NIST 800-63-3 is a set of guidelines published by the National Institute of Standards and Technology (NIST) for digital identity management and authentication. These guidelines provide recommendations for digital identity proofing, authentication protocols, and federation models. NIST 800-63-3 is widely recognized as a valuable resource for organizations looking to improve the security of their digital identity systems and reduce the risk of fraud and identity theft.

It is also essential for government agencies because it works. For instance, state governments using solutions aligned with NIST Identity Assurance Level 2 (IAL2) standards saw a significant decrease in fraudulent COVID-19 unemployment claims. Whether adapting to changing mandates or incorporating industry standards such as NIST 800-63-3, Karsun has a solution to ease the adoption of security best practices during modernization.

The NIST 800-63-Standard

NIST 800-63-3 was released in June 2017. The guidelines were intended to improve online identity verification’s security and usability while addressing new threats and challenges that have emerged in recent years.

The guidelines are organized into three parts:

  1. Digital Identity Guidelines: Guides establishing digital identity proofing and authentication procedures.
  2. Authentication and Lifecycle Management Guidelines: Describes implementing and managing identity credentials and authentication.
  3. Federation and Assertions Guidelines: Provides guidance for federated identity systems and how to use assertions to share identity information between systems.

Since introducing NIST 800-63-3, these standards have become industry best practices for identity management. In addition to NIST 800-63-3 compliance, agencies are prioritizing Zero Trust as a key component of securing the User and App pillar. For example, the FAA’s 2022 AIT annual report states, “[its] network environment now operates within a Zero Trust security model, which requires users to be authenticated, authorized, and continuously validated to be granted access to a network, system, or application.” The agency’s cybersecurity-related improvement activities support the transition to Zero Trust, as well as its implementation of a new multi-factor authentication (MFA) service for users who would like to access the FAA’s network, systems, and applications.

Complementing Secure By Design Architecture

At Karsun, incorporating NIST 800-63-3 standards is part of designing secure digital architecture. Incorporating these guidelines into a secure by design architecture involves creating systems and applications with security considerations at every stage of the development process, from design to deployment.

The guidelines recommend using risk-based authentication (RBA) to assess the risk associated with each access attempt. We design systems and applications with RBA in mind and implement automated risk assessment tools to make real-time decisions about access requests.

Key to our solutions is NIST 800-63-3 adherent identity proofing. This process involves verifying user identities using multiple sources of data. We incorporate these guidelines into the design process to ensure that user identities are verified before granting access. We also consider federation and assertions. We integrate NIST 800-63-3 standards into the design process if the system or application interacts with other systems or applications.

In addition, NIST 800-63-3’s guidelines on digital identity proofing can help organizations implement identity verification procedures consistent with the zero trust principle of “never trust, always verify.” By using a risk-based approach to identity proofing, organizations can better assess the trustworthiness of each user and device and limit access to sensitive data and applications only to those users and devices verified to be trustworthy.

We design systems and applications with secure coding practices in mind and follow best practices for secure coding throughout development. In our implementation, we automated mobile testing via functional testing tools like Appium. We used code scanning and container image scanning tools to identify and mitigate vulnerabilities earlier and address those issues before deployment.

By incorporating NIST 800-63-3 guidelines and a zero trust framework into a secure by design architecture, agencies can develop systems and applications that are secure by default and can better protect sensitive data and resources.

Complexities to Implementing Authentication

While adhering to these standards is essential to building a secure application, it introduces added complexity to modernization projects. The standards specify appropriate authentication approaches based on different risk levels. Each has extensive rules, and the requirements for various authenticators may be overwhelming, unclear, ambiguous, and conflicting. Addressing each of these Authentication Levels across devices effectively can hinder the successful adoption of the security standards.

Identity Reference Framework

To meet this challenge, Karsun introduced an Identity, Credential and Access Management (ICAM) reference implementation. We customized the Keycloack open source tool via a specific Service Provider Interface (SPI) to address the complex NIST authenticator requirements while accelerating the adoption of those standards. Our team began with a risk based assessment, identifying the authentication workflows and their requirements based on risk level.

Next, using Keycloak, we created custom implementations for each workflow. Using these workflows, we created custom templates for new user sign-up forms. We also adapted these custom templates to adhere to US Digital Services (USDS) standards. This approach created a repeatable identify framework we could implement as a plug-in that can be deployed over an open source Keycloak container. 

