DirectTrust is pleased to announce that we have completed our months-long review of the latest revision of NIST SP 800-63-4. The majority of the review took place in our Identity Management Sub-Workgroup. In general, we believe the latest revision of the Digital Identity Guidelines is a noticeable improvement over the previous revision (NIST SP 800-63-3).

Why NIST SP 800-63-4 Matters to DirectTrust

The digital identity guidelines published by NIST are the bedrock on which DirectTrust policies are built. DirectTrust policies were originally founded on revision 2 of the NIST SP 800-63 series and currently follow the third revision of the guidelines.

Digital identity plays a fundamental role in nearly everything we do at DirectTrust. Health information cannot be shared securely unless an organization knows, with confidence, who it is communicating with over the internet.

That is why we accredit our CAs and RAs (called Credential Service Providers by NIST) against our DirectTrust policies, which have been founded and ratified through our mature governance processes.

Summary of DirectTrust Comments

The DirectTrust community made several comments about terminology, both suggesting clarifications and re-introducing terms used in previous revisions, such as “Registration Authorities.” The DirectTrust community also made several comments related to identity resolution, aimed at aiding healthcare in its patient-matching dilemma. DirectTrust also recommended that NIST include expiration requirements for each type of authenticator, or explicitly state that a particular authenticator’s cryptographic material never needs to expire. Lastly, DirectTrust made a few comments to clarify and strengthen the federation content in 63C. All of the DirectTrust comments and rationale can be found here.

What is Different About This Revision?

While this question deserves a dedicated discussion, NIST succinctly outlined the high-level changes made in each of the four documents that make up NIST’s Digital Identity Guidelines suite. The summary of changes is outlined below:

Changes by NIST document:

SP 800-63-4
  • Expands the security, privacy, equity and usability considerations of previous versions
  • Updated identity models and descriptions
  • Updated risk management content and considerations
  • Introduced IAL0 (Identity Assurance Level 0)
SP 800-63A-4
  • Redefined IAL1
  • Updated content around identity evidence and the collection of attributes
  • Introduces core attributes
  • Updated content around privacy and equity requirements
  • Introduces applicant references and updated content around Trusted Referees
SP 800-63B-4
  • Updated biometric performance requirements
  • Updated requirements for phishing-resistant wireless authenticators
  • Introduced activation secrets
SP 800-63C-4
  • Updated requirements around trust agreements and registration
  • Requires encryption of all assertions containing PII, and injection protection
  • Adjusted the FAL3 definition to allow Relying Party-managed authenticators
  • Requires the communication of IAL/AAL/FAL in the assertion
  • Added discussion around RP accounts and provisioning

What’s Next?

Nobody knows when NIST will make its next announcement regarding NIST SP 800-63-4. However, based on previous revision cycles, we expect the next revision of NIST’s Digital Identity Guidelines will not be out for at least 12 months, and it may include a second comment period, which would push the timeline out further.

When the next revision of the 63 series is published, DirectTrust will work on updating our policies to reflect the new requirements within our workgroups and governance structure. Until then, stay tuned to our content and blog posts to stay informed and connected as we help to evolve healthcare!