The National Institute of Standards and Technology (NIST) announced the fourth revision to its Digital Identity Guidelines draft on Dec. 16.
The agency’s first major change to the policy in five years features suggestions on identity verification technology – including identity proofing and testing requirements for facial recognition applications.
“The rapid proliferation of online services over the past few years has heightened the need for reliable, equitable, secure, and privacy-protective digital identity solutions,” NIST’s 80-page draft says.
“The guidelines present the process and technical requirements for meeting digital identity management assurance levels for identity proofing, authentication, and federation, including requirements for security and privacy as well as considerations for fostering equity and the usability of digital identity solutions and technology,” the agency wrote.
These standards regulate digital identity management in the Federal government, which is foundational to cybersecurity efforts like zero trust. They also shape the identity proofing process that people are required to pass to access certain online government services.
NIST revised its previous draft of the Digital Identity Guidelines based on feedback it received from a June 2020 call for comments.
According to NIST’s publication, the agency used this feedback to draft a fourth document on identity proofing in government to supersede the third. It highlighted four key areas the new draft seeks to expand upon:
- Advance equity: This draft seeks to expand upon risk management and mandates that agencies account for impacts to individuals, communities, and organizations. This includes continuous evaluation of mission delivery and potential impacts across demographics – including responsible use of face recognition;
- Emphasize optionality and choice for consumers: This draft expands the list of acceptable identity proofing alternatives to provide new mechanisms to securely deliver services to individuals with differing means, motivations, and backgrounds;
- Deter fraud and advanced threats: This draft updates risk and threat models to account for new attacks, and opens the door to new technology such as mobile driver’s licenses and verifiable credentials; and
- Address implementation lessons learned: This draft addresses areas where implementation experience has indicated that additional clarity was required to effectively operationalize the guidelines.
In addition to releasing the fourth version of the Digital Identity Guidelines, NIST laid out a roadmap for the final publication of the guidelines, with a target date of the second quarter of fiscal year 2024.
Before the agency releases the final version in a little over a year, it will host a virtual event on draft four of the guidelines on Jan. 12, 2023. According to the announcement, NIST will provide an overview of the draft, highlight key areas where input is needed from the community, and share information on how to get involved.
NIST is accepting comments on the publication’s most recent revisions until March 24, 2023. The agency is specifically interested in recommendations on identity proofing and enrollment, risk management, and authentication and life cycle management.