Not only does this approach reduce complexity, but it is also a more secure implementation. It allows the user, when appropriate, to use authentication other than a simple password. When using an authentication type such as FIDO2, the user enters a PIN or uses biometrics to authenticate successfully, then the authenticator uses the key in the device to sign the challenge from the identity provider. Thus the key never leaves the device. Using this highest-level-without-password/passwordless approach was more secure while simultaneously providing a better user experience.

Additionally, by using Keycloak to build our own identity reference framework library, we addressed a common concern with implementing open source tools. Using a template library created a clear separation between Keycloak and our ability to update the plug-in. We designed the library to keep the templates up to date and maintain the application’s security rather than relying on Keycloak itself.

Accelerating Identity and Access Management Adoption

Like many Karsun toolkit components, these identity reference framework resources are available to our team members to use through our InnerSource library. Evolving from an Innovation Center research and development project to a validated implementation, it can now be used as one of our readymade toolkits. All Karsun teams now have access to these vital resources and ensure that our teams can accelerate the implementation of emerging identity and ICAM standards in your agency’s modernization efforts. 

Content from this post initially appeared from Pavan Kurkal as part of Karsun’s Monthly Innovation Town Hall series. These events present innovative solutions from our delivery teams across Karsun. Pavan is an engineer with the Karsun Innovation Center specializing in identity and access management.

HERNDON, VA – Capitalizing on rapid growth across its portfolios, Karsun Solutions, an enterprise modernization firm serving the U.S. government, announced the appointment of multiple IT industry leaders to key business development and client solutions roles. Those appointments include industry veterans Neal Smith to Senior Director of Digital Transformation, PJ Henry to Director and Megan Mattingly to Capture Manager. Karsun Solutions also announced an expansion of Director Jason Marceau’s responsibilities into the firms expanding Business Solutions Practice.

Karsun Solutions serves customers at agencies including the Department of Homeland Security (DHS), Department of Transportation (DOT) and General Services Administration (GSA). The firm won multiple $100 million plus contracts growing its revenue by more than 1500% over its first ten years. In September 2019 it moved into a new 75,000 square foot headquarters, a reflection of the more than 2400% growth in headcount.

“As a rapidly growing company, Karsun Solutions exists in a space different from more established firms with similar-sized contracts,” said Senior Director of Business Development Juan Robles.  “Growing our capture and solutions teams gives Karsun the ability to leverage resources not typically available to smaller organizations.”

With a strong pipeline, leadership at Karsun Solutions is prioritizing the growth of its capture and solutions infrastructure as it launches into the next decade. The Karsun Solutions Capture Team adds industry veteran PJ Henry. Henry, a 25-year industry veteran, joins as a Director of Business Development. With extensive public sector experience, his resume includes time as a capture lead for the Department of Homeland Security, Department of Justice and Department of Transportation at Booz Allen Hamilton. Henry was also previously a senior business development lead for the Department of Homeland Security, Department of Justice and the State Department at LMI.

In addition to a growing capture infrastructure, Karsun Solutions has also named Neal Smith a Senior Director of Digital Transformation in its Business Solutions Practice. Smith is a seasoned digital transformation executive. Prior to Karsun Solutions, he served at Salient CRGT and Maga Design. Smith has over 23 years of experience in IT services sales, delivery.  Smith brings together customer focus and technical innovation to solutions for the federal government.

Megan Mattingly also recently joined Karsun Solutions as a Capture Manager. Bringing nine years in capture and business development, her background includes deep experience in Mergers and Acquisitions.

About Karsun Solutions

Karsun Solutions

Karsun Solutions serves customers at agencies including DHS, DOT and GSA. It is guided by an innovation-based and performance-driven culture. Its teams deliver extraordinary software development, cloud and advanced analytics solutions to its customers.

In November 2019 GSA awarded the company a spot on its COMET BPA. It also has work at GSA under the $35 million Database and Middleware Systems (DMS) Task Order awarded in October 2018. Last year the company also began work in its FEMA GMM program. DHS awarded Karsun Solutions this five-year single award BPA with a ceiling value of $80 million. It was the first award won by Karsun Solutions under a Full and Open Competition. The company also continues to work under the FAA SSD contract, a five-year Indefinite Delivery/Indefinite Quantity (IDIQ) contract with a $145 million ceiling value.

Growth across the firm’s public sector portfolios resulted in a bevy of national and regional awards. This includes both repeated recognition on the Inc. 5000 and in the Washington Business Journal.  Its commitment to quality includes a DCAA Approved Accounting System, AWS Government Competency, a CMMI Level 5 – DEV appraisal plus ISO 9001, ISO 20000 and ISO 27001 certifications.