Video Transcript
Christine Owen:
Hi there. Welcome to Identiholics. My name is Christine Owen and today I have an even more special guest than I've had before because I have Ryan Galluzzo, identity program lead at NIST. And the reason that we're talking today, and we're going to have this little, I would call it a bonus episode, is because they released this big massive document. And I had to kill so many trees for this, Ryan. So we've got 63-4 and we're going to talk a little bit about it, but we're also going to do a lot of demystifying of NIST. So first off, thank you so much for coming, Ryan.
Ryan Galluzzo:
Thank you for having me. I don't know about even more special, but I do appreciate the opportunity to get on here and talk to your audience today.
Christine Owen:
Thanks. Yeah, so I mean, no, I think it is even more special because I feel like people are always scared when they get NIST documents. They don't know what to do with them. So we're going to talk about what to do with them besides read them and try to figure out how to comply with them. So first off, I want to talk about a little bit about yourself and how you ended up where you ended up, because I feel like it's not like you woke up one day and said, "Boy, I really want to write standards for a living." Or maybe you did. I don't know.
Ryan Galluzzo:
No, not at all. I am here, like I think most people in the identity space, largely by accident. I like to tell people that I ended up here because of a Boston Red Sox hat. So I guess rewinding back to about 2011, I had previously been in the Army where I was an artillery officer. I had decided I was very much done with that particular phase of my life, but I didn't really know what I wanted to do at all. I was thinking either go back to school and become a history professor or an archeologist, or become a super special secret agent in the intelligence community. And while those are vastly different, I didn't really have a good idea of what I wanted to do. So got out, was just lounging around at my parents' house in Massachusetts doing almost nothing.
My father, who had been in the intelligence community for a long time, had a random business trip down to Washington D.C., and he decided to wear his Red Sox hat one day to go to a Starbucks in Boston. And when he was there, a former colleague of his saw that Red Sox hat and said, "Man, that looks a lot like Mark Galluzzo. I'm going to go say hello real quick." It turned out that that woman was the director of a nonprofit called the Intelligence and National Security Alliance. And she said, "Hey," and my dad said, "Hey, my son is just sitting around eating my food, taking up space at my house. It would be really nice if he could come meet with you and have a conversation." And so I went and interviewed with them and I got an internship. And when I was at that internship, I ended up helping work on a white paper about interoperability and reciprocity of background investigations. So this was my first introduction to both the world of federal standards and federal guidance and federal policy and identity.
I really liked it, thought it was interesting, and ended up meeting some folks from Deloitte while I was doing that internship. And those folks from Deloitte were looking to build out a team to help support NIST and the National Strategy for Trusted Identities in Cyberspace, NSTIC. And so I ended up getting a job there and found myself not long after that as the sole person showing up almost every day at the Department of Commerce to work with really the heavyweights in the space. Jeremy Grant was the director of the program office. David Temoshok was there, Naomi Lefkovitz was there. I mean, who's who. Mike Garcia joined not long after that. And so I very quickly found myself in the deep end of identity and really it didn't change after that. So spent a long time working at the NSTIC program office through the days of standing up The Identity Ecosystem Steering Group, and working on The Identity Ecosystem Framework and then working on some international standards with them. And that's pretty much where I entered the identity space. And because it's identity, they don't allow you to leave. And so, I'm here.
Christine Owen:
Yeah. That's true.
Ryan Galluzzo:
But I truly, truly loved it. I mean, I think the big thing there was not just the introduction to identity, but the introduction to NIST as an organization. And to me, it was the best of both worlds. I had been looking partially for being involved in important policy at a national level and important work at a national level through that, hey, maybe I want to become a member of the intelligence community, but also the academic world. And so it was like this really nice blend of both, and NIST in particular has this wonderful culture of academic focus and collaboration and coordination. And so I just loved it. I really, really loved NIST as an organization.
And after leaving the NSTIC project and doing some work at different agencies, Treasury, IRS, the opportunity to come back to NIST came up and absolutely jumped at it. And here I am. So I've been about two years now, two and a half years I think at NIST as the identity program lead. So it was-
Christine Owen:
Awesome. You know what I love about NIST?
Ryan Galluzzo:
[inaudible 00:06:04] fortuitous.
Christine Owen:
What I love about this is not just that the people are really nice, the culture is really good, but also there's this beautiful weeping willow tree outside of the cafeteria on campus, and I love that tree. It's like such a pretty tree.
Ryan Galluzzo:
Well, it's currently off limits. So they've been in the process of doing a very elaborate renovation of our cafeteria. So the cafeteria is closed as well as the courtyard and around the cafeteria, I believe the weeping willow was still there. And even with some nice little chairs underneath it, so you have this beautiful shade. But yeah, all that's still closed. I don't know when it's going to be opening back up again, but we are looking forward to it because having a full cafeteria again I think would be nice.
Christine Owen:
Yeah. I actually was wondering if you guys had... Yeah, I mean you're in the middle of nowhere, not really, but it's hard to get on and off that campus, I feel like. You're tucked in the back.
Ryan Galluzzo:
I don't have the most ideal commute, because I live in Fairfax and commute all the way up to Gaithersburg when I do come to campus. But it's quiet, it's beautiful, there's nature, there's wildlife. It's a really nice campus and it's really enjoyable to come here. Cafeteria [inaudible 00:07:18].
Christine Owen:
Yeah, you've got that whole herd of deer that you can't do anything about.
