Framework

NIST SP 800-63
Digital Identity Guidelines: IAL, AAL, FAL, and the operating record

NIST Special Publication 800-63 is the United States federal reference for digital identity. The current edition (NIST SP 800-63-3) is a four-volume suite covering the overall framework (800-63-3), enrolment and identity proofing (800-63A), authentication and lifecycle management (800-63B), and federation and assertions (800-63C). NIST SP 800-63-4 has been published in draft form and is moving through public review. The framework names three independent assurance dimensions: identity assurance level (IAL) for how confidently a real-world identity is bound to an account, authenticator assurance level (AAL) for how robustly an authentication event proves the claimant controls the authenticator, and federation assurance level (FAL) for how trustworthy the federated assertion that carries the identity between systems is. SecPortal operates an 800-63 evidence pack as one structured engagement record carrying the policy, the Digital Identity Acceptance Statement, the authenticator inventory per AAL level, the proofing record per IAL level, the federation assertion record per FAL level, the lifecycle event trail, and the audit-grade evidence the rest of the identity and access programmes read against.

Get Started Free

No credit card required. Free plan available forever.

NIST SP 800-63 explained for enterprise identity teams

For internal security teams, identity and access management (IAM) teams, AppSec teams, product security teams, GRC and compliance teams, security engineering teams, security architects, CISOs and security directors, federal agencies, federal contractors, FedRAMP-authorised cloud service offerings, state and local government, and enterprise SaaS providers carrying customer identity at scale, NIST 800-63 is the load-bearing reference the per-application identity assurance choices read against. The framework is technology-neutral, vendor-neutral, and structurally durable; programmes adopt it as the identity discipline reference even when they are not directly subject to federal authorisation requirements.

This page covers the three assurance dimensions, the authenticator catalogue, the proofing discipline, the federation discipline, the evidence pack, the failure modes, and where NIST 800-63 sits alongside NIST SP 800-53 IA family, NIST CSF 2.0 PR.AA, ISO/IEC 27001 Annex A 5.16 to 5.18 and 8.5, SOC 2 CC6.1, PCI DSS Requirement 8, HIPAA Security Rule 164.312(d), and the FedRAMP Digital Identity Acceptance Statement requirements. Programmes that adopt NIST 800-63 as the identity reference read cleanly into every adjacent regime without rebuilding the identity evidence pack per audit.

Eight load-bearing principles of the digital identity discipline

NIST 800-63 is structured around three independent assurance dimensions and a set of operating principles that turn the IAL, AAL, and FAL choices into a continuous operating record. The eight principles below are the load-bearing orientations the rest of the framework reads against. Programmes that adopt them as the operating posture produce evidence that survives federal authorisation, regulator examination, and audit examination; programmes that treat them as text in a policy document produce an identity posture that ages out within the first cycle.

Three independent assurance dimensions

NIST 800-63 separates identity assurance level (IAL, how confidently the real-world identity is bound to the account), authenticator assurance level (AAL, how robustly an authentication event proves the claimant controls the authenticator), and federation assurance level (FAL, how trustworthy the federated assertion that carries the identity between systems is). The three dimensions are independent. A consumer-grade subscription site running IAL1 with AAL2 is a coherent posture; a federal benefit application running IAL2 with AAL1 is not. Programmes that conflate the three lose the discipline the standard depends on.

Risk-based level selection

The standard does not name a default level. It expects each application owner to perform a digital identity risk assessment (DIRA) against the impact categories the application sits inside (inconvenience, financial loss, harm to programmes, unauthorised information release, civil or criminal violations, personal safety), choose the IAL, AAL, and FAL levels that mitigate the identified risk, and record the decision in a Digital Identity Acceptance Statement. Programmes that promote AAL across the estate without IAL-side analysis produce strong authentication of weakly bound identities.

Authenticator catalogue with explicit AAL eligibility

NIST 800-63B catalogues nine authenticator types (memorised secret, look-up secret, out-of-band, single-factor OTP device, multi-factor OTP device, single-factor cryptographic software, multi-factor cryptographic software, single-factor cryptographic device, multi-factor cryptographic device) and names which combinations satisfy AAL1, AAL2, and AAL3. The catalogue is the structural input the authenticator inventory reads against; programmes that promote AAL without naming the underlying authenticator type produce a target without a concrete operating record.

Verifier requirements as load-bearing controls

The verifier (the system performing authentication) carries a set of load-bearing requirements: replay resistance (each authentication event uses fresh material), verifier impersonation resistance at AAL3 (the verifier cannot be impersonated), throttling and rate-limiting against online guessing, account lockout against credential stuffing, and protected channels for assertion transmission. Programmes that issue strong authenticators without enforcing verifier requirements produce an authentication posture that depends on the authenticator alone rather than on the system as a whole.

Reauthentication and session management per AAL

Each AAL carries its own reauthentication window and session inactivity timeout. AAL1 permits 30 days. AAL2 requires reauthentication after 12 hours or 30 minutes of inactivity. AAL3 requires reauthentication after 12 hours or 15 minutes of inactivity. The session promotion at the verification event decays with time; programmes that promote sessions without enforcing the expiry produce a posture that holds at the moment of authentication and erodes between accesses.

Identity proofing with explicit evidence taxonomy

NIST 800-63A names three evidence strengths (fair, strong, superior), six validation methods, and three verification methods. IAL2 requires two pieces of strong evidence or one piece of strong plus two of fair, validated against authoritative sources, and verified through a remote or in-person process. IAL3 requires the same against in-person or supervised remote proofing with biometric verification. The proofing record is the per-subscriber artefact the audit reads against, with named operator, named evidence, named validation, and named outcome.

Federation as a distinct discipline

NIST 800-63C treats federation as a separate discipline rather than as an authentication detail. The FAL choice names the assertion protection level (signed at FAL1, encrypted or confidential channel at FAL2, holder-of-key at FAL3). The federation agreement names the trust framework, the attribute set shared, the subject identifier shape, the retention expectations, the assertion lifecycle, and the relying party obligations. Programmes that operate federation without naming FAL produce assertions that float free of the trust framework.

