
5 Key Steps of Effective Digital Identity Risk Management

We use digital identities daily to access some of our most essential personal and professional assets. Many of these digital identities are used to create trust between us and the organization or system we’re seeking to interact with online, from online banking to social media accounts.

But this process is not risk free. There’s the potential for miscommunication, mishaps, and even mistaken identities.

Because of these risks, the U.S. National Institute of Standards and Technology (NIST) has provided guidance on the best ways to harness digital identities while managing the risks they pose. In August 2025, NIST released the fourth revision of its Digital Identity Guidelines (Special Publication 800-63)—the first revision since 2017.

“These guidelines are ultimately intended to make navigating the digital world more secure and convenient by providing a framework to understand online risks and controls that can better protect our critical online services,” according to a blog post from NIST on the new guidelines.

In the guidelines, NIST shares an overview of the digital identity risk management (DIRM) process. It outlines five steps that organizations should take for effective DIRM that meets NIST’s requirements. 


1. Define the Online Service

First, the organization should document a description of the online service’s functional scope, user groups it will serve, the types of online transactions available to each user group, and the underlying data the online service processes through its interfaces.

For instance, a hospital creating an online health portal for patients to connect with primary care doctors would need to assess how patients would use the system, what services should be offered in the portal (such as making appointments or sending follow-up questions to doctors), and the patient data the system will need access to in order to provide those services.

Organizations should also determine the entities that will be impacted by the online service and the broader business process it is part of.

“It is imperative to consider unexpected and undesirable impacts, as well as the scale of impact, on different entities that result from an unauthorized user gaining access to the online service due to a failure of the digital identity system,” NIST explained. “For example, if an attacker obtained unauthorized access to an online service that controls a power plant, the actions taken by the bad actor could have devastating environmental impacts on the local populations that live near the facility and cause power outages for the localities served by the plant.”


2. Conduct an Initial Impact Assessment

In this step, organizations should assess the impact of a compromise of the online service documented in step one, where that compromise results from a failure of the identity system. Each function of the online service should be assessed against a defined set of harms and impact categories, and each user group should be considered separately based on the transactions available to that user group. The harms assessed should include degradation of mission delivery; damage to trust, standing, or reputation; unauthorized access to information; financial loss or liability; and loss of life or danger to human safety, human health, or environmental health.

“For example, for an online service that allows for the control, operation, and monitoring of a water treatment facility, each group of users (e.g. technicians who control and operate the facility, auditors and monitoring officials, system administrators) is considered separately based on the transactions available to that user group through the online service,” NIST explained. “The impact analysis assesses the level of impact (i.e. Low, Moderate, or High) on various impacted entities (e.g., citizens who drink the water, the organization that owns the facility, auditors, monitoring officials) for each of the impact categories being considered if a bad actor obtains unauthorized access to the online service as a member of a user group.”


3. Select Initial Assurance Levels

Next, organizations should evaluate the impact categories and impact levels from step two to determine the initial assurance levels needed to protect the online service from unauthorized access and fraud. Using those assurance levels, organizations then identify baseline controls for the Identity Assurance Level (which mitigates risks from identity spoofing), the Authentication Assurance Level (which mitigates risks from authentication failures), and the Federation Assurance Level (which mitigates risks from federation failures) for each user group, based on the requirements outlined in the NIST companion volumes SP 800-63A, SP 800-63B, and SP 800-63C.

“Organizations should consider the legal, regulatory, or policy requirements that govern online services when making decisions regarding the application of authentication assurance levels and authentication mechanisms,” NIST explained.  


4. Tailor and Document Assurance Level Determinations

Organizations should then conduct or leverage detailed assessments to determine the potential impact of the assurance levels and their controls on privacy, customer experience, and resistance to the current threat environment. These results may require modifying the initially assessed assurance levels and identifying compensating or supplemental controls. Organizations then use this information to create a digital identity acceptance statement that lays out a defined and implementable set of assurance levels and a final set of controls for the online service.

“While identity system costs are not specifically included as an input for DIRM processes or as a metric for continuous evaluation, the costs and cost effectiveness of implementation and long-term operation are inherent considerations for responsible program and risk management,” NIST added. “Based on their available funding and resources, organizations will likely need to make trade-offs that can be more effectively informed by the DIRM process and its outputs.”


5. Continuously Evaluate and Improve

Organizations should gather data on, and evaluate, the performance of the identity management approach they have created. The evaluation should include business impacts, effects on fraud rates, and impacts on the user community. It can be used to determine whether the current assurance levels and controls meet the mission, business, security, and program integrity needs. This process can also help the organization monitor for unintended harms that affect privacy and access. Organizations should further consider where the process can be improved, such as by investing in new technologies or methodologies to counter new threats, improve customer experience, or enhance privacy.

“Continuous improvement is a critical tool for keeping pace with the threat and technology environment and identifying programmatic gaps that need to be addressed to balance risk management objectives,” NIST explained.

Megan Gates is editor-in-chief of Security Technology. Connect with her at [email protected] or on LinkedIn.
