mapped to the selected IAL |
| The proofing process performs Resolution (uniquely resolves to one identity), Validation (evidence is genuine), and Verification (evidence relates to the applicant) | Process design showing all three phases and their controls |
| Collected PII is limited to the minimum necessary and retention is defined | Data-minimisation and retention schedule; privacy notice |
| Applicant is notified of the proofing, its purpose, and consequences | Copy of applicant notice / consent record |
| Enrolment records are protected and bound to the subscriber account | Access controls and encryption over enrolment records |
63A IAL1 Requirements
| What to verify | Typical evidence |
|---|
| No identity proofing is required; attributes may be self-asserted | Configuration showing self-asserted account creation |
| If any attributes are validated, they are not asserted as proofed to a higher level | Attribute-provenance labelling |
| Any collected identity evidence is handled per privacy requirements | Privacy assessment for optionally collected data |
63A IAL2 Requirements
| What to verify | Typical evidence |
|---|
| Evidence meeting the required strength is collected (e.g. one STRONG + one FAIR, or two STRONG, per the evidence-strength table) | Evidence-strength policy and sample proofing records |
| Each piece of evidence is validated as genuine (document authentication, issuer checks) | Document-verification vendor logs; authoritative/issuing-source query results |
| The applicant is verified as the rightful holder (e.g. liveness/biometric comparison or knowledge-based verification within limits) | Liveness/selfie-match logs; verification method configuration |
| Address of record is confirmed and an enrolment code / notification sent | Enrolment-code issuance and confirmation logs |
| Remote proofing sessions are protected against fraud (session integrity, anti-injection) | Trusted-referee or remote-session controls; fraud-signal review |
| Biometrics, if used at IAL2, meet performance and presentation-attack requirements | PAD test results; false-match/false-non-match rates |
63A IAL3 Requirements
| What to verify | Typical evidence |
|---|
| Proofing is in person or supervised remote (real-time operator supervision with tamper controls) | In-person station procedures or supervised-remote platform attestation |
| At least the IAL3 evidence strength is met (typically two SUPERIOR/STRONG pieces) | Evidence inventory for IAL3 enrolments |
| A biometric is collected and bound to the identity record for future re-proofing and non-repudiation | Biometric enrolment record with binding to account |
| Physical evidence is inspected for authenticity by a trained operator | Operator training records; inspection checklist |
| The supervised-remote environment integrity is continuously monitored | Session monitoring and tamper-evidence logs |
63B Authenticator Types and Requirements (General)
| What to verify | Typical evidence |
|---|
| Only approved authenticator types are used for the target AAL | Authenticator inventory mapped to permitted types per AAL |
| Memorised secrets (passwords) meet composition rules: minimum 8 chars, checked against breach/blocklists, no arbitrary composition or forced periodic rotation | Password policy configuration; breached-password screening integration |
| Rate limiting / throttling on authentication attempts is enforced | Lockout and throttling configuration and logs |
| Approved cryptography (FIPS-validated where required) underpins cryptographic authenticators | FIPS 140 validation certificates for modules |
| Authenticator secrets are stored using salted, computationally hard one-way functions | Credential-storage design and code review evidence |
63B AAL1 Requirements
| What to verify | Typical evidence |
|---|
| At least one authenticator (single or multi-factor) is required | Authentication policy showing single-factor minimum |
| Replay resistance for the authentication event where applicable | Nonce/challenge or TLS-channel evidence |
| Reauthentication at least every 30 days of continuous session or on session end | Session-timeout configuration |
| Approved cryptography used for any cryptographic authenticator | Algorithm configuration |
63B AAL2 Requirements
| What to verify | Typical evidence |
|---|
| Two distinct authentication factors are required (something you know/have/are) | MFA enforcement configuration |
| Approved cryptography is used and authenticators are replay resistant | Protocol/cipher configuration and MFA vendor attestation |
| Reauthentication at least every 12 hours, or after 30 minutes inactivity | Session and idle-timeout settings |
| Verifier is resistant to replay and, where feasible, to man-in-the-middle | Channel-binding / TLS mutual controls |
| Biometric factors meet FMR (<=1/10,000) and presentation-attack detection where used | Biometric performance and PAD test reports |
63B AAL3 Requirements
| What to verify | Typical evidence |