Lifecycle events recorded against the subscriber account

The subscriber account lifecycle covers enrolment, authenticator binding, rebinding, suspension, revocation, account recovery, password reset, and account closure. Each event is recorded against the subscriber account with named actor, named decision, named evidence, and named effective date. Programmes that issue authenticators without operating the lifecycle produce a stale credential register that diverges from the live identity record within the first year.

The three assurance levels: IAL, AAL, and FAL

NIST 800-63 separates identity assurance from authentication assurance from federation assurance. The three dimensions are independent and chosen against the digital identity risk assessment per application. The level catalogue below is the structural input the Digital Identity Acceptance Statement reads against. Programmes choose the levels per application, per user population, and per identity-related risk profile; the framework does not name a default and does not name a single estate-wide level.

IAL1 (no identity proofing required)

IAL1 does not require linking the subscriber account to a specific real-world identity. The application accepts self-asserted identity attributes. IAL1 is the appropriate choice for public-facing applications where the impact of incorrect identity binding is low (newsletter subscription, anonymous feedback, low-risk consumer accounts). Programmes operating IAL1 do not produce identity proofing records; the AAL discipline still applies to the authenticator binding.

IAL2 (remote or in-person proofing against authoritative sources)

IAL2 requires identity proofing where the applicant presents identity evidence (drivers licence, passport, government-issued identification) of fair, strong, or superior quality, validated against authoritative sources (issuing authority, credit reference, electronic record verification), and verified through a remote or in-person process. IAL2 is the typical choice for federal benefit applications, regulated industries, and applications carrying moderate impact. The proofing record carries the evidence type, validation method, verification operator, and outcome.

IAL3 (in-person or supervised remote proofing with biometric)

IAL3 requires in-person or supervised remote identity proofing with a biometric verification step performed under operator supervision. IAL3 is the appropriate choice for high-impact applications (law enforcement systems, classified-handling systems, federal benefit applications carrying high impact). The supervised remote proofing flow requires a live operator, a verified credential service provider, and biometric capture under operator supervision.

AAL1 (single-factor authentication permitted)

AAL1 permits a single authentication factor (memorised secret) with replay resistance from the verifier. The single-factor option permits no second factor and provides the lowest authentication assurance the standard recognises. AAL1 is the appropriate choice for low-impact applications where the loss of authentication does not produce material harm. The 30-day reauthentication window applies.

AAL2 (two distinct factors, replay-resistant)

AAL2 requires two distinct authentication factors with replay-resistant authenticators. The typical combination pairs a memorised secret with an OTP device, an out-of-band authenticator, or a cryptographic authenticator. AAL2 is the typical choice for applications carrying moderate impact and is the level SecPortal MFA enforcement promotes sessions to. The 12-hour reauthentication window and the 30-minute inactivity timeout apply.

AAL3 (hardware-based, phishing-resistant)

AAL3 requires hardware-based authentication with verifier impersonation resistance (phishing resistance). The typical combination pairs a memorised secret with a multi-factor cryptographic device, or uses a multi-factor cryptographic device alone with biometric activation. FIDO2 hardware security keys, smart cards, and PIV cards satisfy AAL3. The 12-hour reauthentication window and the 15-minute inactivity timeout apply. AAL3 is the appropriate choice for high-impact applications where verifier impersonation resistance is required.

FAL1 (signed assertion over protected channel)

FAL1 requires the federation assertion to be signed by the identity provider and transmitted over a protected channel between the IdP and the relying party. The assertion signature evidences the IdP authorship; the protected channel evidences the transmission integrity. FAL1 is the appropriate choice when the assertion does not carry sensitive attributes beyond the subscriber identifier and the protected channel is sufficient to prevent disclosure.

FAL2 (encrypted assertion or confidential channel)

FAL2 adds either an encrypted assertion (the assertion content is encrypted to the relying party so an intermediary cannot read it) or a confidential channel between the IdP and the RP (a private connection without an intermediary). FAL2 is the appropriate choice when the assertion carries sensitive attributes (entitlements, personally identifying information beyond a subscriber identifier).

FAL3 (holder-of-key cryptographic binding at the RP)

FAL3 adds proof-of-possession of a holder-of-key cryptographic key at the relying party. The subscriber proves control of a cryptographic key bound to the assertion; the relying party verifies the binding. FAL3 is the appropriate choice for the highest-impact federated systems where the assertion alone is not sufficient evidence of identity even with encryption and protected channels.

The authenticator catalogue and AAL eligibility

NIST 800-63B catalogues nine authenticator types and names which combinations satisfy AAL1, AAL2, and AAL3. The catalogue is the structural input the authenticator inventory reads against. Programmes that promote AAL without naming the underlying authenticator type produce a target without a concrete operating record; the catalogue turns the AAL choice into named, auditable, and replaceable hardware or software components.

Memorised secret. A user-chosen secret string (password, passphrase, PIN). Memorised secrets satisfy AAL1 alone and AAL2 when paired with a second factor. NIST 800-63B explicitly recommends against arbitrary periodic password rotation and requires rotation on evidence of compromise. The standard names minimum length (eight characters at AAL1, six for PIN), banned-password list checking against common dictionaries, breach-corpus comparison, and rate-limiting to prevent online guessing.
Look-up secret. A pre-issued grid of one-time use codes (printed card, scratch list). Each code is used once and then crossed off the list. Look-up secrets satisfy AAL2 when paired with a memorised secret. The standard names minimum entropy per code (20 bits at AAL2), expiry, and the binding event between the look-up secret and the subscriber account.
Out-of-band (OOB) authenticator. A separate communication channel (SMS, voice call, push notification) confirms the authentication. SMS OOB is restricted (the standard discourages SMS as the OOB channel due to SIM swap and routing risks). Push notification OOB to a registered mobile application carrying a cryptographic key is preferred at AAL2.
Single-factor OTP device. A hardware token that generates time-based or event-based OTPs. Single-factor OTP satisfies AAL2 only when paired with a memorised secret. The standard names FIPS 140-2 Level 1 minimum cryptographic compliance for the OTP generator.
Multi-factor OTP device. A hardware token requiring activation by a memorised secret or biometric before generating the OTP. The activation factor and the OTP together are two factors. Multi-factor OTP satisfies AAL2 alone.
Single-factor cryptographic software. A software-based cryptographic authenticator (a private key stored in software) used alone. Single-factor cryptographic software satisfies AAL2 only when paired with a memorised secret.
Multi-factor cryptographic software. A software-based cryptographic authenticator requiring activation by a memorised secret or biometric. Multi-factor cryptographic software satisfies AAL2 alone.
Single-factor cryptographic device. A hardware authenticator carrying a cryptographic key (smart card, USB token without on-device authentication). Single-factor cryptographic devices satisfy AAL2 only when paired with a memorised secret.
Multi-factor cryptographic device (AAL3 capable). A hardware authenticator carrying a cryptographic key with on-device authentication (smart card with PIN, FIDO2 security key with biometric or PIN, PIV card). Multi-factor cryptographic devices satisfy AAL3 alone with phishing-resistant verifier impersonation resistance. FIPS 140-2 Level 2 minimum at AAL3.

