
Identity and Access Management at NIST: A Rich History and Dynamic Future

Celebrating 50 years of Cybersecurity at NIST

Digital identity for access control is a fundamental and critical cybersecurity capability that ensures the right people and things have the right access to the right resources at the right time. NIST has a rich history in digital identity standardization spanning more than 50 years. We have conducted research, developed prototypes and reference implementations, and supported pilots to better understand new and emerging technologies that inform our digital identity standards, guidelines, and resources. NIST also participates in and leads the development of national and international standards, guidance, best practices, profiles, and frameworks to create an enhanced, interoperable digital identity and access management ecosystem.

Passwords as the Beginning

Before most people had ever used a computer, the National Bureau of Standards (NBS, renamed NIST in 1988) was developing guidelines and standards for using automation to identify computer users and limit their access to information, in other words, user authentication. By the mid-1980s, passwords were widely used, and in 1985 the Bureau released a comprehensive standard on passwords, Federal Information Processing Standard (FIPS) 112, Password Usage. FIPS 112 covered not only password characteristics (e.g., composition, length, lifetime, and sources) but also their management and usage (e.g., secure storage, distribution to users, communication, and time between authentications). Concepts found in the 1985 standard are still familiar today, such as password strength, one-time passwords, and limits on failed login attempts.

Smart Cards / Token-Based Authentication

Recognizing a need for stronger authentication mechanisms as alternatives to passwords, NIST started work on smart cards in the late 1980s, and our Data Encryption Standard (DES) was used on a cryptographic token to create the Token Based Access Control System (TBACS). Expanding further, NIST put standard cryptographic algorithms for authentication (DES and RSA) onto smart cards. The challenge of managing symmetric keys on a large scale, where every pair of communicating parties needs its own shared secret, led to an increased focus on public key cryptography following the standardization of the Digital Signature Standard (DSS) as FIPS 186 in 1994. NIST was instrumental in developing the foundational standards, architectures, and specifications that drove early implementations of the public key infrastructure components critical to the adoption and use of public key cryptography in the federal government. In the late 1990s, NIST led the government's work on defining smart card interoperability technical specifications and standards, which resulted in the Government Smart Card Interoperability Specification (GSC-IS) and established the framework for smart cards to work in an open environment.

Personal Identity Verification (PIV)

The year 2004 marked the inception of Personal Identity Verification (PIV) credentials. It began with Homeland Security Presidential Directive 12 (HSPD-12), which established the requirement for a common identification standard for federal employees and contractors. NIST immediately began developing the standard for the PIV card: security and privacy requirements for issuing organizations, and detailed technical specifications of the components and processes needed for government-wide interoperable use of PIV cards in authentication, access control, and PIV card management. The next tasks were to complete the publications supporting the standard, produce and issue the first PIV cards, establish a program for PIV product validation, and provide PIV reference implementations. Today, the set of PIV credentials can accommodate a diverse and growing set of user device platforms, with interoperability across the federal government achieved via federation.

Digital Identity Guidelines

In the early 2000s, NIST supported the Office of Management and Budget (OMB) in developing guidance (OMB M-04-04) on electronic authentication ("e-authentication") to assist federal agencies in selecting authentication processes that provide the appropriate level of assurance for particular use cases. NIST staff and OMB were also working together on Special Publication (SP) 800-63, originally titled Electronic Authentication Guideline, to complement OMB M-04-04 and provide e-authentication guidelines with specific technical requirements for each assurance level. These guidelines are targeted not only at internal federal agency purposes but also at public-facing federal agency applications. Over the years, NIST built on the foundation of the e-authentication program, incorporating lessons learned from industry adoption of new technologies. The latest revision of SP 800-63, now named Digital Identity Guidelines, provides a risk management framework for identifying digital identity needs and establishes a graduated set of controls for identity proofing and enrollment, authentication, and federation of digital identities across identity domains. The guidelines serve as the standard for digital identity management for federal agencies providing online services, transactions, and applications to the public. The Digital Identity Guidelines have been broadly adopted by industry and internationally.

