DirectTrust is pleased to announce that we’ve completed our months-long review of the latest revision of NIST SP 800-63-4. The majority of the review took place in our Identity Management Sub-Workgroup. In general, we believe the latest revision of the guidelines on Digital Identity is a noticeable improvement over the previous revision (NIST SP 800-63-3).
Why NIST SP 800-63-4 Matters to DirectTrust
The digital identity guidelines published by NIST serve as the bedrock on which DirectTrust policies are built. DirectTrust policies were originally founded on revision 2 of the NIST SP 800-63 series, and they currently observe the third revision of the guidelines.
Digital identity plays a fundamental role in nearly everything we do at DirectTrust. Health information cannot be shared securely unless an organization knows, with confidence, who it is communicating with over the internet.
That’s why we accredit our CAs and RAs (called Credential Service Providers by NIST) against our DirectTrust policies that have been founded and ratified through our mature governance processes.
Summary of DirectTrust Comments
The DirectTrust community made several comments about terminology, both suggesting clarifications and re-introducing terms used in previous revisions, such as “Registration Authorities.” The DirectTrust community also made several comments related to identity resolution aimed at aiding healthcare in its patient matching dilemma. DirectTrust also recommended that NIST include expiration requirements for each type of authenticator, or explicitly state that a particular authenticator’s cryptographic material never needs to expire. Lastly, DirectTrust submitted a few comments to clarify and strengthen the federation content in 63C. All of the DirectTrust comments and rationale can be found here.
What is Different About This Revision?
While this question deserved a dedicated discussion, NIST succinctly outlined the high level changes that were made in each of the four documents that make up NIST’s Digital Identity guidelines suite. The summary of changes is outlined below:
Nobody knows when NIST will make its next announcement regarding NIST SP 800-63-4. However, based on previous revision cycles, we expect the next revision of NIST’s Digital Identity guidelines won’t be out for at least 12 months, and it could include a second comment period, which would push the timeline out further.
When the next revision of the 63 series is published, DirectTrust will work on updating our policies to reflect the new requirements within our workgroups and governance structure. Until then, stay tuned to our content and blog posts to stay informed and connected as we help to evolve healthcare!