The identity proofing discipline (800-63A)

NIST 800-63A Volume A covers the structured discipline for binding a real-world identity to a subscriber account. The proofing chain runs from applicant intake through evidence collection, evidence validation, applicant verification, identity resolution, and proofing record retention. The per-subscriber proofing record is the load-bearing artefact the audit reads against; programmes that operate proofing without retaining the record produce IAL targets without per-subscriber evidence the targets were achieved.

Applicant identification. The structured intake naming the applicant, the proofing operator, the application context, and the requested IAL level. The intake record is the load-bearing first artefact in the proofing trail.
Identity evidence collection. The applicant presents identity evidence of named strength (fair, strong, superior). NIST 800-63A names the evidence types in each strength tier: fair (utility bill, financial account statement), strong (US passport, drivers licence, military ID), and superior (REAL ID-compliant identification with biometric, federally-issued PIV/CAC card). IAL2 requires two pieces of strong evidence or one strong plus two fair; IAL3 requires the same with in-person or supervised remote proofing.
Evidence validation. Each presented piece of evidence is validated against an authoritative source: the issuing authority, a credit reference agency check, an electronic record verification service, or a comparable trust authority. Validation names what was checked, the validation result, the validation timestamp, and the validation operator. Evidence that fails validation does not count toward the IAL target.
Applicant identity verification. The proofing operator verifies that the applicant matches the evidence. Verification methods are knowledge-based (out-of-wallet questions, dynamic knowledge challenge), biometric (live image capture matched against the presented evidence), or trusted referee (a trained operator vouches under formal procedure). IAL3 requires biometric verification under operator supervision.
Identity resolution and uniqueness. The validated and verified identity is resolved to a single unique person to prevent multiple subscriber accounts for the same real-world identity. Resolution names the deduplication method, the result, and the disposition for ambiguous matches.
Knowledge-based verification quotas and constraints. NIST 800-63A imposes limits on knowledge-based verification: minimum question count, banned-question lists (out-of-wallet questions only; no questions answerable from public records or social media), session expiry, and the prohibition on KBV alone for IAL3.
Proofing record retention. The proofing operator retains the full proofing record (intake, evidence, validation, verification, resolution, decision) per the documented retention schedule (typical federal minimum is the lifetime of the account plus seven years). The record is the per-subscriber artefact the audit and the regulator read against.
Trusted referee for special populations. NIST 800-63-4 introduces the trusted referee construct where applicants with limited evidence (unbanked, recently immigrated, displaced) are proofed under formal procedure with a trained operator vouching for the applicant. The referee record reads alongside the standard proofing record.

The federation discipline (800-63C)

NIST 800-63C Volume C treats federation as a distinct discipline rather than as an authentication detail. The FAL choice names the assertion protection level; the federation agreement names the trust framework, the attribute set shared, the subject identifier shape, the retention expectations, and the relying party obligations. Federation programmes that operate against SAML 2.0, OpenID Connect, or OAuth 2.0 read the FAL discipline alongside their protocol profile choices so the runtime posture matches the policy target.

Federation agreement. The trust agreement between the identity provider and the relying party names the trust framework, the in-scope attributes, the subject identifier shape (opaque persistent, opaque pairwise, public), the attribute retention expectations, the assertion lifecycle, and the relying party obligations. The federation agreement is the artefact the federation operating record reads against.
Assertion protection level. The FAL choice names the assertion signature requirement (signed at FAL1), the encryption or confidential channel requirement (FAL2), and the holder-of-key cryptographic binding requirement (FAL3). The verifier evidences the chosen protection level at the moment of assertion issuance and the relying party evidences it at the moment of consumption.
Assertion lifecycle. Each federated assertion carries an issuance timestamp, an expiry (short by design, typically minutes), an audience restriction naming the intended relying party, an issuer identifier naming the identity provider, a subject identifier opaque to third parties, an attribute set, and a unique assertion identifier for replay protection. The relying party validates each lifecycle attribute at consumption.
Attribute minimisation. The identity provider releases the minimum attribute set required for the relying party purpose. Programmes that release the full attribute pack regardless of relying party need produce a data-protection liability the federation discipline is designed to prevent.
Subject identifier discipline. The subject identifier is opaque (does not encode personal information) and ideally pairwise (different per relying party) to prevent unauthorised correlation across relying parties. Public subject identifiers (the same identifier shared across every RP) are permitted only when the relying party population is closed and the correlation risk is accepted in writing.
Replay protection at the relying party. The relying party validates the assertion identifier against a short-term cache to prevent replay attacks. The cache size and expiry sit against the assertion lifetime; replays inside the assertion expiry window are detected and rejected.
Identity provider obligations. The identity provider produces the assertion, signs it, optionally encrypts it, names the audience, names the issuer, includes the subject identifier, includes the minimal attribute set, logs the issuance, supports assertion revocation where applicable, and retains the issuance record per the documented retention schedule.
Relying party obligations. The relying party validates the signature against the identity provider key, validates the audience restriction, validates the expiry, validates the issuer, validates the assertion identifier against the replay cache, applies the policy-specific consumption rules (mapping attributes to internal authorisation, recording the federated session, applying the local session lifetime), and logs the consumption.

