Is NIST SP 800-63 legally required for private companies?

No. It is required for U.S. federal agencies but widely adopted by private entities as a best-practice framework.

What do IAL, AAL, and FAL stand for?

They stand for Identity Assurance Level, Authenticator Assurance Level, and Federation Assurance Level, used to assess identity system strength.

Who enforces compliance with NIST 800-63 for federal agencies?

The Office of Management and Budget (OMB) enforces it under memorandum M-19-17.

What types of businesses should follow NIST SP 800-63?

Financial institutions, healthcare providers, government contractors, and identity tech vendors often follow the standard to align with federal practices.

NIST SP 800-63 Identity Guidelines

Global

2017

Cybersecurity

Overview

NIST SP 800-63 is a set of digital identity guidelines issued by the U.S. National Institute of Standards and Technology (NIST), with its latest version adopted in 2017 and updated through Revisions 3 and 4. The framework outlines requirements for identity proofing, authentication, and credential lifecycle management across federal agencies, financial institutions, healthcare organizations, and technology vendors.

The guideline is divided into four sections: 800-63 (overview), 800-63A (identity proofing), 800-63B (authentication), and 800-63C (federation and assertions). It introduces three risk-based levels IAL (Identity Assurance), AAL (Authenticator Assurance), and FAL (Federation Assurance) to determine the strength of identity systems. Though not legally binding, it is mandatory for U.S. federal agencies under OMB M-19-17 and supports implementation of the Federal Identity, Credential, and Access Management (FICAM) architecture.

Key Obligations

Follow identity proofing requirements defined in 800-63A
Implement authentication controls per 800-63B based on AAL risk level
Apply federation and assertion protocols using 800-63C when applicable

Ensure compliance with OMB M-19-17 for federal digital services
Use multi-factor authentication for moderate or high-risk services

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Identity Verification

Use facial match and liveness checks paired with government ID verification to make sure the person holding the document is the person you're onboarding.

AML Screening

Comprehensive Anti-Money Laundering screening solutions to detect and prevent financial crimes through advanced monitoring and compliance tools.

Transaction Monitoring

Real-time transaction monitoring and analysis to identify suspicious activities and ensure regulatory compliance across all financial operations.