Enrollment and Identity Proofing Practices Statement Templates: Supporting Remote Proofing in Accordance with NIST SP 800-63A Identity Assurance Levels 2 & 3
May 2020
Topics: Cybersecurity, Computer Security, Information Security, Information Security Risk Management, Computing and Information Systems Management
For digital transactions, companies and government agencies need to be able to accurately identify, credential, monitor, and manage user access to information and information systems. This is true for a wide range of users, from employees trying to access enterprise systems to citizens trying to access government services or consumers trying to purchase a product online.
Identity proofing establishes that a person is who they say they are, and the strength of this proof is based on one or more pieces of identity evidence. Identity proofing is defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines, and by Identity Assurance Levels (IALs), which range from 1 to 3.
Government agencies and commercial credential service providers (CSPs) that offer credentialing services should follow NIST SP 800-63-3 guidance for identity proofing, but this can be difficult. A key reason why agencies are unable to implement high assurance identity proofing is their reliance upon traditional identity proofing methods based on personally identifiable information (PII). However, because an individual’s PII has become widely available through both social media and unintentional data breaches, traditional identity proofing methods that rely on knowledge-based authentication are now insufficient for corroborating an individual’s claimed identity.
This paper provides a methodology, refined process flow, and customizable templates for government agencies and CSPs to use in developing a clearly defined and documented high assurance identity proofing process in the form of an Enrollment and Identity Proofing Practice Statement (EIPPS). An EIPPS describes the basic processes an agency or CSP will use based on current published guidance from NIST.