|---|
| A hardware-based authenticator providing verifier impersonation (phishing) resistance is used (e.g. FIDO2/WebAuthn security key, PIV) | Hardware authenticator inventory; WebAuthn attestation |
| Verifier-impersonation resistance and verifier-compromise resistance are demonstrated | Protocol analysis showing channel binding to authenticated verifier |
| Both factors are provided via hardware or software cryptographic authenticators | Authenticator composition mapping |
| Reauthentication at least every 12 hours, or after 15 minutes inactivity, using both factors | Session policy configuration |
| Authenticator uses an approved cryptographic module (typically FIPS 140 Level 1 overall, Level 3 physical security) | FIPS validation certificate and level breakdown |
63B Authenticator Lifecycle Management
| What to verify | Typical evidence |
|---|
| Authenticator binding at enrolment is controlled and traceable | Binding records tying authenticator to subscriber |
| Account recovery and authenticator reset do not lower the assurance level (e.g. no email-only reset for AAL3) | Recovery process design and step-up controls |
| Lost/stolen/compromised authenticators can be revoked and suspended promptly | Revocation logs and SLA |
| Subscribers are notified of binding, renewal and revocation events | Notification templates and dispatch logs |
| Authenticator expiration, renewal and re-key procedures exist | Lifecycle procedure document |
63B Session Management
| What to verify | Typical evidence |
|---|
| Session secrets are generated with sufficient entropy and protected in transit and at rest | Session-token design and TLS configuration |
| Absolute and idle session timeouts match the AAL requirements | Timeout configuration |
| Reauthentication events are enforced at session boundaries | Reauth trigger logs |
| Sessions can be terminated by the subscriber and on suspicious activity | Logout and anomaly-driven termination controls |
63C Federation: General and Trust Agreements
| What to verify | Typical evidence |
|---|
| A trust agreement or established relationship exists between IdP and RP | Signed trust agreement / federation metadata registration |
| The federation model (static, dynamic) and its registration are documented | Federation architecture description |
| Attribute disclosure to the RP is minimised and subject to subscriber runtime or configured consent | Attribute-release policy and consent records |
| Assertions carry only the attributes the RP requires | Attribute-request scoping evidence |
| Pairwise pseudonymous identifiers are used where privacy requires unlinkability | PPID configuration |
63C FAL1 Requirements
| What to verify | Typical evidence |
|---|
| Assertions are signed by the IdP and validated by the RP | Assertion-signature verification configuration and keys |
| Bearer assertions are protected in transit (TLS) and time-limited | Assertion lifetime and transport settings |
| Assertion audience/RP is restricted to the intended party | Audience-restriction claim configuration |
63C FAL2 Requirements
| What to verify | Typical evidence |
|---|
| Assertion is encrypted to the RP or delivered via a protected back channel (injection) | Encryption configuration or back-channel token exchange evidence |
| Assertion replay protection is enforced (single-use, jti/nonce, tight expiry) | Replay-cache / nonce configuration |
| IdP and RP key management for signing/encryption is documented | Key rotation and storage evidence |
63C FAL3 Requirements
| What to verify | Typical evidence |
|---|
| The subscriber presents a holder-of-key authenticator bound to the assertion | Holder-of-key / bound-token proof-of-possession evidence |
| The RP verifies proof of possession in addition to assertion validity | RP verification logic and logs |
| The bound key meets the required authenticator assurance | Authenticator attestation for the bound key |
Cross-cutting: Privacy, Usability, Equity and Security
| What to verify | Typical evidence |
|---|
| A privacy risk assessment covers identity data collection, use, retention and sharing | Privacy Impact Assessment (PIA) referencing 800-63 data flows |
| Usability of proofing and authentication is evaluated and friction is justified | Usability test results; abandonment metrics |
| Equity assessment checks that proofing does not disproportionately exclude groups (mandatory in -4) | Equity/accessibility assessment and remediation log |
| Security controls (encryption, logging, incident response) protect identity systems | SC/AU/IR control mapping (e.g. to SP 800-53) |
| Redress and appeal processes exist for proofing failures | Documented redress / manual-review procedure |
Scoping a NIST 800-63 assessment
Scoping determines which services, which volumes, and which assurance levels are under examination. Because the three assurance ladders are independent, scoping must be done per digital service rather than per organisation.