The NIST 800-63 evidence pack

The minimum durable evidence pack the federal authoriser, the FedRAMP 3PAO, the internal auditor, the external assessor, the regulator, and the audit committee each read against the 800-63 record is grouped below by artefact type. Each artefact carries a named owner, a refresh cadence, and a version history so reconstruction at audit time is replaced with a continuous operating trail. NIST 800-63 does not invent these artefacts; it names what the identity operating record needs to contain to satisfy the assurance level the standard reads against.

The digital identity risk assessment (DIRA). The structured analysis of identity-related risk per application against the impact categories the standard names (inconvenience, financial loss, harm to programmes, unauthorised information release, civil or criminal violations, personal safety). The DIRA is the analytical input the IAL, AAL, and FAL choices read against.
The Digital Identity Acceptance Statement (DIAS). The artefact federal agencies and FedRAMP-authorised cloud services produce naming the IAL, AAL, and FAL choices per application and per user population, the analysis of identity-related risk against the FIPS 199 categorisation, the rationale for the levels selected, the compensating controls where the target level is partially met, and the residual risk acceptance position. The DIAS reads alongside the System Security Plan in FedRAMP and federal authorisation packages.
The identity proofing records. The per-subscriber proofing record carrying the evidence type, the validation method, the verification operator, the verification outcome, the resolution and uniqueness check, and the resulting trust framework decision. Retained per the documented retention schedule.
The authenticator inventory. The per-application and per-user-population inventory of issued authenticators (type, AAL eligibility, issuance date, binding date, last rebind date, suspension state, revocation date) with named owner and named lifecycle authority.
The federation register. The per-federation-relationship register carrying the relying party identity, the identity provider identity, the federation agreement, the FAL choice, the attribute set, the subject identifier shape, the attribute retention policy, the assertion lifecycle, and the in-force date.
The lifecycle event log. The trail of subscriber account lifecycle events (enrolment, authenticator binding, rebinding, suspension, revocation, account recovery, password reset, account closure) with named actor, named decision, named evidence, and named effective date.
The verifier configuration evidence. The configuration of the verifier (the system performing authentication) covering replay resistance, verifier impersonation resistance at AAL3, throttling, rate-limiting, account lockout, protected channel TLS profile, password policy, banned-password list source, and breach-corpus comparison source.
The session management evidence. The configuration of the session lifetime, the inactivity timeout, the reauthentication trigger, the session token shape, the session revocation mechanism, and the session log retention.
The exception and override register. The per-decision register of identity-discipline overrides (compensating controls accepted, level targets partially met, time-bound deferrals, residual risk acceptance) with named approver, named expiry, named compensating control, and named rationale.
The audit and assessment record. The trail of internal audits, external assessments, FedRAMP 3PAO reviews, regulator examinations, and corrective action follow-up that read against the 800-63 evidence pack on cycle.

Failure modes the framework is designed to surface

NIST 800-63 is forgiving on the choice of identity provider, the authenticator vendor, the federation protocol, and the depth of proofing automation. It is unforgiving about a small number of patterns that turn the identity programme cosmetic rather than operational. The patterns below recur across digital identity programmes and are the ones that erode the year-over-year identity audits and FedRAMP authorisations the framework increasingly reads against.

Promoting AAL without IAL. The application owner promotes session AAL by enforcing MFA across the estate but does not perform identity proofing at the corresponding IAL level. The authentication is strong; the real-world identity binding is weak. Programmes that operate IAL1 with AAL2 across applications carrying moderate impact produce a posture that authenticates the holder of the credential without evidence the credential holder is who they claim to be.
Issuing strong authenticators without enforcing verifier requirements. The authenticator catalogue is upgraded (FIDO2 keys, multi-factor cryptographic devices) but the verifier omits replay resistance, verifier impersonation resistance at AAL3, throttling, or rate-limiting. The authenticator strength sits unused against verifier weakness. The standard treats the verifier as a load-bearing control, not as a passive consumer of the authenticator output.
Operating federation without naming FAL. The federation relationship operates against SAML 2.0 or OpenID Connect with default profile choices and no explicit FAL designation. The assertion protection level is implicit and varies per identity provider. Programmes that promote FAL2 or FAL3 at the policy layer without enforcing assertion protection at runtime produce a federation posture that drifts between identity providers.
Treating the DIAS as a static document. The Digital Identity Acceptance Statement is written once, signed, filed, and not refreshed when the application risk profile, the user population, or the threat landscape changes. The IAL, AAL, and FAL choices age out within one cycle. The standard expects the DIAS to be refreshed on cycle (annual minimum) and on material change.
Skipping the authenticator lifecycle. Authenticators are issued and never rebound, suspended, revoked, or replaced. The credential register diverges from the live identity record within the first year. The lifecycle discipline is the operating control that keeps the authenticator inventory current and prevents authentication against stale credentials.
Using SMS as the OOB channel at AAL2 by default. The standard discourages SMS OOB due to SIM swap, SS7 routing, and number porting risk. Programmes that default to SMS OOB across AAL2 applications produce an authentication posture vulnerable to authenticated account takeover via the phone carrier.
Releasing the full attribute pack across every federation. The identity provider releases every available attribute to every relying party regardless of relying party need. Attribute minimisation is the data-protection discipline federation is designed around; programmes that ignore minimisation produce a federation surface that becomes a data-sharing liability over time.
Operating proofing without retaining the proofing record. The proofing operation completes, the subscriber account is created, and the proofing record (evidence, validation, verification, resolution) is not retained. The auditor and the regulator have no per-subscriber evidence the IAL target was actually achieved.
Ignoring reauthentication and session inactivity timeout. The AAL is promoted at the authentication event and the session is held open indefinitely. The standard names explicit reauthentication windows per AAL; programmes that omit them produce an AAL posture that decays between accesses.
Conflating identity assurance with access authorisation. The identity record is treated as the authorisation record. The standard separates identification (who the subscriber is), authentication (the subscriber controls a credential), and authorisation (the subscriber is entitled to access). Programmes that conflate the three produce an access record that promotes entitlements based on authentication without explicit authorisation decisions.