Ryan Galluzzo:
Had a bear at one point in time, I believe.
Christine Owen:
You had a bear?
Ryan Galluzzo:
Yeah, somebody is probably going to correct me on this, I guess in your comments or something, but there was a bear, it was called Gaithers Bear, and I think we even very briefly had a Gaithers Bear Twitter handle or something like that as well too.
Christine Owen:
That's awesome. All right, so wonderful protected land you have up there.
All right, so let's get down to brass tacks, which is 63. So 800-63 is the identity guidelines. They're essentially this gold standard for US practitioners, not just for the government, but also for a lot of the vendors. So one thing that I hear a lot, and I try to correct this, so I would love to hear how you respond to this, but a lot of people complain that it takes so long. So in my opinion, I think it makes sense because of the process that you guys have in place. 63-3 came out in 2017, I think, right? Or 2018. And you try to be forward-thinking as far forward as you can. But the problem is then we had COVID and a lot of technology really advanced way faster than we thought it would, which is a good and bad thing because standards had to get back up. I think it was either 2021 you guys started, was it in 2021 or 2022? You started reaching out to vendors?
Ryan Galluzzo:
So I believe in 2020 there was a call for feedback to seek input on what we should do next, where should we take the guidance from where we are? Obviously that then rolled into, to your point, a lot of the stuff that happened during the pandemic. We learned a ton from having conversations with folks about what worked, what didn't work, what happened, where we saw different kinds of threats. Obviously that was a, I don't want to say it was a paradigm changer so much as it shined a light on the importance of things like identity proofing and authentication and doing things from a very risk-based perspective. So I think that was immensely valuable to provide feedback to us.
And as far as the timeline goes, the other thing to think about with a lot of this is post 2020, 2021, 2022, we're starting to see an emergence of new techniques.
So things like verifiable credentials, mobile driver's license, digital wallets, all those standards start to peak around that point and start to move towards more finalization and more maturity. We've also got things like passkeys emerging within the FIDO ecosystem. So there's this point that we get to in the mid '21, '20 timeframe of a whole bunch of stuff happening at once. And so that's why when we put out the guidance in December of '22, there were a lot of things where we had cracked the door on them. So we had made some minor changes to account for the possibility of being able to clone and export keys to support concepts such as the passkey, but we didn't go really far with that yet. We had cracked the door on things like digital evidence, so mobile driver's license, verifiable credentials. And a lot of what we got was we need more.
And at the same time, we needed an opportunity for a lot of the thinking and other standards that are maturing in the space to really start to solidify around what those were going to look like, what implementations were going to look like, before we could really continue to refine all the requirements that we were ultimately putting in. So there was a cycle that resulted in us, as they were actually updating all of the core standards to support some of these new technologies, wanting to make sure we were building them in, because the last thing we wanted to do is put it out in '22 or '23 and then all of a sudden we have a whole bunch of new technologies and we have to update it a year later. Or worst case, the standard is essentially outdated the day it gets published, which is a bad thing.
So we wanted to make sure that we gave some of those things some time to mature. At the same time, there was so much that we had changed from what was in revision three that we got thousands of comments. I mean, in December of '22, we released the first public draft of 63 revision four. We had a 119-day public comment period. And it was very intentional because again, we knew there's a lot of things changing, wanted to have a lot of very deliberate conversations, wanted to get feedback from organizations that we didn't typically get feedback from. So like state level organizations, civil society, privacy experts, folks that were looking at the equity side of the house when it comes to things like benefits and benefits distributions. We really wanted to have a robust period of communication and engagement and it worked. We got 3,876 comments, I think was the exact number, once we took the big comments and broke them down into the individual items, which is a lot. So we had to deal with each one of those items, have a very deliberate process for making sure that we understood what we were going to accept, what we weren't going to accept, and deduplicating a lot of those things and making sure that we covered the important topics. And that took a while. But as you mentioned last week or two weeks ago, not last week.
Christine Owen:
Two weeks ago.
Ryan Galluzzo:
Two weeks ago, we released a second public comment draft. We really felt that that was necessary here because we made some pretty substantial changes even from the last public comment period. And when you're addressing 3,876 comments, it wouldn't be very, I think, effective to try and transition directly from that to a final. So wanted to make sure we had another round of being able to vet these with the larger community.
I think that's a really important point about a lot of the work we do here at NIST: yes, we manage and shepherd this process and we do have a lot of subject matter expertise in a lot of these things, but we want to make sure it is an open and collaborative process that takes in the best from industry, the best from academia, the best from the entire ecosystem to make sure that it is something that, one, is practical and implementable, and two, is also going to have broad adoption and support not just within the government but also in commercial. So we brought all those things together and realized we definitely needed to do a second public comment period on the stuff. And that's what we got out the door about two weeks ago.
Christine Owen:
So when you were deliberately reaching out, were you reaching out to certain organizations to try to have conversations with them? Do you target organizations or do you passively allow them to come to you? Or a little bit of both?
Ryan Galluzzo:
We do both. So I think we were very deliberate in targeting for this. So we went to, I mean, the number of events that we went to that we probably would not have normally gone to during the public comment period last year or last time around was substantial, probably more so than any of the team were necessarily prepared for, but we were going to state level events on cybersecurity. We were going to privacy events, we were going to every opportunity for federal forums that we could find to try and make sure that we got news out about this and what the major changes were. We targeted very specific organizations that we wanted to go have conversations with because of their role in the larger ecosystem. And at the same time, almost anyone who reached out and said, "Hey, we'd like to have a conversation about this," we accepted that conversation.
