A minor plot twist: Comment period extended for PART of SP 800-63-3

Let’s get this out of the way right up front: this is not an early April Fools Day prank!

Granted, government blogs aren’t the typical medium for getting emotional. But we (Paul and Mike), and the rest of our incredible team at NIST, have truly been moved by the support, encouragement, and engagement you’ve provided as we embarked simultaneously on this major update to the document and – perhaps even bigger – updating our community engagement process to achieve a better result on this document.

We have received your feedback during the open comment period for draft Special Publication (SP) 800-63-3: Digital Identity Guidelines and can’t thank you enough. While we still have many comments to resolve, the feedback we’ve received has been very positive overall. Thanks to your help, we are very close – and will close the comment period as scheduled. Sort of…

But wait, there’s more!

In consultation with the White House Office of Management and Budget, we developed an approach to include normative guidelines to manage digital identity risk directly into SP 800-63-3. Over the years, many of you have asked for a more consistent approach to risk assessment and associated technical risk mitigation guidance. The changes in this update made this request even more important. We’re extremely grateful for our collaborative relationship with OMB, which enabled us to respond to you and better serve agency and industry needs. We believe this change will make digital identity management simpler for agency officials, mission owners, and implementers alike. But – consistent with the approach we’ve taken with this update so far – we need your feedback to know if we got it right. To that end, we are extending the comment period for the 800-63-3 volume only until for 30 days, closing on May 1^st.  

Let’s summarize:

• We are closing the comment period as scheduled for 800-63A, 800-63B, and 800-63C. Pending comment resolution, we believe these documents are sufficiently stable to finalize.
• We’re extending the comment period for the parent volume only, SP 800-63-3, until May 1^st.
• Today, we updated the SP 800-63-3 volume on GitHub and in CSRC. The new version is now available and ready for your feedback.
• We expect to finalize and issue all four volumes together.
• We will still adjudicate the comments received on SP 800-63-3, though some will no longer apply to the new version. On GitHub, if you’ve already commented or opened any issue, no need to do so again. Once the issue is closed, we encourage you to check the disposition to make sure we didn’t miss something in the version change.
• If there are flow-down changes into the other volumes, we’ll address them when SP 800-63-3 stabilizes.
• If something wild happens (not like wild wild…more like identity management standards wild) we’ll assess whether the flow-down changes warrant reopening other volumes, but we don’t anticipate that happening.

And some special notes on the updated version of SP 800-63-3:

• We ask that you review this document on its merits and do not comment on potential conflicts with existing guidance; we are working with our federal partners to address any such conflicts before finalizing.

• This volume now contains both normative and informative sections.
• We’ve incorporated guidelines for supporting the risk assessment process of digital applications.
• The entire volume is open for comment.

Please check out the updated parent document — and dig-comments [at] nist.gov (reach out) to us if you have questions. You can also submit comments the old-fashioned way, via dig-comments [at] nist.gov (email). Sorry we’re not accepting comments the old-old fashioned way or the old-old-old fashioned way of fax and post, respectively. Though singing telegrams won’t be turned away.

Follow us on Twitter for updates and reminders to submit feedback on SP 800-63-3, as well as to engage with all our other efforts.