How NIST 800-63 relates to adjacent regimes

NIST 800-63 sits in a busy identity, federal-authorisation, regulatory, and standards neighbourhood. The relationships below are the ones programmes encounter most often when they read the framework against the rest of the identity regime. Programmes operating across regions and sectors use NIST 800-63 as the identity assurance spine and read SP 800-53 IA family, NIST CSF 2.0 PR.AA, ISO 27001 Annex A 5.16 to 5.18 and 8.5, ISO/IEC 29115, SOC 2 CC6.1, PCI DSS Requirement 8, HIPAA Security Rule 164.312(d), FedRAMP DIAS, eIDAS, and UK GPG 45 and 44 as the framework-specific reads alongside.

NIST SP 800-63 vs NIST SP 800-53 IA family

NIST SP 800-53 Rev 5 Identification and Authentication (IA) family contains the per-control language federal information systems implement: IA-1 policy and procedures, IA-2 identification and authentication of organisational users, IA-3 device identification, IA-4 identifier management, IA-5 authenticator management, IA-8 identification and authentication of non-organisational users, IA-11 reauthentication, and IA-12 identity proofing. NIST 800-63 is the implementation companion that supplies the IAL, AAL, and FAL definitions the IA controls read against. Programmes operating against 800-53 use 800-63 to evidence what the controls demand.

NIST SP 800-63 vs NIST CSF 2.0 PR.AA

NIST CSF 2.0 Protect function PR.AA (Identity Management, Authentication, and Access Control) names the framework-level outcome statements for identity. PR.AA-01 covers identity and credential management. PR.AA-02 covers authentication. PR.AA-03 covers users, services, and hardware authentication. PR.AA-05 covers access permissions. NIST 800-63 reads beneath the PR.AA outcome statements as the implementation standard the outcomes are evidenced through.

NIST SP 800-63 vs ISO/IEC 29115

ISO/IEC 29115:2013 (entity authentication assurance framework) is the international standard for authentication assurance levels. The four-level ISO 29115 model (LoA 1 through 4) maps approximately to the NIST AAL discipline. NIST 800-63 evolved beyond ISO 29115 by separating identity assurance (IAL) from authentication assurance (AAL) and adding federation assurance (FAL) as a distinct dimension. Programmes operating in international contexts read 800-63 against 29115 alongside the regional equivalents.

NIST SP 800-63 vs ISO/IEC 27001 Annex A 5.16 to 5.18 and 8.5

ISO/IEC 27001:2022 Annex A 5.16 (identity management), 5.17 (authentication information), 5.18 (access rights), and 8.5 (secure authentication) name the ISMS controls for identity and authentication. NIST 800-63 reads alongside these controls as the implementation depth the ISMS reads against. ISO 27001 names what is required (identity management, secure authentication); 800-63 names the assurance levels and authenticator catalogue programmes implement against.

NIST SP 800-63 vs SOC 2 CC6.1

SOC 2 Trust Services Criteria CC6.1 (logical and physical access controls) names the service organisation commitments around identity and access. SOC 2 examinations typically read the 800-63 evidence pack (identity proofing records, AAL configuration, session management, authenticator inventory) as the operating evidence the CC6.1 controls produce. Service organisations operating against SOC 2 use 800-63 to produce the CC6.1 evidence continuously rather than reconstructing it at examination time.

NIST SP 800-63 vs PCI DSS Requirement 8

PCI DSS v4.0 Requirement 8 (identify users and authenticate access to system components) names the merchant and service-provider commitments around identity and authentication for cardholder data environments. Requirement 8.3 names multi-factor authentication; the PCI DSS expectations are conceptually aligned with NIST AAL2 for administrative access and AAL2 with MFA for remote access. Programmes operating PCI DSS environments use 800-63 vocabulary to evidence the Requirement 8 controls.

NIST SP 800-63 vs HIPAA Security Rule 164.312(d)

HIPAA Security Rule 164.312(d) requires person or entity authentication for access to electronic protected health information (ePHI). The Security Rule is technology-neutral; covered entities and business associates implement against the rule using the identity discipline that fits their environment. NIST 800-63 is the typical reference healthcare organisations adopt for the per-application identity assurance choices.

NIST SP 800-63 vs FedRAMP Digital Identity Acceptance Statement

FedRAMP authorisation packages require a Digital Identity Acceptance Statement aligned to NIST SP 800-63 identity assurance, authentication, and federation levels. The DIAS sits alongside the System Security Plan as one of the required artefacts the FedRAMP Program Management Office and the Joint Authorization Board read against. Cloud service offerings carrying federal data evidence the IAL, AAL, and FAL choices per application and per user population through the DIAS.

NIST SP 800-63 vs eIDAS LoA

The EU eIDAS regulation (Regulation 910/2014, as amended) names three Levels of Assurance for electronic identification: low, substantial, and high. The eIDAS LoA model maps approximately to the NIST AAL discipline with regional variations in proofing expectations. Cross-border programmes operating under eIDAS and 800-63 typically maintain an assurance-level mapping in the federation agreement so the per-relying-party trust framework decision is explicit.

NIST SP 800-63 vs UK GPG 45 and GPG 44

UK Government Digital Services Good Practice Guide 45 (identity verification) and Good Practice Guide 44 (using authenticators to protect an online service) are the UK counterpart guidance to NIST 800-63A and 800-63B respectively. The UK uses a five-element identity profile (strength, validity, activity, fraud, identity) rather than the NIST IAL ladder. Programmes operating in both regimes maintain a profile mapping so the proofing record reads coherently across NIST and UK regulators.

Where NIST 800-63 sits next to other framework pages

NIST 800-63 is the digital identity reference; the adjacent framework pages cover the regimes the 800-63 evidence pack reads alongside. The pages below are the ones identity programmes most often read together when producing the integrated identity evidence pack.

