NIST SP 800-63
NIST Special Publication 800-63 Digital Identity Guidelines
NIST SP 800-63 is the U.S. federal reference for digital identity, defining models and risk-based assurance levels for identity proofing (IAL), authentication (AAL), and federation (FAL). It is mandatory for many federal systems and widely adopted as a best-practice benchmark by private organizations. Revision 4 was published in 2025.
Jurisdiction: 🇺🇸 United States
Type: Framework/standard
In effect: 2017
Authority: National Institute of Standards and Technology (NIST)
Who it applies to
U.S. federal agencies and their service providers; it is also adopted voluntarily by private-sector organizations that use it as an identity assurance benchmark.
Identity requirements
- Select identity assurance levels (IAL) for identity proofing based on a risk assessment
- Select authenticator assurance levels (AAL), with higher levels requiring multi-factor and phishing-resistant authenticators
- Select federation assurance levels (FAL) governing assertions and trust in federated scenarios
- Apply controls for the full authenticator lifecycle, including binding, reauthentication, and revocation
- Implement fraud and threat mitigations and protect against credential compromise and replay
- Document and record events to support security, auditability, and continuous evaluation of identity systems
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Authentication & MFA | Authenticator assurance levels define multi-factor and phishing-resistant authentication requirements for digital services. |
| Identity verification (KYC/proofing) | Identity assurance levels set the rigor of identity proofing for remote and in-person enrollment. |
| Customer identity & consent (CIAM) | Federation assurance levels and privacy controls guide how identity attributes are shared across services. |
| Audit, logging & accountability | The guidelines call for recording identity events to support security monitoring and ongoing assurance evaluation. |
Penalties
As a standard rather than a statute, SP 800-63 carries no direct fines, but federal agencies must comply and non-conformance can fail audits or block authorization to operate.
Official source
https://pages.nist.gov/800-63-4/sp800-63.html
NIST SP 800-63: frequently asked questions
- Is NIST SP 800-63 a law?
  - No. It is a technical standard and guideline; it is mandatory for many U.S. federal systems and is widely used voluntarily by private organizations as an identity assurance benchmark.
- What are IAL, AAL, and FAL?
  - They are assurance levels for identity proofing (IAL), authentication (AAL), and federation (FAL), each with tiers that increase the required rigor based on risk.
- What is new in Revision 4?
  - SP 800-63-4 modernizes the guidelines with stronger emphasis on phishing-resistant authentication, fraud mitigation, equity, and updated proofing and federation requirements.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.