NIST SP 800-63 Digital Identity Guidelines

United States

4 domains

49 controls

NIST SP 800-63-3 + 800-63A/B/C Digital Identity Guidelines (IAL/AAL/FAL assurance levels).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (4)

800-63-3

3 controls

Controls in the 800-63-3 domain of NIST SP 800-63 Digital Identity Guidelines — 3 controls
Code	Title	Description
DIG-RISK-1	Digital Identity Risk Assessment	Agencies must conduct a digital identity risk assessment to determine the appropriate IAL, AAL, and FAL for each system...
DIG-RISK-2	Assurance Level Selection Per Transaction	IAL, AAL, and FAL must be selected independently for each system; a high AAL does not require a high IAL where the relyi...
DIG-RISK-3	Privacy Risk Assessment	Privacy risks associated with identity proofing, authentication, and federation must be assessed and mitigated, with pri...

800-63A

14 controls

Controls in the 800-63A domain of NIST SP 800-63 Digital Identity Guidelines — 14 controls
Code	Title	Description
IAL1-PROOF-1	IAL1 Self-Asserted Attributes	At IAL1, attributes are self-asserted or treated as self-asserted, and identity proofing is not required; collected attr...
IAL2-PROOF-1	IAL2 Identity Evidence Collection	IAL2 requires presentation of identity evidence meeting strength requirements (one strong plus one fair, or two strong)...
IAL2-PROOF-2	IAL2 Identity Resolution	The CSP must resolve the claimed identity to a unique person within the population served, using the minimum attributes...
IAL2-PROOF-3	IAL2 Evidence Validation	Each piece of identity evidence must be validated for authenticity, accuracy, and currency through authoritative sources...
IAL2-PROOF-4	IAL2 Identity Verification	The CSP must verify that the validated identity belongs to the applicant, using biometric comparison or knowledge-based...
IAL2-PROOF-5	IAL2 Remote Proofing Controls	Remote IAL2 proofing must include liveness, address confirmation via enrolment code, and protection of the proofing sess...
IAL2-PROOF-6	Knowledge-Based Verification Restrictions	KBV may only be used as a fallback at IAL2 with question-set, source-diversity, and attempt-limit constraints, and must...
IAL3-PROOF-1	IAL3 In-Person or Supervised Remote	IAL3 requires in-person or supervised remote proofing by a trained operator using approved equipment, with biometric cap...
IAL3-PROOF-2	IAL3 Evidence Strength	IAL3 requires either two pieces of superior evidence, or one superior plus one strong, or two strong if both validated a...
PROOF-BIOMETRIC-1	Biometric Collection at Enrolment	Biometric samples collected during proofing must be of sufficient quality for later re-verification and protected as sen...
PROOF-FRAUD-1	Proofing Fraud Mitigation	CSPs must implement fraud mitigation including device, behavioural, and document-anomaly signals, and must escalate susp...
PROOF-NOTICE-1	Notice to Applicants	Applicants must be given clear notice of what attributes are collected, how evidence is used, retention periods, and con...
PROOF-RECORDS-1	Identity Proofing Record Retention	The CSP must maintain a record of the identity proofing event including evidence, validation, and verification outcomes...
PROOF-TRUSTED-1	Trusted Referee and Applicant References	Where used, trusted referees and applicant references must follow defined processes including referee proofing, training...