We really wanted, given the level of visibility, the level of importance that was being placed on identity proofing, identity verification, authentication and federation in the wake of COVID as well as what we were seeing from an emerging technology perspective, to make sure we were covering the biggest spectrum possible. And we will be doing it as well during this public comment. It won't be a 119-day public comment because we do have to bring this to final, but we will be deliberately engaging in targeting folks within commerce, within the commercial space, within the academic space, as well as opening the doors to folks who want to have conversations with us.
So if you're out there and you're listening and you have something you love, we're more than happy to talk to you about it. If you have something you hate, we're more than happy to talk to you about it. If you just want to ask some questions before you provide your public comments, we're more than happy to talk to you about it. So reach out, let us know, get something set up and we're more than happy to have a conversation and understand what the various different perspectives are and what we've done with the guidance.
Christine Owen:
Yeah, I'm sure Ryan's tired of talking to me about it over and over again.
Ryan Galluzzo:
No, no. You're one of my favorite sounding boards.
Christine Owen:
Yeah, I do enjoy it. It's a lot of fun. And I think that this is something that's really important for people to understand, that as long as you are in the space or you're affected by this, you understand, maybe you can read the guidelines, you understand them to a point. You don't have to fully understand them. I know I didn't understand C for quite some time until this year, so you don't have to always fully understand, but as long as you do have comments or you have questions, it's really important to get those in. If you're a small micro agency and you have a weird use case, that's something that's really valuable to be able to understand whether these standards really do meet as many of the use cases as they're trying to hit, right? Because you can't hit all the use cases with standards. It's impossible. You can never get to a hundred percent, but getting to 99 is really important.
And what I found in having worked with a ton of different people, I found that some people are scared of NIST. They didn't know that you could actually talk to them. I think they think of you guys like procurement officers or something. Do you guys have that same issue?
Ryan Galluzzo:
Yeah, I think there's two different sets of groups that we interact with and they react to us in different ways. There's definitely the people who work with and understand NIST and have been in the space of standards development and the work that NIST does for a long time, know that they can have these collaborations, understand that this is what we really want to do. But there is definitely a completely separate world of, these are things that come from somewhere and we're told to comply with them and we don't realize that we can reach out and have that engagement. So if you find yourself in that latter camp of, "We've been told we have to do the NIST and we're trying to figure out how to do the NIST," you can pick up the phone and give us a call, you can shoot us an email, you can have a conversation.
And frankly, if you have feedback and learnings of where the NIST is not doing the thing that you wanted, we can certainly engage on that and understand what your particular use case is and explore how that can impact our guidance overall. It's certainly intended to be a two-way street and a conversation and collaboration. And I don't own an operational identity system, so we do rely on feedback from agencies and organizations that are interacting with end users on a day-to-day basis to make sure we're getting a lot of this stuff. So if you're out there and you didn't understand that you could do this or you were afraid to potentially do this, reach out, we're happy to hear from you and happy to understand what it is that you're dealing with on a day-to-day basis.
Christine Owen:
And I'll say the NIST has become less of an ivory tower, 63-3 definitely broke it down a little bit. There was a lot of outreach during that period. I think you guys are taking that and going even further, which is perfect and really good. And I think the other thing for practitioners who are either new to the space or system owners who know they have to, they're required to do the NIST.
Especially, there's a lot of system owners actually that are not in the government space, they're healthcare, so they're adjacent and they're required by DEA regulations to follow NIST guidelines. In those cases, those are a lot of people who don't live and breathe this like we have. We came up living and breathing NIST in all the other federal requirements. We understand what it means. But I think that those people, especially reaching out to NIST or finding a practitioner who is really in tune with this is really important because it's not as black and white as it seems on paper. There is an entire risk-based approach, which by the way, Ryan, I'm so happy you guys changed your space approach and changed your methodology. I love it. Maybe I remember a comment on this, but I think that that piece gets very confusing that it's like you can't always do X and Y to get Z when it comes to a person's identity. Sometimes you have to go all around the lines to figure it out. So I think that that's really important for people to remember.
Ryan Galluzzo:
And I want to say thank you for the call out on the openness and 63 being part of that, breaking down the ivory tower stuff, Paul Grassi, Mike Garcia, Jeremy Grant, that whole team did a lot of really, really, really critical work that set a great template and foundation for what we're trying to do now on revision four as well too. So the whole standing on the shoulder of giants thing and driving forward on that. I would say from a risk-based approach, I think people are often surprised when they have conversations with us because we really, at least programmatically, our focus is not strict conformance and compliance, our focus is on trying to give agencies the tools that they need to make the best risk-based decisions possible. If you're purely focused on compliance, compliance and conformance, it's not going to solve all your problems. You need to really be able to look at this from the perspective of balancing understanding and managing risk across the board.
And what we're trying to do with all four of the volumes, not just the risk management volume, but all of them, is really lay out how we want you to do these things, the best way to potentially do these things, but also try and provide optionality and different pathways for organizations to be able to implement what makes sense to them and also understand where they might have to make some risk-based decisions and really focus most on documenting those. Because I think the idea that you're going to have a solution where you don't have to make some of those trade-offs or risk-based decisions is a little bit impractical. And so we understand that and what we want to do is be able to write to give people a good understanding of what we think the best case scenarios look like, but also understanding that we want to give you the pathways and flexibilities to make the decisions that are correct for your use case, that are correct for your users and your populations and correct for your threat environment. So hopefully that level of flexibility is coming through in what we've put through in the risk management process, but it's really about risk management tools more so than driving hard compliance conversations.
