By Gary Moore, Director, Trust Compliance Office, DirectTrust

The National Institute of Standards and Technology (NIST) has released its updated Digital Identity Guidelines, SP 800-63-4, covering identity proofing (63A), authentication (63B), and federation (63C). While these guidelines are written specifically for federal agencies, most industries accept them as best practices as well. These updates matter for any organization that issues, accepts, or relies on digital credentials, and DirectTrust has kicked off a detailed review to ensure our policies, implementation guidance, and accreditation criteria continue to align with national best practices while remaining practical for healthcare.

What is SP 800-63?

It all comes down to trust, as in, knowing who you’re dealing with online, and ensuring other systems can rely on that decision.

  • 63A (Identity Assurance): How a person or organization is proofed and placed into a confidence “bucket” (IAL1–3).
  • 63B (Authenticator Assurance): How strongly someone proves possession of their credential (AAL1–3).
  • 63C (Federation Assurance): How trust decisions travel across communities (FAL1–3).

Why this matters beyond compliance

Stronger proofing and authentication can help reduce wrong-patient errors, cut down on duplicate accounts, and protect privacy by ensuring data flows only to the right, authorized people. On the operations side, clearer, consistent identity practices streamline data access, lower the burden on help desks, and improve continuity of care, whether you’re inside one health system or exchanging with many. In addition, these practices guard against the most common cause of cybersecurity breaches: credential theft.

How DirectTrust fits in

While NIST sets the standards and guidelines, DirectTrust makes it practical. We take 800-63’s high-level identity guidance and translate it into the policies, implementation playbooks, and accreditation criteria that healthcare organizations can actually use. That means providers, vendors, Health Information Service Providers (HISPs), payers, and public agencies aren’t left guessing how to apply it but have a clear, shared framework. In other words, after NIST shows us “what good looks like,” we help healthcare organizations run it in the real world, including dealing with the complexity of today’s daily operations.

What’s new in 800-63-4 (at a glance)

Several shifts are especially relevant to our community:

  • Baseline evidence at every level: Even IAL1 now contemplates presenting and validating identity evidence (with strength scaled by level). That opens appropriate, lower-friction options for some healthcare use cases that still need a minimum, consistent floor.
  • Modernized evidence validation: Clearer expectations for how identity documents are verified and cryptographically validated (e.g. using e-passport chips).
  • User-centric federation: Stronger treatment of identity wallets/attribute wallets and user-controlled release, so a person can consent to share just what’s needed (e.g. “over 18” vs. full birthdate) with a relying party.
  • Refined authenticator mapping: Updates to which authenticators are appropriate at each AAL, reinforcing phishing-resistant options.

How DirectTrust is responding

We’re launching a line-by-line review and community discussion to map 800-63-4 into our trust framework. Key policy updates will include:

  • DirectTrust Certificate Policy (CP) for Direct Secure Messaging: refresh identity proofing sections to reflect updated 63A evidence types and validation methods.
  • Identity Provider Policy (IPP) v2: expand to incorporate new 63A/63B expectations (including authenticator choices) and evaluate where IAL1 is appropriate in healthcare workflows.
  • Identity Proofing Guidance: our practical “how-to” for Registration Authorities (RAs)/Identity Providers (IdPs), aligned to the revised evidence strengths, remote proofing (e.g. live-video checks), and cryptographic validation (e.g. e-passport chip reads).

We expect additional work on federation policy, especially as more communities adopt wallets and user-managed attributes, to ensure identities and trust decisions can flow safely across networks without duplicative onboarding.

How policy ties to accreditation criteria

Updating policy isn’t the finish line. Once the new requirements are set, our accreditation criteria will also be revised so assessors can verify they’re implemented correctly. For instance, if your last assessment was aligned to 800-63-3, expect meaningful differences under 800-63-4. Early engagement helps you plan changes (controls, process evidence, authenticator choices) before your next renewal.

Where we need your voice

Two DirectTrust workgroups plan to manage most of this work:

As you may know, participation in DirectTrust workgroups is a membership benefit. If you issue credentials, operate identity services, run HISPs/EHRs, or rely on federation, your real-world constraints and use cases are exactly what we use to help shape policy. If you joined us at the 2025 DirectTrust Conference, one related phrase may have resonated with you: “Let’s make the right thing, the easy thing.”

Efforts in action: cryptographically protected evidence

As just one example, a promising opportunity we heard about at the conference is e-passport–based digital identity. In this flow, the passport’s ICAO chip is read, the chip data is compared with a live-video capture, and the verified result is bound to a wallet protected by the user’s device biometrics. It’s a strong, repeatable way to prove identity remotely while supporting selective attribute release in federated flows.
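To make the selective-release idea concrete (the “over 18” vs. full birthdate case from the federation bullet above, and the wallet-held attributes described here), the following is an added illustration, not DirectTrust, NIST, or any wallet vendor’s code. It uses salted-hash disclosures in the style of SD-JWT: the issuer signs only hash commitments, the wallet releases the disclosures the user consents to, and the relying party verifies what it receives. The HMAC issuer signature and the attribute values are constructed stand-ins; a real identity provider would use an asymmetric signature.

```python
"""Selective attribute release with salted-hash disclosures (SD-JWT style).

Added illustration only. The issuer commits to each attribute as
SHA-256(salt, name, value) and signs just the sorted list of commitments;
the holder's wallet keeps the (salt, value) disclosures and releases only
the ones the user consents to, so "over 18" can be proven without revealing
the birthdate. The HMAC "signature" is a stand-in for a real digital signature.
"""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # placeholder; a real IdP uses an asymmetric key


def _commit(salt: str, name: str, value) -> str:
    payload = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def issue(attributes: dict):
    """Issuer: return (signed credential, private disclosures for the wallet)."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    commitments = sorted(_commit(s, n, v) for n, (s, v) in disclosures.items())
    body = json.dumps({"_sd": commitments}, separators=(",", ":"))
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}, disclosures


def present(disclosures: dict, release: list) -> dict:
    """Wallet: release only the attributes the user agreed to share."""
    return {n: disclosures[n] for n in release}


def verify(credential: dict, presented: dict):
    """Relying party: check the issuer signature, then every disclosure's commitment.
    Returns the released attributes, or None if anything is forged or altered."""
    expected = hmac.new(ISSUER_KEY, credential["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["sig"]):
        return None
    commitments = set(json.loads(credential["body"])["_sd"])
    released = {}
    for name, (salt, value) in presented.items():
        if _commit(salt, name, value) not in commitments:
            return None  # disclosure does not match what the issuer signed
        released[name] = value
    return released


if __name__ == "__main__":
    cred, private = issue({"name": "Jane Doe", "birthdate": "1990-04-02", "age_over_18": True})
    print(verify(cred, present(private, ["age_over_18"])))  # birthdate never leaves the wallet
```

Because the relying party sees only the commitments for withheld attributes, it learns nothing about the birthdate while still confirming the issuer vouched for the released claim.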

Next steps

  • Read through 800-63-4 (identity, authentication, federation) to gain a baseline understanding.
  • Nominate stakeholders (identity, security, HISP ops, compliance) to join IIT and CPP.
  • Inventory your authenticators and proofing flows against likely AAL/IAL targets; note any migrations toward phishing-resistant multi-factor authentication (MFA).
  • Plan for accreditation impacts so your next cycle aligns with the updated criteria.

800-63-4 gives us clearer, more user-centric identity guidance, and DirectTrust’s aim is to convert it into healthcare-ready policy, guidance, and accreditation criteria. This will allow our industry to adopt it consistently and confidently.

Interested in participating? Reach out to DirectTrust for more information.