June 27, 2017. The National Institute of Standards and Technology (NIST) released this month new Digital Identity Guidelines in a suite of four final documents in the Special Publication (SP) 800 series as SP 800-63-3. According to NIST, this suite of four documents covers “digital identity from initial risk assessment to deployment of federated identity solutions.” The suite is an outcome of a collaboration among stakeholders from government, industry, and academia, and the guidelines in the documents describe “the risk management processes for selecting appropriate digital identity services and the details for implementing identity assurance, authenticator assurance, and federation assurance levels based on risk”.
NIST describes this effort as follows:
“Digital identity in both agencies and the market have changed dramatically since the last revision of this document in 2013. Gone are the days of levels of assurance (LOAs), replaced by ordinals for individual parts of the digital identity flow, enabling implementers more flexibility in their design and operations:
Here are abstracts and keywords for each of the four documents in the SP 800-63 suite:
Here are definitions of the Keywords above:
Assertion. An assertion is a statement from a Relying Party (RP) that contains information about a subscriber. Assertions may also contain verified attributes.
Assurance. See identity assurance level (IAL), authenticator assurance level (AAL), and federation assurance level (FAL) described at the beginning of this posting.
Authentication. Authentication is verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources.
Authenticator. An authenticator is something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous editions of SP 800-63, this was referred to as a token.
Credential Service Provider. A credential service provider (CSP) is a trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
Digital Authentication. Digital authentication is a process of establishing confidence in user identities presented digitally to a system. In previous editions of SP 800-63, this was referred to as electronic authentication.
Digital Credential. A digital credential is issued based on proof of possession and control of an authenticator associated with a previously issued credential, so as not to duplicate the identity proofing process.
Electronic Authentication. See Digital Authentication above.
Electronic Credential. See Digital Credential above.
Federation. Federation is a process that allows the conveyance of identity and authentication across a set of networked systems.
Identity Proofing. Identity proofing is a process by which a CSP collects, validates, and verifies information about a person.
Password. A password is a memorized secret that is a type of authenticator comprised of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
Public Key Infrastructure. A public key infrastructure (PKI) is a set of policies, processes, server platforms, software, and workstations used for the purpose of administrating certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
HIPAA Integrity® recommends that you download the suite of documents, and pay particular attention to the Executive Summary at the beginning of each document and the definitions in Appendix A to SP 800-63-3. HIPAA Integrity® will incorporate terminology and process changes reflected in this suite of documents in Version 5.0 of the HIPAA Integrity® Safeguard Compliance Tool Set, which will be released later this year. Version 5.0 also will contain the latest updates of the NIST Cybersecurity Framework and its relation to the HIPAA Security Rule in a concordance of the two sets of standards. In addition, Version 5.0 will contain checklists pertaining to Centers for Medicare & Medicaid Services (CMS) Emergency Preparedness Required Plan Functions for four of 17 healthcare provider types: hospitals, critical access hospitals (CAHs), long term care (LTC) facilities (including nursing facilities and skilled nursing facilities therein), and hospice facilities. Emergency Preparedness requirements must comport with certain HIPAA Privacy and Security Rules for all healthcare provider types covered by the CMS Emergency Preparedness Final Rule, and for the four types identified here, also include provisions relating to emergency and standby power systems.