National Strategy for Trusted Identities in Cyberspace (NSTIC)

In April 2011, President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC), which called for the public and private sectors to collaborate on the creation of an "Identity Ecosystem." This ecosystem would enable individuals to choose from multiple identity providers and digital credentials for more convenient, secure, and privacy-enhancing transactions anywhere online. The NSTIC objective was to advance four guiding principles for all identity solutions: (1) privacy-enhancing and voluntary, (2) secure and resilient, (3) interoperable, and (4) cost-effective and easy to use. NIST established the NSTIC Program Office to administer 15 pilot programs that advanced the guiding principles, and to establish and lead the Identity Ecosystem Steering Group (IDESG) in developing and implementing the Identity Ecosystem Framework. The NSTIC program and pilots demonstrated identity solutions that promoted the guiding principles and advanced key initiatives, including the adoption of multi-factor authentication, the implementation of mobile driver's licenses, and the foundation for privacy engineering in identity solutions. The lessons learned drove industry adoption of new technologies and continue to inform NIST standards and guidelines on digital identity.

National Cybersecurity Center of Excellence (NCCoE)

The National Cybersecurity Center of Excellence (NCCoE) was formed in 2012 to create practical, standards-based solutions that organizations of all types and sizes can use to protect their assets, people, and data. Since its inception, the NCCoE has collaborated with several communities to provide guidance on digital identity management, including the financial sector, the energy sector, public safety communities, and e-commerce. For each project, the NCCoE designed and implemented a standards-based architecture in the NCCoE lab environment using commercially available technology and published standards. This applied work feeds directly into the guidance the NCCoE publishes and acts as a feedback loop for standards bodies and commercial technology providers. In this way the NCCoE has demonstrated a myriad of standards-based identity concepts, including multifactor authentication using FIDO protocols, single sign-on using OAuth 2.0, and identity federation using OpenID Connect 1.0 and SAML 2.0. Currently the NCCoE is working with industry to demonstrate zero trust architectures, which rely upon many of these digital identity principles.

Where We Are Heading

An increasing part of our personal and professional lives relies on digital services, the value of which was emphasized throughout the pandemic. State and federal agencies increasingly turned to the Internet to provide critical government services, and remote work and online collaboration tools have become part of everyday life for many Americans. Digital identity is a critical technology for enabling, delivering, and supporting these services. While digital identity services and technologies have come a long way since NIST's early work on passwords in the 1980s, the experience of the pandemic has highlighted some of the remaining challenges in ensuring these technologies can meet security and privacy needs while maintaining equitable access to important government services. Today, we are building on our rich history in identity and access management to identify new technologies, processes, and considerations for providing digital identity services in a private and equitable manner.

About the author

Nelson Hastings

Nelson Hastings is the leader of the Cybersecurity and Privacy Applications Group of the Applied Cybersecurity Division within NIST's Information Technology Laboratory. Over his 20-plus years at NIST, he has worked in the areas of public key infrastructure, cryptographic module validation, and cybersecurity for public safety communications, voting systems, and the smart grid. His group's portfolio includes NIST's privacy engineering program, small business cybersecurity outreach, digital identity guidance, and cybersecurity for public safety communications, voting systems, industrial control systems, the internet of things, and the smart grid.

Andrew Regenscheid

Andrew Regenscheid is a project lead for applied cryptography within the Computer Security Division at NIST. In his 15 years as part of the Cryptographic Technology Group, Andrew has worked to apply cryptographic algorithms and tools to improve the security of computer platforms, communication protocols, and authentication mechanisms. As the technical lead for the Personal Identity Verification standards program, Andrew is responsible for developing identity management standards and technical guidelines for federal government employees and contractors, while also contributing to NIST's broader portfolio of digital identity guidance as a coauthor of NIST SP 800-63.

David Temoshok

David Temoshok currently serves as Senior Advisor for Applied Cybersecurity at the National Institute of Standards and Technology. In this capacity, Mr. Temoshok is responsible for the development and implementation of United States national and international standards for secure identity and authentication assurance, including NIST Special Publication 800-63-3, Digital Identity Guidelines, and associated international standards that promote secure, privacy-enhancing online services on national and global scales.

Bill Fisher

Bill Fisher is a security engineer at the National Cybersecurity Center of Excellence (NCCoE). In this role, he is responsible for leading a team of engineers that works collaboratively with industry partners to address cybersecurity business challenges facing the nation. He led the center's Attribute Based Access Control (ABAC) project and was a member of the ITL Cybersecurity for IoT program. He leads the NCCoE Public Safety and Data Security programs and is a member of the NCCoE ransomware team. Recently he joined as co-lead on the NCCoE mobile driver's license (mDL) project.