- Enumerate every digital service or transaction that involves establishing or using an identity, and treat each as a scoping unit.
- For each unit, decide which volumes apply: services with no proofing are out of scope for 63A at IAL2/3 but still in scope for 63B; non-federated services are out of scope for 63C.
- Record the selected IAL, AAL and FAL for each unit — the pairing (e.g. IAL1/AAL2/FAL0 where no federation exists) is the scope statement.
- Identify all actors in scope: internal CSP functions, outsourced proofing vendors, IdPs, and downstream RPs, since third-party CSPs inherit assessment obligations.
- Include supporting infrastructure: credential stores, biometric subsystems, session managers, and logging that underpin the assurance claims.
- Exclude, with rationale, systems that neither proof identity nor authenticate subscribers (e.g. purely anonymous public content).
Scoping pitfall
A common error is scoping only the login screen. The assurance claim depends on the whole chain — proofing vendor, credential storage, recovery flows, and session handling. Account recovery in particular is frequently the weakest link because a weak reset path silently downgrades a strong AAL. Scope recovery explicitly.
Implementation approach
A pragmatic 800-63 programme runs in phases. Each phase has defined activities and deliverables so that progress is auditable.
Phase 1 — Risk assessment and level selection
- Activities: inventory digital services; run the digital identity risk assessment across the six impact categories; select initial IAL/AAL/FAL per service; identify tailoring and compensating controls.
- Deliverables: service inventory, impact scoring matrix, and a Digital Identity Acceptance Statement per service recording the chosen levels and residual risk.
Phase 2 — Gap analysis
- Activities: map current proofing, authentication and federation implementations against the requirements for the selected levels; document deltas.
- Deliverables: gap register with severity, owner and target level for each finding; prioritised remediation backlog.
Phase 3 — Design and remediation
- Activities: design or procure conformant proofing (evidence validation, liveness), authenticators (FIDO2/passkeys, PIV, OTP), and federation protocols (OIDC/SAML with correct FAL protections); harden recovery and session management.
- Deliverables: target-state architecture, authenticator and proofing vendor selections, and updated recovery/session designs.
Phase 4 — Implementation and integration
- Activities: build/configure the controls; integrate breached-password screening, MFA, PAD-tested biometrics, and assertion protection; enforce data minimisation.
- Deliverables: configured environments, integration test results, and updated privacy/equity assessments.
Phase 5 — Validation, assessment and ATO
- Activities: independent conformance assessment against each volume; penetration and PAD testing; remediate residual findings; obtain sign-off/ATO.
- Deliverables: assessment report, evidence pack, and authorised Digital Identity Acceptance Statement.
Phase 6 — Continuous monitoring
- Activities: monitor fraud, usability and equity metrics; re-evaluate assurance on change; maintain authenticator lifecycle and revocation.
- Deliverables: monitoring dashboard, periodic re-assessment records, and change-driven risk re-evaluations.
Maturity and capability model
NIST 800-63 does not define a maturity model of its own, but assessors benefit from a capability ladder to describe how robustly an organisation operationalises the guidelines. The following model helps benchmark programmes beyond a pass/fail conformance snapshot.
| Level | Name | Characteristics | Typical evidence |
|---|
| 1 | Ad hoc | Assurance levels not formally selected; proofing and MFA inconsistent; no acceptance statement | Scattered configs, no risk assessment |
| 2 | Defined | IAL/AAL/FAL selected per service; policies written; MFA broadly deployed | Acceptance statements, documented policies |
| 3 | Implemented | Controls conform to selected levels; breached-password screening, PAD and assertion protection in place | Assessment report, test results |
| 4 | Managed | Fraud, usability and equity metrics tracked; recovery and session hardened; lifecycle managed | Metrics dashboards, revocation logs |
| 5 | Optimised | Continuous re-evaluation; passwordless/phishing-resistant by default; automated assurance monitoring | Trend analysis, automated re-assessment |
Assessment and audit approach
- Confirm scope: list in-scope services and their declared IAL/AAL/FAL from the Digital Identity Acceptance Statements.