Christine Owen:
Actually a light bulb just went off. I think a way for cybersecurity practitioners to really think about it is in every system in cybersecurity, there's always some sort of exception. Someone always gets an exception. It doesn't matter. You can be as strict as you want and there's always this one random person out in the middle of nowhere and they get an exception for whatever it is that they're doing for their system, for how they get in whatever it is because they need it in a completely different, unicorny way.
And so I like to think of the guidelines like that for I'd say 80% of the population. You can do it the easiest way through the guidelines and for that 20%, then you have to figure out, okay, now what do we do? Well, we have to add in a little more friction, so that'll get us to the 90%. And then after that, what are we going to do? All right, we need to do a little more friction, now we've got about 3% of the population that we still can't get through. What are we going to do there? And that's when we really have to start making those risk-based decisions and figuring out what our exceptions are going to be.
Ryan Galluzzo:
Yeah. And that becomes even more crucial when you're talking about public facing applications. And in particular, protection of things like benefits programs. Because these are oftentimes things people are, one, entitled to, but also two, dependent upon for sometimes every day capabilities, life, execution getting through. And so it becomes very important to make sure you've got those processes built in to be able to help and handle people who really do have to get access to the things that they need to keep themselves going on a day-to-day basis.
Christine Owen:
Yeah, absolutely. So the other thing that I think is really interesting is, I was thinking about the evolution of 63 and how from two to three, something big happened. There was a big breach. And at that point what was realized is that the standards were too high in the sky and didn't meet vendors. Vendor technology actually could not meet the standards even if they had tried. That's something that we learned into. So three went out and tried to make it better and bring it down to the vendor level so that the vendors could actually meet it. And then that's why we took apart the LOAs, we added the A and the XLs. And now, what do you think was the big, not the impetus, but what was the big difference between three and four?
Ryan Galluzzo:
Well, I think partially we learned a lot from three, I think three really... I can't speak to all the motivations that went into the updates, and I was around, but not directly engaged in everything that was happening. But what I can say is that it was a complete shift. It was completely different than what was in revision two. It was a substantive change in both how the guidance was structured, we went from one big document to four other documents, and we changed the assurance level structure entirely. So it's a total paradigm shift from what we were talking about in revision two to revision three. And I think what happened was we essentially learned a lot over the past, essentially I guess eight years since it was published, of what's working, what's not, what was clear and what was not. Very simple things like how vendors ultimately interpreted some of the guidance and how that impacted how we structured some of the requirements. Things like what evidence, we went from a partially evidence-based process in two to a more or less entirely evidence-based process in revision three. What pieces of evidence were actually available? What was really fitting into the concept of evidence strength? What was available to users, what wasn't? But also looking at what practically speaking was working from an implementation perspective as well too.
So I think the big thing is we learned a lot from what was in 63-3 and several years of agencies and vendors and organizations looking to try and implement. So I think that is one of the big things that shifted. We now had a corpus of implementation information that we can turn to to figure out how we can continue to refine 63 in revision four. Obviously the other thing was learning from identity systems getting attacked during the pandemic at a scale that we hadn't yet seen before. So what were the successful attacks? What were the unsuccessful attacks? What could we learn about what was done, what wasn't done in some of those protections that were being put in place at different organizations? And how did that feed back into things?
So I think we had implementation experience. We had a complete shift in the world around identity, where identity went from being a back burner thing to something that was very front and center in a lot of these applications and a lot of these programs. And then we had a corpus of threat evidence and threat information to all build in to understand what was happening and what wasn't happening. I think those were the two major things. And then obviously the third thing that we covered earlier is new technologies. I think a huge thing that 63 attempted to do was lean forward on things like doc auth and biometrics that were starting to scale at the time that it was being developed, but really weren't necessarily widely adopted just yet. We've attempted to keep some of that forward-leaning mentality when it comes to revision four, particularly looking at things like wallet-based credentials or passkeys and stuff like that. How do those fit into the bigger picture and how can we potentially leverage some of those new technologies to both mitigate risk, while also bringing in potentially some convenience and user control where it didn't previously exist.
Christine Owen:
So I actually liked the fact that, I do think that the second revision of dash four is even more forward leaning than the first. And it really dug into the technologies that, back when it was written the first time, we knew were going to start bubbling up and are now really bubbling up: mobile driver's licenses, digital identity wallets, etc. But the one thing that I think that practitioners or people who need to use the guidelines for whatever reason don't always understand is that in between three and the first year after four, there were actually, do you guys call them practice guides? What do you call them?
Ryan Galluzzo:
[inaudible 00:30:23].
Christine Owen:
There were supplemental documents.
Ryan Galluzzo:
And we intend to continue to do that. Are you talking about the implementation resources?
Christine Owen:
Yes.
Ryan Galluzzo:
Or are you talking about the supplement that we put out? Yeah.
Christine Owen:
So I would think it's both because part of that is that there were certain things in dash three. I think I'm too much of an insider of NIST, I think I need a shirt. This is obviously one of my shirts. That is a Jeremy Grant that you and I got to see on stage once. But in three, there were certain technologies that weren't advanced enough to really put into the guidelines and then there was, I think, a supplemental, or it was either that or called the implementation guideline. I don't remember which one you guys called it, but what it did essentially was say, okay, these technologies that were nascent when we published three are not nascent anymore. So here's how you use them effectively to be able to do identity vetting.
