In Effect United States Government, Federal Contractors, Healthcare

NIST SP 800-63 (IAL2/IAL3)

NIST Special Publication 800-63 Digital Identity Guidelines – Identity Assurance Levels

Federal agencies must use NIST 800-63 IAL2 or IAL3 identity proofing for digital service access. Contractors serving federal agencies must meet the same standard.

Effective: June 22, 2017 Verified: July 2026 Official source

What this covers

NIST SP 800-63 defines three Identity Assurance Levels: IAL1 (self-asserted, no verification), IAL2 (remote or in-person identity proofing with document verification and binding to a biometric), and IAL3 (in-person or supervised remote proofing with a trained CSP representative).

Federal agencies must use IAL2 or IAL3 for most sensitive services. If you're building for a government contract or serving VA, IRS, Social Security, or similar programs, your identity verification vendor needs to support 800-63 IAL2 at minimum. IAL3 is required for high-value transactions or access to classified systems.

The 800-63-4 revision is in draft. It tightens biometric performance requirements and adds provisions for continuous authentication. Vendors certified for 800-63-3 should confirm 800-63-4 readiness with their compliance team before the final publication date.

Frequently asked questions

What is the difference between IAL1, IAL2, and IAL3?

IAL1 requires no identity proofing (self-asserted). IAL2 requires remote or in-person identity proofing with document verification and biometric binding. IAL3 requires in-person or supervised remote proofing with a trained CSP representative.

Which federal programs require NIST 800-63 IAL2?

Programs that grant access to sensitive government data or systems. Common examples: healthcare.gov enrollment, IRS e-services, VA.gov, and state-level Medicaid systems. Also required for PIV/CAC credential issuance.

Does NIST SP 800-63-4 change anything for vendors?

The draft 800-63-4 revision strengthens requirements for continuous authentication and biometric performance standards. Vendors currently certified for 800-63-3 IAL2 should confirm 800-63-4 readiness with their compliance team.