The NIST SP 800-53 framework page covers the federal control catalogue. The Identification and Authentication (IA) family reads NIST 800-63 as the implementation companion that supplies the IAL, AAL, and FAL definitions the per-control language operates against.
The NIST CSF 2.0 framework page covers the framework-level outcome model. The Protect function PR.AA category (Identity Management, Authentication, and Access Control) reads NIST 800-63 as the implementation standard the outcome statements are achieved through.
The NIST SP 800-207 framework page covers the Zero Trust Architecture reference. The strong-authentication and continuous-evaluation tenets read NIST 800-63 as the underlying identity assurance discipline a Zero Trust posture inherits per-session.
The FedRAMP framework page covers the federal authorisation programme for cloud services. The Digital Identity Acceptance Statement is the FedRAMP artefact aligned to NIST 800-63 identity assurance, authentication, and federation levels; cloud service offerings carrying federal data evidence the IAL, AAL, and FAL choices through the DIAS.
The NIST SP 800-37 framework page covers the Risk Management Framework (RMF). The RMF Select, Implement, and Assess steps read the 800-63 evidence pack against the IA control family for federal information systems.
The ISO/IEC 27001 framework page covers the certifiable ISMS standard. Annex A 5.16 (identity management), 5.17 (authentication information), 5.18 (access rights), and 8.5 (secure authentication) read NIST 800-63 as the implementation depth the ISMS controls are evidenced through.
The SOC 2 framework page covers the AICPA Trust Services Criteria. CC6.1 (logical and physical access controls) reads the 800-63 evidence pack (identity proofing records, AAL configuration, session management, authenticator inventory) as the operating evidence the control produces.
The PCI DSS framework page covers the payment card industry data security standard. Requirement 8 (identify users and authenticate access to system components) reads against NIST 800-63 vocabulary for AAL2 administrative access and remote access.
The HIPAA framework page covers the Security Rule. 164.312(d) (person or entity authentication) reads against NIST 800-63 as the typical reference healthcare covered entities and business associates adopt for the per-application identity assurance choices.
The CISA Cybersecurity Performance Goals framework page covers the CISA baseline goals. The CPG access-control and identity goals reference NIST 800-63 as the underlying federal identity standard the goals operate against.

Where SecPortal fits in a NIST 800-63 programme

SecPortal is the operating layer for the 800-63 programme record, not a replacement for the framework itself, not an identity provider, not a credential service provider, not a federation broker, and not an identity proofing platform. The platform handles the workstreams that produce the 800-63 evidence (workspace MFA enforcement promoting sessions to AAL2 through the session middleware, document management for the DIAS and the per-application identity decisions, activity log capturing every state change against an authenticated session, RBAC keeping authentication and authorisation as separate concerns, finding records and overrides for the identity-related gaps, compliance tracking across the adjacent regimes, AI report generation for the audit and authoriser narrative). The same workspace that hosts the identity record hosts the technical assessment evidence the identity decisions are exercised against, so the line from policy to evidence stays traceable.

Workspace-level multi-factor authentication enforcement with TOTP authenticators promotes sessions to AAL2 through the session middleware before any dashboard route is reachable. The owner enables workspace MFA from settings, members enrol an authenticator app on next login, and every session is promoted to AAL2 from then on, so the operating workspace inherits the same second-factor requirement the 800-63 AAL2 target names.
Team management with role-based access control (owner, admin, member, viewer, billing) carries the per-role authorisation decisions separately from the per-user authentication decisions. The 800-63 discipline of keeping identification, authentication, and authorisation as separate concerns reads natively against the RBAC model.
Activity log with timestamped entries for every state change across findings, engagements, scans, documents, comments, invoices, and team changes carries the per-session evidence the 800-63 audit reads against. Each actor row sits against an authenticated session promoted to AAL2 before the action was taken, so the audit trail evidences authenticated authorship rather than asserted authorship. Activity log retention follows the plan (30, 90, or 365 days) and exports to CSV for evidence preservation against the documented retention schedule.
Encrypted credential storage with AES-256-GCM holds the authenticated-scan credentials the technical assessment programmes need. The credentials inherit the AAL2 enforcement gate on the settings tab so credential changes are themselves authenticated against the second-factor session promotion.
Verified domain management constrains the credential creation and the scan target selection to hostnames the workspace owns. The verification record evidences ownership rather than asserting it, which pairs naturally with the identity-resolution discipline the 800-63 proofing chain operates against.
Document management with version history per artefact and named custodian carries the Digital Identity Acceptance Statement, the identity proofing records, the authenticator inventory, the federation register, the verifier configuration evidence, the session management evidence, and the exception register. Each document is named, versioned, and retained against the per-plan retention schedule the 800-63 evidence pack reads against.
Compliance tracking that reads the same identity evidence pack across NIST SP 800-53 IA family, NIST CSF 2.0 PR.AA, ISO 27001 Annex A 5.16 to 5.18 and 8.5, SOC 2 CC6.1, PCI DSS Requirement 8, HIPAA 164.312(d), FedRAMP Digital Identity Acceptance Statement requirements, and the regional eIDAS and UK GPG references.
Findings management with CVSS 3.1 scoring, severity bands, status group, and named owner carries the identity-related findings (authenticator policy gaps, session lifetime misconfiguration, federation profile drift, identity proofing record gaps surfaced at audit) on the same finding register the rest of the security programme uses, so the corrective action follow-up does not bifurcate into an identity-only track and a security-only track.
Finding overrides with the eight-field decision chain (rationale, scope, named approver, expiry, compensating control, residual risk acceptance, refresh trigger, audit annotation) carry the residual identity decisions where the target level is partially met. The override register is the artefact the DIAS residual risk position reads alongside.
AI report generation that turns the operating identity record into an executive briefing, an audit-committee pack, an internal-audit summary, a FedRAMP DIAS draft, or an examiner-ready evidence summary against the underlying record. The narrative reads against the live record rather than against a separately maintained presentation deck.
Notifications and alerts that drive the identity cadence (DIAS refresh due dates, authenticator inventory refresh, federation agreement renewal, override review prompts, session policy review intervals) so the cycle does not depend on tribal memory of when the next obligation is due.