Ryan Galluzzo:
So what we try and do with our implementation resources is take things to ideally a next level of detail. So yeah, we put out implementation resources not long after 63-3 was published that included additional information on, if you're doing inspection of documents, what are the security features that you should be looking for? And if you're using specific kinds of authenticators, here's examples of what those... Because to be fair, a lot of times the guidance is not easy to digest if you're not familiar with some of the terminology. And a lot of times we have to use generic forms of statements or more technically focused descriptions of authenticators or technology. And a lot of times practitioners are like, okay, I read "multifactor cryptographic authenticator," what is that? Give me an example of what that is. And so I think what we try and do with the implementation resources is focus more on how do we make it practical and consumable. And then what we did with the supplement this past year was essentially, 800-63-3 didn't really envision the paradigm of being able to potentially share things like authentication keys between different devices controlled by a user, which is what's called the passkey. And again, another example of us making generic terms, we call them syncable authenticators, they could be called passkeys, the FIDO2 web authentication, all of those things. But essentially-
Christine Owen:
Syncable authenticators are a subset of passkeys, passkeys is the overarching?
Ryan Galluzzo:
Essentially, passkeys is a very loaded term and there's a lot of very nuanced conversation that goes on around passkeys. And so what we wanted to do was very specifically focus on that syncable version, which was a new paradigm for 63. And so we released our first ever supplement and that essentially said, look, you can support these kinds of syncable authenticators. And here's the requirements that you should be looking for when doing that. So we use supplements to do things like that. We use implementation resources to try and give people a better understanding of what does this look like in the practical world. I would also say the one thing we're trying to do a lot more as well too is we have the National Cybersecurity Center of Excellence, which for those who don't know about it, it's basically the place where we try and take the words that are in our guidance or in international standards and put them into actual implementable code that can be used as reference architectures and demonstration implementations to help organizations understand what does this look like in the real world?
So right now, one of the things we're doing there is how do you use mobile driver's licenses and verifiable credentials in online workflows. And how can we test out all the different standards that are starting to emerge there so that when we say, yeah, you can use digital evidence in 800-63-3, okay, cool, what does that actually look like and how do I do it? Well, now we've got the NCCoE project that supports it so you can actually see in practice these are all the different things that need to be done and what it does from a risk mitigation perspective. So ideally, we'd have this world of the core guidance, which is where you've got the requirements, but then you've got supporting implementation resources and NCCoE projects so that organizations that are out there going, how on earth do I do this? They've got a better blueprint and a better set of resources at their disposal to actually do the implementation side.
Christine Owen:
But also, this is my guess that I have, we haven't talked about this before, but my assumption is you also probably know who's doing what in the space because they come and tell you, right? So you might be able to connect. I feel like actually I'm positive you've done this with agencies, you connect agencies up if they need help. So you can-
Ryan Galluzzo:
Yeah. [inaudible 00:35:20] of all the different procurement requirements that exist in the world.
Christine Owen:
Exactly.
Ryan Galluzzo:
What we try and do is when we do work in the NCCoE, we've got an entire process with collaborative research and development agreements and a very level set field within the NCCoE. But when it comes to more general conversations, a lot of times we'll take what we've learned from conversations with vendors and stuff like that and provide that as, hey, this is what we're seeing in the space more generically, this is what the vendors are doing in this space. Here's some folks you may want to go talk to about some of the things that are happening. But I want to be clear, we don't create matchmakers for procurements and stuff like that.
Christine Owen:
No, no, no, no. I actually was thinking-
Ryan Galluzzo:
To try and connect people-
Christine Owen:
More as a small agency comes to you and asks questions. You probably know a big one that has had that issue before, right? I would never have you matchmake with vendors. That is not your job.
Ryan Galluzzo:
Yeah, we talked to lots of agencies, we talked to lots of vendors, we talked to lots of members of academia, the research space. So I'm not going to say we have the best view, but I think we have a really good view of a lot of things that are going on. And I think we try and be a collection point for a lot of that stuff to be able to make sure it gets into the guidance where it makes sense, or create connections with our partners to make sure that they've got the ability to share information to the best of their capacity.
Christine Owen:
Yeah. And what's crazy is how many people actually work on these?
Ryan Galluzzo:
The guidance documents?
Christine Owen:
Yeah.
Ryan Galluzzo:
So David Temoshok is the lead for 800-63 and has been for a while now. I'm a co-author. Connie LaSalle is a co-author, Andy Regenscheid. And then we have a really good team of contractors that support us as well too and really are driving it, but it's really about eight to 10 people at the end of the day.
Christine Owen:
Yeah. It's crazy. It's amazing how much you guys do with such a small team.
Ryan Galluzzo:
Thank you. I mean, I think there's a lot of folks in government across the board that have to do a lot of things with what's available from a resource perspective. So I don't know that we're unique in that particular.
