NIST SP 800-63 Identity Guidelines

Global

2017

Cybersecurity

Overview

NIST SP 800-63 is a set of digital identity guidelines issued by the U.S. National Institute of Standards and Technology (NIST); its latest version was adopted in 2017 and has since been updated through Revisions 3 and 4. The framework sets out requirements for identity proofing, authentication, and credential lifecycle management, and is used by federal agencies, financial institutions, healthcare organizations, and technology vendors.
The guideline is divided into four volumes: 800-63 (overview), 800-63A (identity proofing), 800-63B (authentication), and 800-63C (federation and assertions). It defines three risk-based assurance categories: IAL (Identity Assurance Level), AAL (Authenticator Assurance Level), and FAL (Federation Assurance Level), each used to determine how strong a given part of an identity system must be. Although it is not legally binding on its own, it is mandatory for U.S. federal agencies under OMB M-19-17 and underpins implementation of the Federal Identity, Credential, and Access Management (FICAM) architecture.

Key Obligations

  • Follow identity proofing requirements defined in 800-63A
  • Implement authentication controls per 800-63B based on AAL risk level
  • Apply federation and assertion protocols using 800-63C when applicable
  • Ensure compliance with OMB M-19-17 for federal digital services
  • Use multi-factor authentication for moderate or high-risk services

FAQ

Is NIST SP 800-63 legally required for private companies?

No. It is required for U.S. federal agencies but widely adopted by private entities as a best-practice framework.

What do IAL, AAL, and FAL stand for?

They stand for Identity Assurance Level, Authenticator Assurance Level, and Federation Assurance Level, used to assess identity system strength.

Who enforces compliance with NIST 800-63 for federal agencies?

The Office of Management and Budget (OMB) enforces it under memorandum M-19-17.

What types of businesses should follow NIST SP 800-63?

Financial institutions, healthcare providers, government contractors, and identity tech vendors often follow the standard to align with federal practices.