- Validate the risk assessment: check that impact categories were assessed and that level selections are justified and independent.
- Assess 63A proofing: verify resolution, validation and verification meet the target IAL, including evidence strength, liveness/PAD, and address confirmation.
- Assess 63B authentication: verify authenticator types, password/breach controls, MFA strength, phishing resistance (for AAL3), and session/reauth timeouts.
- Assess 63B lifecycle and recovery: confirm binding, revocation, and that recovery does not downgrade assurance.
- Assess 63C federation: verify assertion signing/encryption, replay protection, holder-of-key (FAL3), audience restriction and attribute minimisation.
- Test privacy, usability and equity: review the PIA, usability data and equity assessment for exclusion risks.
- Perform technical testing: penetration testing, PAD testing, and assertion/session security tests.
- Consolidate findings: rate gaps by severity, map to the responsible owner and requirement identifier.
- Report and re-assess: issue the assessment report, agree remediation, and schedule re-evaluation on change or at defined intervals.
Evidence request list
- Governance: digital identity risk assessments, impact scoring matrices, Digital Identity Acceptance Statements, tailoring logs.
- Proofing (63A): enrolment procedures, evidence-strength policy, document-verification vendor logs, liveness/PAD test reports, address-confirmation/enrolment-code logs, biometric enrolment records.
- Authentication (63B): authenticator inventory, password policy, breached-password screening evidence, MFA configuration, FIPS 140 certificates, credential-storage design, session/reauth timeout configs, rate-limiting logs.
- Lifecycle and recovery: binding records, revocation/suspension logs, account-recovery process design, subscriber notification templates.
- Federation (63C): trust agreements/metadata, assertion signing/encryption configs, replay-protection settings, holder-of-key evidence, attribute-release and consent records, PPID configuration.
- Privacy, usability, equity: Privacy Impact Assessment, usability/abandonment data, equity and accessibility assessment, redress procedures.
- Security and operations: encryption and key-management evidence, logging/audit records, incident-response plan, penetration-test reports, third-party (CSP/IdP) attestations.
Roles and responsibilities
| Role | Responsibility under 800-63 |
|---|
| Service/Business Owner | Owns the digital identity risk decision and signs the Digital Identity Acceptance Statement |
| Credential Service Provider (CSP) | Performs proofing, issues and manages authenticators, maintains enrolment records |
| Identity Provider (IdP) | Authenticates subscribers and issues assertions to relying parties |
| Relying Party (RP) | Consumes assertions, applies FAL protections, requests minimal attributes |
| Verifier | Validates authenticators and enforces AAL requirements at login |
| Privacy Officer / DPO | Owns the PIA, data minimisation and consent for identity data |
| Security / IAM Engineering | Implements authenticators, session management, encryption and monitoring |
| Equity / Accessibility Lead | Assesses proofing for disparate impact and drives remediation (esp. -4) |
| Independent Assessor / Auditor | Evaluates conformance to each volume and issues the assessment report |
| Fraud Operations | Monitors proofing/authentication fraud signals and tunes controls |
KPIs to track
- Percentage of digital services with a current Digital Identity Acceptance Statement and assigned xALs.
- MFA/phishing-resistant authenticator adoption rate (share of logins at AAL2 and AAL3).
- Proofing pass rate and manual-review/redress rate at IAL2/IAL3.
- Presentation-attack detection (PAD) effectiveness and biometric false-match / false-non-match rates.
- Breached-password screening hit rate and password-related account-takeover incidents.
- Account-recovery abuse rate and mean time to revoke a compromised authenticator.
- Federation assertion replay/validation failure rate and attribute over-disclosure incidents.
- Proofing abandonment rate and equity gap (variance in pass rates across demographic groups).
- Number of open assessment findings by severity and mean time to remediate.