Christine Owen:
I agree with you. I agree. But your guidelines aren't just for, I mean the effect is beyond federal, right? It's not just U.S. Federal, it's also commercial really. You see it in state, local, academia, healthcare. You see requirements based on your guidelines in there all the time. And then on top of that, a lot of commercial companies are starting to go back to the guidelines to help figure out what the best way for them to do something is. And then you also have international standards that at least watch us. They used to follow us, but then we completely changed the guidelines. So now they watch us. But I mean there's a lot, it is a pretty wide-ranging ripple effect of these guidelines. They're a lot bigger than just, oh, federal agencies, they have to deal with this, again, which also sometimes vendors feel like that, but there's a lot of other people who also rely on these.
Ryan Galluzzo:
I think to be clear, we have 10 people that work on this, but we've got a huge accelerator in the community. Everything we do is through the public comment periods. And I think this speaks to why we do have the reach that we have with a lot of the work that comes out on NIST is it's because it's a broader collaborative effort and it's not just the 10 people that work here at NIST trying to come up with this stuff. It's taking the input, taking the feedback, taking the learnings from the entire community in a way that actually promotes that kind of adoption and inclusion when it comes to participation. So yeah, eight to 10, 12 of us generally speaking, working on a day-to-day basis, but we're taking the feedback and the best of what's coming out of an entire community of hundreds of thousands of practitioners. So it's not just us. And I think that hopefully speaks to why a lot of people look to and view the work that we do as being as valuable and accessible as it is.
Christine Owen:
I wouldn't call it hundreds of thousands of practitioners though.
Ryan Galluzzo:
I feel like maybe 20. I don't know.
Christine Owen:
Yeah, it's a pretty small community. So let's get into some of the things that changed, I would say more significantly, and I don't want to go into a lot of it. So the risk-based methodology changed significantly. Personally, I love it. But have you started getting feedback on that, or how do you think that's going to be taken? Were you guys a little scared when you pressed send on that one?
Ryan Galluzzo:
No, I wouldn't say scared. Because I mean, this is why we do drafts, right? There's going to be things in all of these documents that people really like, and there's going to be things that people really hate. And we need to be able to understand and balance those different things because a lot of times there's two different worldviews that might exist out there, people who are far more focused on the security side of the house, there are people who might be far more focused on the privacy side of the house, people with a very focused on usability, accessibility. And we have to then take a lot of that feedback and balance it out. So there's going to be all kinds of different worldviews coming to this guidance, and as a result, no one's going to love everything that's in it.
So that's part of the problem. And I think the risk management section is one of those places where we got a lot of very different feedback on it. So when we made the major change in December of '22, one of the things we got rid of were these process step diagrams that basically said if this, then that, then this, then your assurance level. And we got a lot of feedback from people during the comment period that those were too confining and restricting and agencies felt like they had to really focus on a compliance view of the world. And so we decided to go to something that was a bit more RMF-type oriented and aligned that focuses more on the process while providing a bit more flexibility for agencies to really make decisions about the assurance levels based upon their context, their understanding, and less focused on following the lines down the chart. Some people loved the lines down the chart and were very angry that we took those out. And other people were like, this is exactly what we needed to be able to have a more risk-oriented posture when it comes to the guidance.
And so we continued to hew towards the risk-based approach and the risk-based concept within this most recent public draft, but there are two main changes that we made to that section. One, we added a step one I think, but more of a step zero type concept of really understanding the online application that you're attempting to defend and protect. So we call it defining the online application or online service, but it's really like who are the users? What are the data that's being used? What's the user population? What's the threat environment look like? Just collect all that information so you really understand this is the thing. And that helps set all of the other conditions for all the other decisions that you're going to try and make throughout the process, as well as informing you to make sure you understand these are all your different user types in particular.
Because I think one of the things we had started to hear is we were having conversations was the application has the following assurance levels, and that isn't always the right paradigm, particularly if you've got different users that do different things. So if you've got a user that can do nothing more than go in and say like, "Hey, I'd like to request a copy of a super non-sensitive form," that's very different than an administrative user that can potentially add and drop other people or change rights and stuff like that. They should be at a different assurance level. So we wanted to make sure that people were really thinking about all the different roles, all the different user types are going to be in an application. And also not just generally speaking what those are, but what can they actually do and with what data? And that would help inform the rest of the decision making across the board.
The other thing we did back in December that we've doubled down on now is the idea of continuous improvement. And again, this is trying to push away from a focus on conformity and compliance and focus more on how well is what we're doing working. And so we said you have to have a continuous evaluation program in the draft we put out in December of '22. This time we went through and we got a lot of feedback. Hey, you need to have metrics. You need to tell us what we need to be measuring here. So we put in a very large suite of recommended metrics. They're all recommended right now because it's probably going to take some time for organizations to develop the maturity and the data streams and the relationships within their organization that they need to have all that information, but looking at really practically speaking, how good are we doing? How well are we defending against fraud? What's our pass and fail rates? What kind of evidence are people actually using and what's being successful in the process and what's not being successful in the process? Where are we getting complaints? That's a huge thing.
A lot of times, you can understand where your process is not doing the right thing by users calling in and complaining about, Hey, I constantly have to do password reset. Hey, I get stuck trying to use your biometric match all every single time I come through. And you can start to collect that information that's not always in the identity program, that might be with a customer service rep or customer engagement rep. You need to be pulling that in to be able to understand how well you're doing as a program and be able to look at your identity solution as something that is supporting an overall application and really create that picture of what we're doing. And that allows you to adjust your controls over time to be able to say we have an informed perspective on how to apply certain aspects of our process and our controls.