What SecPortal does not do

NIST 800-63 is an identity assurance framework that depends on the organisation operating identity proofing, authenticator issuance, verifier configuration, and federation as coordinated functions. SecPortal is the operating record for the 800-63 evidence slice, not the identity provider, not the credential service provider, not the federation broker, and not the third-party 3PAO. The honest scope below reads against the NIST 800-63 boundary so the platform commitment is unambiguous.

SecPortal is not an identity provider, a credential service provider, or a federation broker. The platform does not run SAML 2.0 or OpenID Connect identity provider endpoints, does not issue or verify federated assertions for other relying parties, and does not act as a credential service provider for upstream applications.
SecPortal does not perform IAL2 or IAL3 identity proofing. The platform does not collect identity evidence (drivers licence, passport, government-issued identification), does not validate evidence against authoritative sources, and does not run knowledge-based, biometric, or supervised remote proofing flows. Identity proofing is performed by the identity programme that issues the SecPortal account against the wider identity assurance posture.
SecPortal does not enforce AAL3 with hardware-based, phishing-resistant authenticators at the workspace level. The current workspace MFA enforcement promotes sessions to AAL2 using TOTP authenticators. Organisations requiring AAL3 enforcement implement against their identity provider at the federation layer and operate SecPortal as the relying party against that posture; the platform-side enforcement remains AAL2 with TOTP.
SecPortal does not ship enterprise SSO, SCIM, or SAML federation as a packaged capability. The workspace authentication uses Supabase Auth with email and password plus TOTP MFA. Programmes requiring federated identity for SecPortal access do so through identity provider integrations outside the platform; the federated-identity posture is operated against the IdP rather than against SecPortal.
SecPortal does not produce or sign the Digital Identity Acceptance Statement on behalf of the organisation. The platform carries the DIAS as a document artefact with version history and named custodian; the DIAS authorship, the FIPS 199 categorisation analysis, the per-application IAL/AAL/FAL decisions, and the residual risk acceptance position remain owned by the application owner and the authorising official.
SecPortal does not author or issue authenticators (hardware tokens, smart cards, FIDO2 security keys, PIV cards). The authenticator catalogue the workspace inherits is the Supabase Auth TOTP catalogue at AAL2. The wider authenticator inventory the identity programme operates is held in the identity provider and read into the workspace as a document artefact.
SecPortal does not run NIST 800-63 third-party assessments or issue compliance certifications. The platform carries the operating record the FedRAMP 3PAO, the SOC 2 auditor, the ISO 27001 certification body, the PCI QSA, and the regulator read against, with the artefact pack the audit fieldwork reads continuously rather than reconstructed at examination time.
SecPortal does not ship packaged Jira, ServiceNow, Slack, Microsoft Teams, PagerDuty, SIEM, SOAR, GRC, CMDB, ERP, HRIS, or identity-governance push connectors for identity workflow automation. The identity record reads alongside those systems where they exist; SecPortal is the operating record rather than the integration hub.

The operational workstreams the 800-63 evidence pack reads against already exist as named capabilities and use cases on SecPortal. The multi-factor authentication feature covers the TOTP enrolment, the workspace MFA enforcement, and the AAL2 session promotion through the session middleware. The team management feature covers the RBAC tiers (owner, admin, member, viewer, billing) that keep authentication and authorisation as separate concerns. The activity log feature covers the per-session evidence the audit trail reads against. The encrypted credential storage feature covers the authenticated-scan credentials gated by the same AAL2 enforcement as the rest of the workspace. The verified domain management feature evidences ownership rather than asserting it, paired naturally with the identity- resolution discipline the proofing chain operates against.

For the workflow side, the security leadership reporting workflow covers the executive and audit-committee read against the identity assurance posture. The audit fieldwork evidence request fulfillment workflow covers the certification audit and FedRAMP assessment liaison the 800-63 evidence pack reads against. The cross-framework control mapping workflow reads the same identity evidence pack across NIST SP 800-53 IA family, NIST CSF 2.0 PR.AA, ISO/IEC 27001 Annex A 5.16 to 5.18 and 8.5, ISO/IEC 29115, SOC 2 CC6.1, PCI DSS Requirement 8, HIPAA 164.312(d), FedRAMP DIAS, eIDAS, and UK GPG 45 and 44 so the cross-regime read is reconcilable rather than reconciled per audit. The control gap remediation workflow carries the corrective action follow-up the identity audit findings, the authenticator inventory gaps, and the federation profile drift produce. The customer security evidence room workflow bundles the 800-63 evidence pack into the enterprise customer security read at procurement and renewal. The cyber insurance security evidence workflow bundles the same evidence pack into the underwriter and broker read at renewal so the identity posture is visible alongside the security posture.

For GRC and compliance teams running the identity programme alongside the wider information security and operational resilience programmes, the GRC and compliance teams workspace bundles the platform with the engagement structure the identity audit cadence reads against. For identity teams carrying the per-application identity decisions, the identity security teams workspace covers the per-cycle authenticator inventory refresh, the federation register review, and the DIAS refresh cadence. For CISOs and security leaders carrying the audit-committee read against the identity assurance posture, the CISOs and security leaders workspace covers the board-side reporting model that sits on top of the identity operating record.

For deeper reading on the disciplines this framework reads against, the Zero Trust Architecture implementation guide covers the strong-authentication and continuous-evaluation tenets the 800-63 evidence pack feeds into. The non-human identity security guide covers the machine-identity discipline alongside the human-identity discipline 800-63 primarily addresses. The identity threat detection and response (ITDR) explainer covers the operational detection-and-response surface the identity assurance posture is defended through at runtime. The security budget allocation framework for CISOs covers the budget frame the identity programme reads against alongside the rest of the security investment portfolio.

Key control areas

SecPortal helps you track and manage compliance across these domains.

IAL: Identity Assurance Level

Identity assurance level names how confidently an applicants real-world identity is bound to a subscriber account. IAL1 requires no real-world identity binding (self-asserted identity). IAL2 requires identity proofing against fair, strong, or superior evidence with remote or in-person validation. IAL3 requires the same against in-person or supervised remote proofing with biometric verification. The IAL choice is the load-bearing input the rest of the identity programme reads against; programmes that promote AAL without IAL produce an authentication record disconnected from the real-world identity.