Readiness checklist
- Digital identity risk assessment completed for every in-scope service across all six impact categories
- IAL, AAL and FAL selected independently and recorded in a Digital Identity Acceptance Statement
- Proofing implements resolution, validation and verification to the target IAL with liveness/PAD where required
- Password policy enforces breach screening, 8+ character minimum and no forced periodic rotation or composition rules
- MFA enforced to the target AAL; AAL3 services use phishing-resistant hardware authenticators (FIDO2/PIV)
- Account recovery and reset paths do not downgrade the assurance level
- Session and reauthentication timeouts match the required AAL
- Federation assertions are signed, protected (encrypted/injected at FAL2) and, where required, holder-of-key at FAL3
- Attribute disclosure minimised with consent and, where needed, pairwise pseudonymous identifiers
- Privacy Impact Assessment, usability evaluation and equity assessment completed
- FIPS-validated cryptographic modules used where mandated and certificates on file
- Redress process exists for individuals who fail proofing
- Third-party CSP/IdP conformance attestations obtained
- Continuous monitoring of fraud, usability and equity metrics operating
Common gaps
- Treating identity as one monolithic level instead of selecting IAL, AAL and FAL independently.
- Weak account recovery (email or knowledge-only reset) that silently downgrades a strong AAL.
- Persisting legacy password rules — forced periodic rotation, composition complexity — that 800-63B explicitly discourages.
- No breached-password / blocklist screening on memorised secrets.
- Claiming AAL3 without genuinely phishing-resistant, verifier-impersonation-resistant hardware authenticators.
- Missing presentation-attack detection or unvalidated biometric performance in remote IAL2 proofing.
- Bearer assertions without replay protection, audience restriction or (at FAL2) encryption.
- Over-collection of PII during proofing and no retention/minimisation policy.
- Absence of a Digital Identity Acceptance Statement or documented risk rationale.
- No equity assessment, causing disparate proofing failure rates for some populations (a -4 gap).
- Unassessed third-party CSPs whose controls are assumed rather than verified.
- Reauthentication and session timeouts not aligned to the claimed AAL.
NIST SP 800-63 mapped to other frameworks
| Framework | Relationship to 800-63 | Mapping notes |
|---|
| NIST SP 800-53 | Provides the underlying security/privacy controls (IA, AC, AU, SC families) | 800-63 assurance is implemented atop 800-53 IA controls |
| NIST Cybersecurity Framework (CSF) | Identity supports PR.AA (Identity Management and Access Control) | 800-63 operationalises the CSF Protect identity outcomes |
| ISO/IEC 29115 | International entity-authentication assurance framework with LoA 1-4 | Conceptually parallel; 800-63 splits LoA into IAL/AAL/FAL |
| eIDAS (EU) | Assurance levels Low/Substantial/High for electronic identification | Rough alignment: Substantial~IAL2/AAL2, High~IAL3/AAL3 |
| FIDO2 / WebAuthn | Technical authenticator standard | Delivers AAL2/AAL3 phishing-resistant authenticators |
| PCI DSS | Requires strong authentication (MFA) for access to cardholder data | 800-63B AAL2 satisfies PCI MFA intent |
| Kantara Identity Assurance | Accreditation scheme certifying CSPs against 800-63 | Provides third-party conformance evidence |
| FedRAMP | Cloud authorisation programme | Inherits 800-63 IAL/AAL/FAL for identity controls |
| DEA EPCS | E-prescribing of controlled substances | Requires IAL2/AAL2-equivalent proofing and two-factor |
How CyberSigma helps
CyberSigma runs end-to-end NIST 800-63 engagements: we perform the digital identity risk assessment, select and justify IAL/AAL/FAL per service, and author your Digital Identity Acceptance Statements. Our assessors gap-test your proofing (63A), authentication and lifecycle (63B) and federation (63C) implementations, including breached-password screening, FIDO2/passkey and PIV rollout, PAD/biometric validation, and assertion-protection reviews. We harden the recovery and session paths that most audits miss, deliver privacy, usability and equity assessments aligned to SP 800-63-4, and provide the evidence pack and remediation roadmap needed for ATO, FedRAMP, EPCS or your board. Talk to CyberSigma to move from ad hoc identity controls to a defensible, risk-based, phishing-resistant identity programme.