Christine Owen:
Yeah. I think I really liked the concept of pulling apart the users as well and not just saying the application. Because when you do that for pretty much any government application, you're going to find that there's some highly sensitive information in there, and so you're just going to say it's IAL3, AAL3, FAL3 across the board. But that's not really true because, of course that's true for the administrators. But then if it comes down to all a user is doing is submitting a form, an end user that's external is submitting a form, then that's it. So that's not as big of a deal. Especially if it's something, for example, a FOIA system. I mean that can be near anonymous.
Ryan Galluzzo:
Another great example is applications that support guest payments. Those might come out as a moderate or high level overall application because they're processing financial information, but users that are only doing this specific action might be much lower risk. It might not require proofing at all in certain instances. So really being able to understand in a nuanced way all the different things that are happening in the application and that users can and can't do, I think is really important in what we're trying to set up with that initial step in the risk management process.
Christine Owen:
Yeah. And I think it's great. I mean now that I'm on the vendor side and not a practitioner, I think it's even better. I really do think that this is something that has... I think a lot of did a subset of this for a long time anyway, so codifying it is really important. But of course I'm not upset, I'm sure that's going to get filtered into FISMA somehow and it's going to become something else, but I don't have to deal with it. I'm not sad.
The other thing that I think was pretty big is, and again, I'm very happy that there's a lot of discussion on this in the current draft is wallets and MDLs. And I know that that was one of my big comments that just doing a line really wasn't going to cut it for practitioners. So you guys really did a deep dive into that. How did you gather the information to be able to get that deep dive? What are the outside sources that you used able to work on that?
Ryan Galluzzo:
So there is so much going on right now when it comes to things like wallets and the credentials they contain, whether it's mobile driver's licenses or verifiable credentials. We really tried over the past year to embed ourselves in the conversations that were going on at organizations like W3C, the OpenID Foundation. We've had folks like Ketan Mehta who've been working in ISO on the ISO standards around mobile driver's licenses for years now. So really just trying to the best of our ability wrap our arms around where those things were going. But also the important thing to remember with a lot of this stuff is a lot of the standards that are going into using those things online still aren't done. And so when we put out the initial draft in '22, we wanted to again crack the door there, but there wasn't a lot for us to go off of yet because things like 18013-7 were still being developed and in their early stages. A lot of the work being done at the OpenID Foundation around things like OpenID for Verifiable Presentations was still very early days. And now two years on, things have matured a lot more.
So we've been able to see where the overall direction was going and how can we learn from what they were doing there and how the protocols were evolving to be able to start putting together requirements. And again, we try and stay, to the greatest degree possible, in the guide itself, in the requirements development itself, protocol agnostic because there might be protocols developed in two or three years that we weren't envisioning now that we want to be able to meet the requirements, but we don't want to have to say, you have to use a specific protocol to be compliant or to meet our requirements. So we've been watching those things, watching as they evolve.
And I mean, even today, 18013-7 is not yet published. It hopefully will be published pretty soon, which is, for those who don't know, it's got the requirements for the mobile driver's license for online usage. We've also been engaging very heavily with our colleagues across the pond in Europe, who are working on eIDAS 2.0, which mandates the development of European digital identity wallets, being able to observe and get feedback from them on what they're doing, or getting inputs rather from them on what they're doing with their digital wallets and what they're doing with their architectural reference framework. A lot of things we're learning from the work that they're doing as well too. So we're just doing our best to wrap our arms around where the overall space is going with respect to these kinds of implementations. And ideally, hopefully we did a good job on it. I mean, it's probably not going to be perfect yet, but we're hoping to get there to have those core requirements in 63C in particular for how do you actually present something out of these wallets in a way that can be consumed with confidence and with a degree of protection that we're looking for from an assertion perspective. So just a lot of work going on and really wrapping our arms around a lot of the good work that the larger community is doing in this space already.
Christine Owen:
Yeah. And I think that's really important to think about when some of us are crafting those comments [inaudible 00:51:28]. I mean we're all thinking about it, I think in a very similar way, how wallets are going to end up blowing up and changing the way that we interact. I actually thought about it the other day, and I can leave the house with just my mobile device and I would be fine. And a key. I do need a key to drive my car. But I don't need anything else. I don't need a driver's license anymore because Virginia has a mobile driver's license. I have the ability to put payments on my phone and to pay through NFC, so I don't really need much anymore. And when we get to a place where we really double down on verifiable credentials and digital identity wallets, it's going to be amazing. I'm very excited about that. Five years from now.
Ryan Galluzzo:
I think there's a ton of potential, there's a lot of challenges that still need to be worked out as well too, and understanding how this is all going to work at a national level. I think there's still some work to be done there, but tons of potential. And to what I was trying to say earlier, we really wanted to make sure that we got as much right now as we can to make sure that we can open the door to having that future capability within the guidance, particularly as those technologies begin to scale more. And hopefully not get stale, but scale more across the U.S. and become more available. Because again, it's one of the first times that we're starting to see really a form of authoritative identity that is made to be used in a digital manner. A lot of what we do right now is doing our best to gain confidence through physical means of identification like driver's licenses and passports, and it doesn't always convey as well as we'd like into the digital space. And so this is one of the first opportunities we've got to really leverage this emerging technology within the context of how we've done identity proofing and authentication.
Christine Owen:
Yeah. You know what's funny? Is I tried to use my MDL at an airport lounge recently, and they got very angry at me. They told me that they do KYC and it's not allowed in KYC. I said, it will be one day, mark my words. And then I had to go searching. I was very tired. I had to go searching for my driver's license.
