API Marketplace

Solutions

Resources

Our Company

Book a Demo

← Back to Glossary

NIST SP 800-63 Identity Guidelines

Global2017Cybersecurity

Overview

NIST SP 800-63 is a set of digital identity guidelines issued by the U.S. National Institute of Standards and Technology (NIST), with its latest version adopted in 2017 and updated through Revisions 3 and 4. The framework outlines requirements for identity proofing, authentication, and credential lifecycle management across federal agencies, financial institutions, healthcare organizations, and technology vendors.

The guideline is divided into four sections: 800-63 (overview), 800-63A (identity proofing), 800-63B (authentication), and 800-63C (federation and assertions). It introduces three risk-based levels IAL (Identity Assurance), AAL (Authenticator Assurance), and FAL (Federation Assurance) to determine the strength of identity systems. Though not legally binding, it is mandatory for U.S. federal agencies under OMB M-19-17 and supports implementation of the Federal Identity, Credential, and Access Management (FICAM) architecture.

Key Obligations

Follow identity proofing requirements defined in 800-63A
Implement authentication controls per 800-63B based on AAL risk level
Apply federation and assertion protocols using 800-63C when applicable

Ensure compliance with OMB M-19-17 for federal digital services
Use multi-factor authentication for moderate or high-risk services

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Identity Verification

Use facial match and liveness checks paired with government ID verification to validate users while onboarding.

AML Screening

Screen users against Politically Exposed Persons (PEP), watchlists, sanctions lists, adverse media, and more through one-time screening and advanced monitoring.

Transaction Monitoring

Monitor transactions in real-time and analyse past behaviour to identify suspicious activities and ensure regulatory compliance across the user journey.

Related Regulations

Identity Theft Red Flags Rule

GLBA Safeguards Rule Compliance

FIDO WebAuthn Authentication Standard

FAQ

Is NIST SP 800-63 legally required for private companies?

No. It is required for U.S. federal agencies but widely adopted by private entities as a best-practice framework.

What do IAL, AAL, and FAL stand for?

They stand for Identity Assurance Level, Authenticator Assurance Level, and Federation Assurance Level, used to assess identity system strength.

Who enforces compliance with NIST 800-63 for federal agencies?

The Office of Management and Budget (OMB) enforces it under memorandum M-19-17.

What types of businesses should follow NIST SP 800-63?

Financial institutions, healthcare providers, government contractors, and identity tech vendors often follow the standard to align with federal practices.