AAL: Authenticator Assurance Level

Authenticator assurance level names how robustly an authentication event proves the claimant controls the authenticator. AAL1 permits single-factor authentication with a memorised secret. AAL2 requires two distinct authentication factors with replay-resistant authenticators (memorised secret plus OTP, OOB, or cryptographic authenticator). AAL3 requires hardware-based, phishing-resistant authenticators with verifier impersonation resistance (multi-factor cryptographic device or FIDO2 hardware authenticator). Each AAL carries its own reauthentication, session timeout, and protected channel requirements.

FAL: Federation Assurance Level

Federation assurance level names how trustworthy a federated assertion that carries the identity between an identity provider and a relying party is. FAL1 requires a signed assertion over a protected channel. FAL2 adds encryption of the assertion or a confidential channel between the IdP and the RP. FAL3 adds proof-of-possession of a holder-of-key cryptographic key at the relying party. FAL applies only when identity is federated; non-federated systems operate against IAL and AAL only. Programmes operating across regions and organisations read the FAL discipline alongside SAML 2.0, OpenID Connect, and OAuth 2.0 profile choices.

800-63A: Enrolment and identity proofing

Volume A covers the structured discipline for binding a real-world identity to a digital account: applicant identification, identity evidence collection (strong, fair, superior), evidence validation against authoritative sources, applicant identity verification (knowledge-based, biometric, supervised remote), and proofing record retention. Programmes performing IAL2 or IAL3 proofing produce a per-subscriber proofing record the audit reads against, with the evidence type, the validation method, the verification outcome, the proofing operator, and the resulting trust framework decision.

800-63B: Authentication and lifecycle management

Volume B covers the authenticator catalogue (memorised secret, look-up secret, out-of-band, single-factor OTP device, multi-factor OTP device, single-factor cryptographic software, multi-factor cryptographic software, single-factor cryptographic device, multi-factor cryptographic device) with per-type AAL eligibility, the verifier requirements (replay resistance, verifier impersonation resistance, throttling, rate-limiting, account lockout), the reauthentication and session management requirements per AAL, and the lifecycle events (enrolment, binding, rebinding, suspension, revocation, account recovery, password reset).

800-63C: Federation and assertions

Volume C covers the federated identity discipline: the runtime decisioning federation, the proxied federation, the federation agreements (trust framework, scope of attributes shared, retention of subject identifiers), the assertion protection (signature, encryption, holder-of-key), the assertion lifecycle (issuance, validation, revocation, replay protection), the relying party obligations (audience restriction, expiration, nonce validation), the identity provider obligations (subject identifier opaqueness, attribute minimisation, audit logging), and the protocol profile choices SAML 2.0, OpenID Connect, OAuth 2.0 each carry.

Authenticator types and AAL eligibility matrix

NIST 800-63B catalogues authenticators by structural type and names which combinations satisfy AAL1, AAL2, and AAL3. Memorised secret alone qualifies for AAL1 only. Memorised secret plus OTP, OOB, or cryptographic authenticator qualifies for AAL2. Multi-factor cryptographic device or FIDO2 hardware authenticator alone qualifies for AAL3 with phishing resistance. Programmes choose the authenticator mix against the AAL target, the user population, the accessibility requirements, and the operational economics of issuance, recovery, and revocation.

Reauthentication, session management, and authenticator lifecycle

NIST 800-63B names the maximum session duration before reauthentication is required (30 days at AAL1, 12 hours or 30 minutes of inactivity at AAL2, 12 hours or 15 minutes of inactivity at AAL3), the protected channel requirements per AAL, the throttling and rate-limiting required at the verifier, and the authenticator lifecycle events (rebinding, suspension, revocation, account recovery) the operating record carries. Programmes that promote AAL without enforcing session expiry produce an authentication posture that decays between the verification event and the next access.

Digital Identity Acceptance Statement (DIAS)

The DIAS is the artefact federal agencies and FedRAMP-authorised cloud services produce to evidence the IAL, AAL, and FAL choices made per application and per user population, the analysis of identity-related risk against the FIPS 199 categorisation, the rationale for the levels selected, the compensating controls where the target level is partially met, and the residual risk acceptance position. The DIAS reads alongside the System Security Plan in FedRAMP and federal authorisation packages.

Adjacent regimes and audit-grade evidence

NIST 800-63 reads against NIST SP 800-53 IA family (Identification and Authentication), NIST CSF 2.0 PR.AA (Identity Management, Authentication, and Access Control), ISO 27001 Annex A 5.16 to 5.18 and 8.5, ISO/IEC 29115 (entity authentication assurance framework), SOC 2 CC6.1 (logical and physical access controls), PCI DSS Requirement 8 (identify users and authenticate access), HIPAA Security Rule 164.312(d), eIDAS levels (low, substantial, high), UK GPG 45 and GPG 44, and FedRAMP digital identity requirements. The 800-63 record produces the per-application identity assurance evidence each of these regimes reads against without a parallel evidence pack per audit.

Related features

Multi-factor authentication on every workspace

Collaborate across your entire team

Every action recorded across the workspace

Encrypted credential storage for authenticated scans

Verify ownership before any scan runs

Compliance tracking without a full GRC platform

Vulnerability management software that tracks every finding

Document management for every security engagement

AI-powered reports in seconds, not days

Finding overrides that survive every scan cycle

Notifications and alerts for the people who carry the work

Run a NIST SP 800-63 evidence pack on one workspace

Hold the IAL choice per user population, the AAL target per application, the FAL profile per federation, the authenticator inventory, the proofing records, the federation assertion records, the lifecycle event trail, the Digital Identity Acceptance Statement, and the audit evidence on one workspace. Carry the same record into FedRAMP, NIST SP 800-53 IA family, NIST CSF 2.0 PR.AA, ISO 27001 Annex A 5.16 to 5.18 and 8.5, ISO/IEC 29115, SOC 2 CC6.1, PCI DSS Requirement 8, HIPAA Security Rule 164.312(d), eIDAS, UK GPG 45 and 44, without rebuilding the evidence pack per audit. Start free.