800-63B

20 controls

Controls in the 800-63B domain of NIST SP 800-63 Digital Identity Guidelines — 20 controls
Code	Title	Description
AAL1-AUTH-1	AAL1 Single-Factor Authentication	AAL1 requires at least single-factor authentication using any approved authenticator type with replay-resistant protocol...
AAL2-AUTH-1	AAL2 Multi-Factor Required	AAL2 requires two distinct authentication factors using approved cryptographic techniques and replay-resistant protocols...
AAL2-AUTH-2	AAL2 Approved Authenticator Types	AAL2 permits multi-factor OTP, multi-factor cryptographic software or device, or combinations of memorized secret with O...
AAL2-AUTH-3	AAL2 Reauthentication	AAL2 sessions require reauthentication at least every 12 hours or after 30 minutes of inactivity, regardless of session...
AAL3-AUTH-1	AAL3 Hardware Cryptographic Authenticator	AAL3 requires a hardware-based cryptographic authenticator and an authenticator providing verifier impersonation resista...
AAL3-AUTH-2	AAL3 Verifier Compromise Resistance	AAL3 authenticators must resist verifier compromise so that compromise of the verifier does not allow impersonation.
AAL3-AUTH-3	AAL3 Reauthentication	AAL3 sessions require reauthentication at least every 12 hours and after 15 minutes of inactivity using both factors.
AUTH-BIO-1	Biometric Authentication Performance	Biometric authentication may only be used as part of multi-factor authentication, with FMR not greater than 1 in 10,000...
AUTH-EVENT-1	Authentication Event Records	CSPs must log authentication events including success, failure, authenticator binding, and revocation, with retention su...
AUTH-MIN-AGE-1	Subscriber Notification of Changes	Subscribers must be notified of authenticator binding, unbinding, and credential changes through an out-of-band channel.
AUTH-OTP-1	OTP Authenticator Controls	OTP authenticators must use approved cryptographic algorithms, limited OTP lifetime, and rate limiting on verification a...
AUTH-PHISH-1	Phishing Resistance	Verifier impersonation resistance (phishing resistance) is required at AAL3 and recommended at AAL2, typically achieved...
AUTH-RATELIMIT-1	Rate Limiting and Account Lockout	Verifiers must throttle consecutive failed authentication attempts to no more than 100 attempts per 30-day window per ac...
AUTH-REPLACE-1	Authenticator Loss and Replacement	Processes for replacement of lost, stolen, or damaged authenticators must reauthenticate the subscriber at the original...
AUTH-SECRET-1	Memorized Secret Composition	Memorized secrets must be at least 8 characters chosen by subscriber, accept all printable ASCII and Unicode, and not im...
AUTH-SECRET-2	Memorized Secret Breach Check	When users set or change a memorized secret, verifiers must compare it against a blocklist of commonly used, expected, o...
AUTH-SECRET-3	Memorized Secret Storage	Memorized secrets must be salted, hashed with an approved one-way function, and stretched using a memory-hard or iterati...
AUTH-SESSION-1	Session Binding	Session secrets must be bound to the authenticated entity, generated by the verifier, of sufficient entropy, and protect...
AUTH-SMS-1	SMS OTP Restricted Use	SMS-based out-of-band authentication is a restricted authenticator; the organisation must document the risk acceptance a...
AUTH-THREAT-1	Threat Model Coverage Per AAL	Authenticators must resist threats appropriate to the AAL including theft, duplication, eavesdropping, replay, side chan...

800-63C

12 controls

Controls in the 800-63C domain of NIST SP 800-63 Digital Identity Guidelines — 12 controls
Code	Title	Description
FAL1-FED-1	FAL1 Bearer Assertions	FAL1 permits bearer assertions signed by the IdP, transmitted directly to the RP over TLS, without proof of possession.
FAL2-FED-1	FAL2 Encrypted Assertion	FAL2 requires bearer assertions to be encrypted to the relying party so that only the RP can decrypt them.
FAL3-FED-1	FAL3 Holder-of-Key Assertion	FAL3 requires the subscriber to prove possession of a cryptographic key referenced in the assertion, binding the asserti...
FED-AGREE-1	Trust Agreement Between IdP and RP	A written trust agreement must exist between IdP and RP covering attributes, assurance levels, retention, breach notific...
FED-ASSERT-1	Assertion Content Requirements	Assertions must include issuer, subject, audience, issuance and expiration timestamps, authentication time, AAL and IAL...
FED-ATTR-1	Attribute Minimisation in Assertions	Assertions must include only attributes necessary for the RP's purpose, and may use attribute references or derived attr...
FED-KEY-1	Cryptographic Key Management for Federation	IdP signing and encryption keys must be managed in accordance with approved cryptography, rotated, and revoked when comp...
FED-LOG-1	Federation Audit Logging	IdPs and RPs must log federation events including assertion issuance, validation, attribute release, consent, and errors...
FED-PROXY-1	Federation Proxies	When a federation proxy is used, both legs of the federation must independently meet the required FAL, and the proxy mus...
FED-PSEUDO-1	Pseudonymous Identifiers	Where the RP does not require an identified subscriber, the IdP must support pairwise pseudonymous identifiers to preven...
FED-RP-1	Relying Party Validation Obligations	RPs must verify assertion signatures, audience, expiration, replay protection, and that the asserted IAL and AAL meet th...
FED-RUNTIME-1	Runtime Subscriber Decision	When required by policy or law, the IdP must obtain a positive runtime decision from the subscriber for the release of a...

Frequently Asked Questions

What is NIST SP 800-63 Digital Identity Guidelines?

NIST SP 800-63 Digital Identity Guidelines is a compliance framework from United States with 4 domains and 49 controls. NIST SP 800-63-3 + 800-63A/B/C Digital Identity Guidelines (IAL/AAL/FAL assurance levels). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-63 Digital Identity Guidelines have?

NIST SP 800-63 Digital Identity Guidelines has 49 controls organised across 4 domains. The largest domains are 800-63B (20 controls), 800-63A (14 controls), 800-63C (12 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-63 Digital Identity Guidelines map to?

NIST SP 800-63 Digital Identity Guidelines does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with NIST SP 800-63 Digital Identity Guidelines compliance?

Start your NIST SP 800-63 Digital Identity Guidelines compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-63 Digital Identity Guidelines requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 49 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required