February 15, 2023 By Sue Poremba 4 min read

One of this year’s biggest positive cybersecurity events comes from the National Institute of Standards and Technology (NIST). For the first time since 2017, NIST is updating its digital identity guidelines.

These new guidelines will help set the course for best practices in handling digital identity for organizations across all sectors.

What is digital identity?

To grasp the update’s importance, it helps to understand the role of digital identity in an organization’s security posture.

In its 2017 guidelines, NIST defines digital identity as the online persona of a subject and how that subject is represented online, adding, “Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts.”

The security risk around digital identities stems from verification. In real life, you can hand over your picture ID and prove your identity. For a long time, there was no way to offer up proof in online interactions. The business or person on the other end of the transaction simply had to trust you were who you said you were. This created an environment that made identity theft and impersonation easy.

The role of biometrics

The 2017 version of NIST’s Digital Identity Guidelines established how proof of digital identity should work. The guidelines relied on a range of familiar authenticators, like passwords and MFA. They also touched on biometrics, both physical and behavioral, as a way to prove digital identity. But in 2017, the guidelines only supported limited use of biometrics, on the grounds that some biometric traits could be spoofed or captured without authorization, like a photo taken and posted without permission.

Facial recognition, which helps streamline identity authentication, mixes human identification with digital identification. This ensures, for example, that the person walking through airport security matches their digital identities stored electronically through various networks. NIST conducted research after the 2017 guidelines were released and found facial recognition algorithms offer highly accurate (99.5%) identification, especially if there are multiple photographs or digital facial identities to use.

The proposed guidelines will update the use of facial recognition while downgrading the use of biometrics from the 2017 version. Biometrics won’t be required in low-risk situations, FCW reported, but will have performance requirements when used for proving identity.

“This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines,” Jason Miller, deputy director for management at the Office of Management and Budget, stated in a NIST news release.

The goal of these new performance changes is to cut down on common cyber risks like phishing and fraud. They also aim to bring greater emphasis to the processes around multi-disciplinary risk management and improve the best practices around digital identity information sharing between government agencies and other entities.

Who will the new NIST guidelines impact?

NIST guidelines have become the standard for federal government agencies, federal contractors and companies within the federal supply chain. These entities must follow the compliance requirements outlined in all NIST guidelines, including those for digital identity.

The NIST framework already covers a lot of organizations, especially those that are third-party subcontractors for federal contractors. For those not connected to the federal government, however, NIST guidelines are not a requirement. Still, many companies find that the NIST framework offers direction for implementing best security practices.

Modern consumers are growing more aware of the need for organizations to have solid cybersecurity policies and platforms. In addition, they are increasingly frustrated with how poorly companies protect their personal digital identities.

The new NIST guidelines will update its digital identity risk management model, which integrates digital identity risk with overall organizational risk management. In addition, they will address an area of biometric digital identity that most organizations have struggled with – discrepancies in facial recognition software.

The trouble with facial recognition software

Both government and private industries have been collecting and using facial images for years. However, critics of facial recognition technology accuse it of racial, ethnic, gender and age-based biases, as it struggles to properly identify people of color and women. When its algorithms misidentify people, a technology meant to add security instead adds risk and perpetuates discrimination.

The updated NIST digital guidelines will directly address the struggles of facial recognition in particular, and biometrics overall.

“The forthcoming draft will include biometric performance requirements designed to make sure there aren’t major discrepancies in the tech’s effectiveness across different demographic groups,” FCW reported. Rather than depend on digital photos for proof, NIST will add more options to prove identity.

Lowering risk is as important to private industries as it is to federal agencies. Therefore, it would behoove enterprises to take steps to rethink their identity proofing.

Feedback on the new digital guidelines

The new NIST digital guidelines likely won’t go into effect until 2024. In the meantime, NIST is looking for feedback by email ([email protected]) on the proposed guideline changes until March 24, 2023.

NIST particularly wants feedback on identity proofing that offers both security and convenience to the user without a facial recognition component, as well as the requirements around establishing and maintaining fraud detection.

Users will state how they wish to entrust their digital identity — or even which identities they want to be protected. There are concerns within the security and technology industry regarding how this guideline can be implemented. Control over OAuth tokens and the data they carry is another question that has come up.

“Identity doesn’t operate in a vacuum,” Ryan Galluzzo, digital identity program lead for the applied cybersecurity division at NIST, told FCW.

The standards that worked in 2017 no longer meet the evolving needs of digital identity. The new NIST Digital Identity Guidelines will bring digital identity security in line with any changes in overall risk management to the benefit of all.
