June 27, 2017. The National Institute of Standards and Technology (NIST) released this month its new Digital Identity Guidelines, a suite of four final documents in the Special Publication (SP) 800 series collectively designated SP 800-63-3. According to NIST, this suite of four documents covers “digital identity from initial risk assessment to deployment of federated identity solutions.” The suite is the outcome of a collaboration of stakeholders from government, industry, and academe, and its guidelines describe “the risk management processes for selecting appropriate digital identity services and the details for implementing identity assurance, authenticator assurance, and federation assurance levels based on risk”.
NIST describes this effort as follows:
“Digital identity in both agencies and the market has changed dramatically since the last revision of this document in 2013. Gone are the days of levels of assurance (LOAs), replaced by ordinals for individual parts of the digital identity flow, enabling implementers more flexibility in their design and operations:
- “Identity Assurance Level (IAL): the identity proofing process and the binding between one or more authenticators and the records pertaining to a specific subscriber.
- “Authenticator Assurance Level (AAL): the authentication process, including how additional factors and authentication mechanisms can impact risk mitigation.
- “Federation Assurance Level (FAL): the assertion used in a federated environment to communicate authentication and attribute information to a relying party (RP).”
Here are the abstracts and keywords for each of the four documents in the SP 800-63 suite:
- SP 800-63-3, Digital Identity Guidelines: “These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. They define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions. This publication supersedes NIST SP 800-63-2.
- “Authentication, assurance, authenticator, assertions, credential service provider, digital authentication, digital credentials, identity proofing, federation, passwords, PKI.”
- SP 800-63A, Enrollment and Identity Proofing: “These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the enrollment and verification of an identity for use in digital authentication. Central to this is a process known as identity proofing in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identification at a useful identity assurance level. This document defines technical requirements for each of three identity assurance levels. This publication supersedes corresponding sections of NIST SP 800-63-2.
- “Authentication, credential service provider, electronic authentication, digital authentication, electronic credentials, digital credentials, identity proofing, federation.”
- SP 800-63B, Authentication and Lifecycle Management: “These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. These guidelines focus on the authentication of subjects interacting with government systems over open networks, establishing that a given claimant is a subscriber who has been previously authenticated. The result of the authentication process may be used locally by the system performing the authentication or may be asserted elsewhere in a federated identity system. This document defines technical requirements for each of the three authenticator assurance levels. This publication supersedes corresponding sections of NIST SP 800-63-2.
- “Authentication, credential service provider, digital authentication, digital credentials, electronic authentication, electronic credentials, federation.”
- SP 800-63C, Federation and Assertions: “This document and its companion documents, SP 800-63, SP 800-63A, and SP 800-63B, provide technical and procedural guidelines to agencies for the implementation of federated identity systems and for assertions used by federations. This publication supersedes corresponding sections of SP 800-63-2. These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the use of federated identity and the use of assertions to implement identity federations. Federation allows a given credential service provider to provide authentication and (optionally) subscriber attributes to a number of separately administered relying parties. Similarly, relying parties may use more than one credential service provider.
- “Assertions, authentication, credential service provider, digital authentication, electronic authentication, electronic credentials, federations.”
Here are definitions of the Keywords above:
Assertion. An assertion is a statement from a verifier to a relying party (RP) that contains information about a subscriber. Assertions may also contain verified attributes. Note the direction: the RP consumes the assertion; it does not issue it.
Assurance. See identity assurance level (IAL), authenticator assurance level (AAL), and federation assurance level (FAL), described at the beginning of this posting.
Authentication. Authentication is verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources.
Authenticator. An authenticator is something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous editions of SP 800-63, this was referred to as a token.
Credential Service Provider. A credential service provider (CSP) is a trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
Digital Authentication. Digital authentication is a process of establishing confidence in user identities presented digitally to a system. In previous editions of SP 800-63, this was referred to as electronic authentication.
Digital Credential. A credential is an object or data structure that authoritatively binds an identity (via one or more identifiers) and, optionally, additional attributes to at least one authenticator possessed and controlled by a subscriber. A credential issued based on proof of possession and control of an authenticator associated with a previously issued credential, so as not to duplicate the identity proofing process, is specifically a derived credential.
Electronic Authentication. See Digital Authentication above.
Electronic Credential. See Digital Credential above.
Federation. Federation is a process that allows the conveyance of identity and authentication information across a set of networked systems.
Identity Proofing. Identity proofing is the process by which a CSP collects, validates, and verifies information about a person.
Password. A password is a memorized secret: a type of authenticator consisting of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
Public Key Infrastructure. A public key infrastructure (PKI) is a set of policies, processes, server platforms, software, and workstations used for the purpose of administrating certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
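The FAL bullet and the Assertion definition above describe a verifier sending a signed statement about a subscriber to a relying party. The following Python is an added illustration, not code from NIST or from this posting, of what an RP must check before trusting such an assertion: signature, issuer, audience, validity window, replay, and the IAL/AAL ordinals the RP's own risk assessment requires. It is simplified: a shared HMAC key stands in for the public-key signatures used by SAML and OpenID Connect, and the issuer URL, RP URL, key, claim names and subscriber identifier are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret between verifier and RP (example only; real
# federations use asymmetric signatures so the RP holds no signing capability).
SHARED_KEY = b"example-shared-key-not-for-production"


def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def make_assertion(subscriber_id, ial, aal, audience,
                   issuer="https://csp.example", lifetime=300, now=None,
                   attributes=None):
    """Verifier side: build a signed assertion about a subscriber.

    ial/aal are the ordinals (1-3) at which the CSP proofed the subscriber and
    at which this session was authenticated. 'jti' is a unique id for replay
    detection. Claim names are borrowed from JWT conventions for readability.
    """
    now = time.time() if now is None else now
    body = {
        "iss": issuer,
        "sub": subscriber_id,
        "aud": audience,
        "iat": now,
        "exp": now + lifetime,
        "jti": secrets.token_hex(8),
        "ial": ial,
        "aal": aal,
        "attributes": attributes or {},
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload, "sig": _sign(payload)}


def validate_assertion(assertion, expected_issuer, expected_audience,
                       min_ial, min_aal, now=None, seen_ids=None):
    """RP side: decide whether to accept an assertion.

    Returns (ok, reason, claims). Checks run in an order that never parses
    untrusted claims before the signature is verified, and never reveals
    which later check failed if the signature is bad.
    """
    now = time.time() if now is None else now
    payload = assertion["payload"]
    # 1. Integrity/authenticity: constant-time compare of the HMAC.
    if not hmac.compare_digest(_sign(payload), assertion["sig"]):
        return False, "bad signature", None
    claims = json.loads(payload)
    # 2. Issuer: only the CSP this RP has a federation agreement with.
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer", None
    # 3. Audience: an assertion minted for another RP must not be accepted here.
    if claims.get("aud") != expected_audience:
        return False, "assertion not intended for this RP", None
    # 4. Freshness: reject expired or not-yet-valid assertions.
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "assertion expired or not yet valid", None
    # 5. Replay: each assertion id may be presented once.
    if seen_ids is not None:
        if claims["jti"] in seen_ids:
            return False, "replayed assertion", None
        seen_ids.add(claims["jti"])
    # 6. Assurance: the ordinals must meet what the RP's risk assessment set.
    if claims.get("ial", 0) < min_ial:
        return False, "IAL%s below required IAL%s" % (claims.get("ial"), min_ial), None
    if claims.get("aal", 0) < min_aal:
        return False, "AAL%s below required AAL%s" % (claims.get("aal"), min_aal), None
    return True, "accepted", claims


if __name__ == "__main__":
    a = make_assertion("subscriber-0001", ial=2, aal=2,
                       audience="https://rp.example", now=1000.0)
    print(validate_assertion(a, "https://csp.example", "https://rp.example",
                             min_ial=2, min_aal=2, now=1010.0)[:2])
```

The ordering matters: the signature is checked before any claim is read, and the assurance comparison comes last so that a caller cannot probe required levels with forged assertions. An RP requiring AAL3 will reject an otherwise valid AAL2 assertion, which is the practical meaning of the separate ordinals the NIST note describes.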
HIPAA Integrity® recommends that you download the suite of documents and pay particular attention to the Executive Summary at the beginning of each document and the definitions in Appendix A to SP 800-63-3. HIPAA Integrity® will incorporate the terminology and process changes reflected in this suite of documents in Version 5.0 of the HIPAA Integrity® Safeguard Compliance Tool Set, to be released later this year. Version 5.0 also will contain the latest updates of the NIST Cybersecurity Framework and its relation to the HIPAA Security Rule in a concordance of the two sets of standards. In addition, Version 5.0 will contain checklists pertaining to Centers for Medicare & Medicaid Services (CMS) Emergency Preparedness Required Plan Functions for four of 17 healthcare provider types: hospitals, critical access hospitals (CAHs), long term care (LTC) facilities (including nursing and skilled nursing facilities therein), and hospice facilities. Emergency Preparedness requirements must comport with certain HIPAA Privacy and Security Rules for all healthcare provider types covered by the CMS Emergency Preparedness Final Rule, and for the four types identified here also include provisions relating to emergency and standby power systems.