Ryan Galluzzo:
One of the things we're really doing with the mobile driver's license project as well too in the NCCoE is trying to get that voice of the relying party understood and help relying parties like that lounge or people doing KYC understand how that fits into their overall context, their regulatory environment, to be able to say... Because again, you can have this great technology, but if the relying parties aren't aware of how it functions, aren't aware of how it aligns to regulation, they're not going to adopt it, which means you just have a digital technology that's not as valuable as it could be. So we really want to make sure that we start to understand how it fits into actual process at the relying party side, how it fits into risk scenarios at the relying party side.
And that's why within the mobile driver's license project, we're focused on essentially three core sectors, like looking at what's being done from a KYC customer identification program perspective in financial institutions and how MDL can fit there or verifiable credentials fit there. Looking at the government sector, so how does it actually fit in practice into our own guidance and guidelines. And then third, looking at the healthcare perspective and how it can support certain use cases there as well too. And we're not confining ourselves to strictly mobile driver's licenses there. So if you're out there and you're thinking about not just driver's licenses, but other forms of digital credentials you'd be interested in, that's something we're exploring as well too.
Christine Owen:
Yeah, I think that's really important because that's essentially what FIDO had to deal with, with passkeys. So what was it? Two and a half years ago, they did a big splash at RSA and said passkeys, and then came the real work was getting relying parties to actually use passkeys. Since then, they've had a massive adoption rate, not only of end users actually signing up and obtaining passkeys, but also of very large U.S., and actually there's a large APEC, lots of people in APEC are doing this too, where those relying parties are using them generally for consumers, but also for internal workforce. Because again, passkeys is a big umbrella, it essentially means FIDO. So I think that that piece is the devil in the details of getting that adoption. And that's definitely, I think you're right. I think we have, the technology is getting better and it's definitely getting there. And so then now we have to have, for example, IDPs be able to consume verifiable credentials or MDLs. And currently in the marketplace there are a couple IDPs, but not all of them can. So getting IDPs either to move to that or creating a federation, be able to push it over. So there's just a lot to definitely continue to do for the wallet space, but I think it's going to be really cool when we get there and I think we're going to get there pretty soon.
Ryan Galluzzo:
There's certainly no lack of work in this space.
Christine Owen:
There's never a lack of work in this space. So I have to end with my favorite question to you, and you know exactly what this question is because it's the hill I will die on, and I tell you this all the time, which is, why won't you pull apart? So why won't you pull apart AAL2?
Ryan Galluzzo:
So we've had a lot of conversations about this and back and forth, and I think the challenge with assurance levels, no matter how you structure them, is that you can always shift the lines left and right a little bit. And with authentication it becomes particularly challenging because of the diversity of authenticators that I think we have today, including things like passkeys, and what becomes AAL2 versus what's not AAL2. And how do you represent that? We could draw the line on one side of SMS OTP, or we can draw the line on OTPs in general or just phishing resistant. And then we've got, oh, what about phishing resistant plus device bound? We could end up with seven assurance levels. Who knows?
I think what we're hoping to see happen with a lot of this and what we're working on is how can you represent a more rich set of authentication content and context in assertions that can allow for agencies to one, say, this is what I want, so that an IDP can respond to it appropriately, but also make sure the IDP can tell you, Hey, look, this is a phishing resistant authentication event.
So ideally we would like for some of that granularity to not necessarily be handled in the assurance levels, but potentially as authentication context within assertions and within technical protocol exchanges to allow those kinds of risk-based decisions. And also, they can be handled in policy as well too. So when you're setting up your federation and say, look, I am happy to accept the following kinds of authenticators. I'm not happy to accept these other ones. So that's where we stand on it because again, drawing lines within the assurance levels is really hard, particularly when you've got that large diversity of authenticators. And in practice, I'm not sure how much it would change the actual implementation of most public facing applications. So that's where we currently stand on it. I know you don't necessarily agree, but.
Christine Owen:
I don't. It's okay. I'm going to keep writing my comments.
Ryan Galluzzo:
We have public comment periods.
Christine Owen:
They're my favorite comments to write. I actually need to go dig up one of my comments so I can double down on it. But yeah, no, I hear you. I understand it. But I think that too many IDPs are not having the level of veracity that they need, especially when it comes to a federated environment. This is something that I also, that's another hill I will die on and something I talked about a lot when I was a practitioner. And so I think that that's a really important piece. But I understand also the amount of ripple effect that would occur within the federal space, and that's the other issue.
So it's been fun as always talking with you. I do want to highlight for one of my friends out there, Timmy, who better watch the show, that you have a very cute Mini Me & You and a [inaudible 01:00:20] outfit right behind you. And I love it. It's so cute. But thank you so much for joining. I love it. I love it. I can't wait to see you probably next week because there's so much going on in DC next week on identity.
Ryan Galluzzo:
We got Identity Week next week.
Christine Owen:
I know. It's crazy. Which probably will not be next week by the time this comes out, but I feel like Identity Week has blown up this year. I didn't think it was going to be as big, but it seems like it's going to be pretty big, so.
Ryan Galluzzo:
It's always a good opportunity to have people in town. It's not often that we get to stay put and have everyone come to us, so it's a good chance to get in touch with people.
Christine Owen:
Yeah, it's a lot of fun. All right, well thanks so much and have a wonderful day everybody.