NIST discusses new section on VCs and mDLs, timeline for digital ID updates

Digital identity guidelines from the U.S. National Institute of Standards and Technology are changing, and the agency held an event this week to advance its dialogue with stakeholders from the public and private sector on what exactly they should be.

In addition to reviewing the development of NIST’s updated Digital Identity Guidelines, officials summarized the feedback received during the comment period and provided details like the new target date for the final publication of the revisions.

NIST received over 3,800 comments to its Revision 4 draft of the guidelines, and more than 130 responses, which Kevin Stone, chief of the applied cybersecurity division characterized as “the start of the discussion.” Just over two-third of those comments came from the private sector.

David Temoshok noted that the initial comment period in 2020 provided feedback on the 2017 version of the guidelines, and recommendations on changes to include in the revisions. Discussions with industry and government agencies are ongoing, he says.

The changes are generally intended to improve equitability, emphasize options and individual choice, deter phishing, fraud, and advanced threats, and include the experience of real-world implementations. They also highlight multi-disciplinary risk management processes and clarify a few points.

Temoshok reviewed how NIST handles the comments it receives, and arranges them to inform changes to the text.

The greatest volume of comments, by far, were for NIST SP 800-63A, so the likely next stage for that document is a second public comment period. Same goes for the Base Volume. NIST plans to release a final version of the SP 800-63B revision next, while the next step for SP 800-63C is yet to be decided.

“There weren’t a lot of changes in volume B to start off with,” Temoshok explains.

For volume C, NIST specifically wanted to know if the implementation of Verifiable Credentials and mobile driver’s licenses were adequately dealt with. The overwhelming answer was “no,” leading to the creation of a new section.

NIST intends to make publication decisions by the end of this year, and release the new versions in the second quarter of calendar 2024.

Article Topics

digital identity  |  mDL (mobile driver's license)  |  NCCoE  |  NIST  |  standards  |  verifiable credentials