feat: add NIST SP 800-63 Rev 3 Digital Identity Guidelines skill #38
Open
sjackson0109 wants to merge 1 commit into Sushegaad:main from
PLUGIN: nist-sp-800-63
VERSION: 1.0.0
SOURCE: NIST Special Publication 800-63 Rev 3 (June 2017) with errata March 2020
TITLE: Digital Identity Guidelines (four-volume suite: 800-63-3, 800-63A, 800-63B, 800-63C)
PLUGIN STRUCTURE
plugins/nist-sp-800-63/
.claude-plugin/plugin.json
skills/nist-sp-800-63/
SKILL.md
references/
assurance-levels.md
authenticator-requirements.md
identity-proofing.md
FRAMEWORK COVERAGE
NIST SP 800-63 Rev 3 establishes technical requirements for federal digital identity
services across three independently-selectable assurance dimensions: IAL, AAL, and FAL.
1. Identity Assurance Levels (IAL) — SP 800-63A
- IAL1: No identity proofing; self-asserted attributes accepted; appropriate for
anonymous or low-risk services
- IAL2: In-person or supervised remote proofing; documentary evidence required
(Superior, or Strong + 2 Fair); address confirmation; optional biometric binding
- IAL3: In-person proofing only; biometric collection and binding required;
trained operator; physical inspection of security features
2. Authenticator Assurance Levels (AAL) — SP 800-63B
- AAL1: Single-factor authentication; any SP 800-63B authenticator type permitted
- AAL2: Multi-factor authentication; two factors required; SMS/PSTN designated
RESTRICTED (permitted with documented risk assessment and alternative offered);
hardware FIDO2 keys and TOTP apps preferred
- AAL3: Phishing-resistant hardware multi-factor; verifier impersonation resistance
required; FIPS 140 Level 2 overall and Level 3 physical; PIV/CAC or FIDO2 hardware
key with PIN satisfy this requirement
3. Authenticator Types (nine types)
- Memorised Secret: 8-char minimum; no mandatory rotation; no complexity rules;
breach-corpus checks required; Argon2/bcrypt storage required
- Look-Up Secrets: single-use backup codes; AAL1 only
- Out-of-Band (SMS/PSTN): RESTRICTED at AAL2; email OTP not permitted
- Single-Factor OTP (TOTP/HOTP app): TOTP RFC 6238; 6+ digit codes; single-use
- Multi-Factor OTP Hardware: hardware token with PIN activation; FIPS 140 Level 2
- Single-Factor Cryptographic Software: private key in software; AAL1 only
- Single-Factor Cryptographic Device: hardware key with button press; AAL2 as 2nd factor
- Multi-Factor Cryptographic Software: key in software + PIN/biometric; AAL2
- Multi-Factor Cryptographic Device: PIV, CAC, FIDO2 with PIN; AAL2 and AAL3
4. Federation Assurance Levels (FAL) — SP 800-63C
- FAL1: Signed bearer assertions (OIDC RS256 ID token, SAML XML-DSig)
- FAL2: Signed and encrypted for RP (OIDC with RSA-OAEP; SAML with XML Encryption)
- FAL3: Holder-of-key assertions cryptographically bound to subscriber's key
5. Digital Identity Risk Assessment
- Harm categories: inconvenience/distress, financial loss, agency programme harm,
unauthorised information release, personal safety, civil/criminal violations
- Impact levels: Low, Moderate, High
- xAL selection table: Low = IAL1/AAL1/FAL1; Moderate = IAL2/AAL2/FAL2;
High = IAL3/AAL3/FAL3
- Three levels are selected independently (decoupled)
6. Credential Lifecycle — SP 800-63B
- Authenticator binding, enrollment, adding additional authenticators
- Account recovery requirements at AAL2/3 (no KBV as sole mechanism)
- Reauthentication timeouts: AAL1=30 days inactivity; AAL2=30 min/12 hr;
AAL3=15 min/12 hr
- Deprecated practices: mandatory periodic expiry, complexity rules, KBV, hints
7. Identity Proofing Process — SP 800-63A
- Three phases: Resolution, Validation, Verification
- Evidence strength classification: Superior, Strong, Fair, Weak
- Validation methods: automated MRZ/chip, visual inspection, AAMVA/SSA lookup
- Address confirmation: enrollment code via postal mail or USPS NCOA lookup
- KBV limitations: supplementary only; dynamic KBV only; max 3 attempts; 2-week
waiting period after failure; static KBV prohibited
- Privacy requirements: data minimisation, notice, use limitation, retention limits
REFERENCE FILES
references/assurance-levels.md
Detailed requirements tables for IAL1/2/3, AAL1/2/3, and FAL1/2/3. IAL2 and IAL3
proofing requirements in tabular format. AAL requirements with FIPS 140 levels,
phishing resistance, reauthentication times, and permitted/not-permitted factors.
FAL requirements with protocol examples. xAL selection matrix by impact level.
Allowed xAL combinations and notable decoupled use cases. OMB M-19-17 requirements.
PIV/CAC placement in the 800-63B framework. Deprecated practices list.
references/authenticator-requirements.md
Per-authenticator-type definitions, requirements, and AAL eligibility for all nine
types. Memorised secret verifier requirements including hash algorithm requirements.
TOTP/HOTP algorithm requirements. SMS RESTRICTED status explanation and compliance
steps. FIPS 140 requirements per AAL. Reauthentication timeout table. Authenticator
binding, enrollment, and recovery lifecycle. CSP and verifier security requirements.
Commonly used authenticator combinations by use case.
references/identity-proofing.md
Evidence type classification (Superior, Strong, Fair) with examples and required
combinations per IAL. Validation methods (automated, visual, database lookup).
Verification methods for IAL2 (in-person, supervised remote) and IAL3 (in-person
with biometric). Address confirmation requirements and enrollment code requirements.
KBV limitations and waiting periods. Proofing privacy requirements (minimisation,
notice, use limitation, retention). Failed proofing handling. Special scenarios:
mobile, minors, applicants without government-issued ID.
INTEGRATION POINTS
- SP 800-53 Rev 5 (IA family): IA-2 (AAL requirements), IA-5 (authenticator management),
IA-8 (non-organisational users), IA-12 (identity proofing at IAL) directly reference
SP 800-63 assurance levels
- FISMA/OMB M-19-17: Agencies must select xALs based on risk; OMB requires AAL2 minimum
for all federal applications; phishing-resistant auth required for HVAs
- FedRAMP: Uses xAL selection to define authentication requirements in FedRAMP baselines
- PIV (FIPS 201): PIV card is a Multi-Factor Cryptographic Device satisfying IAL2/3,
AAL3, FAL3 when used with TLS channel binding
TESTS
Passed: tests/test_plugin_structure.py - 10/10 (nist-sp-800-63)
test_plugin_json_exists PASSED
test_plugin_json_is_valid PASSED
test_plugin_json_required_fields PASSED
test_plugin_version_semver PASSED
test_skills_directory_exists PASSED
test_skills_directory_has_one_skill_folder PASSED
test_skill_md_exists PASSED
test_skill_md_not_empty PASSED
test_no_files_outside_skill_folder PASSED
test_references_are_markdown PASSED
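The memorised-secret rules summarised in the commit message (8-character minimum, no composition rules, a check against a breach corpus, a salted one-way KDF for storage, and a cap on consecutive failed attempts) are worth seeing as verifier logic. The block below is an added example and is not code from the nist-sp-800-63 plugin or from the PR author. The breach list is a constructed stand-in, the 128-character upper bound and the scrypt cost parameters are this example's own choices (scrypt is used because it is in the Python standard library; the commit text names Argon2/bcrypt, which need third-party packages), and the 100-failure lockout follows the 63B throttling limit.

```python
"""Memorised-secret verifier checks in the style of SP 800-63B section 5.1.1.2.

Added illustration, not code from the nist-sp-800-63 plugin. The breach list,
the upper length bound, the scrypt parameters and the throttle threshold are
assumptions of this example.
"""
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a list of commonly used, expected or compromised values.
BREACHED = {"password", "123456789", "qwerty123", "letmein1"}

MIN_LEN = 8        # user-chosen secrets: at least 8 characters
MAX_LEN = 128      # 63B says permit at least 64; 128 is this example's cap
MAX_FAILURES = 100 # 63B: no more than 100 consecutive failed attempts


def check_memorised_secret(candidate: str, context_words=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Only length is enforced (no composition rules, no hints, no expiry), all
    printing Unicode is allowed, and the value is compared against the breach
    corpus and against context-specific words such as the username.
    """
    reasons = []
    # NFKC-normalise so visually identical Unicode input hashes identically.
    norm = unicodedata.normalize("NFKC", candidate)
    if len(norm) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(norm) > MAX_LEN:
        reasons.append("longer than 128 characters")
    lowered = norm.lower()
    if lowered in BREACHED:
        reasons.append("appears in breach corpus")
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def hash_secret(secret: str, salt: bytes = b"") -> tuple:
    """Salted one-way KDF storage (63B: salt of at least 32 bits, slow function).

    scrypt with n=2**14, r=8 uses about 16 MiB per hash; the parameters are an
    assumption of this example, chosen to make offline guessing expensive.
    """
    salt = salt or os.urandom(16)
    norm = unicodedata.normalize("NFKC", secret).encode("utf-8")
    digest = hashlib.scrypt(norm, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    _, digest = hash_secret(secret, salt)
    return hmac.compare_digest(digest, stored)


class FailureThrottle:
    """Count consecutive failed verifications per account and lock at the limit."""

    def __init__(self):
        self.failures = {}

    def record_failure(self, account: str) -> bool:
        """Return True once the account has hit the consecutive-failure limit."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account] >= MAX_FAILURES

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


if __name__ == "__main__":
    print(check_memorised_secret("password"))
    print(check_memorised_secret("correct horse battery staple"))
    salt, digest = hash_secret("correct horse battery staple")
    print(verify_secret("correct horse battery staple", salt, digest))
```

The order of the checks matters in practice: reject on the cheap length and corpus tests before spending a KDF round, and never truncate the input before hashing.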
NIST SP 800-63 Rev 3 — Digital Identity Guidelines
Source Publication: NIST Special Publication 800-63 Rev 3, June 2017 (with errata March 2020)
CSRC URL: https://csrc.nist.gov/publications/detail/sp/800-63/3/final
This pull request adds a complete Claude skill plugin for NIST SP 800-63 Rev 3, the four-volume Digital Identity Guidelines suite. The skill supports identity architects, IAM engineers, federal agencies, and application developers in selecting assurance levels, implementing identity proofing, and choosing authenticators.
Files Added
Framework Coverage
IAL — Identity Assurance Level (SP 800-63A): IAL1 (no proofing), IAL2 (documentary evidence + supervised remote or in-person proofing), IAL3 (in-person with biometric binding). Full evidence type classification (Superior, Strong, Fair) with examples and required combination tables.
AAL — Authenticator Assurance Level (SP 800-63B): All nine authenticator types documented with AAL eligibility, FIPS 140 requirements, and phishing resistance classification. AAL1 (single-factor), AAL2 (MFA with SMS RESTRICTED), AAL3 (hardware cryptographic MFA with verifier impersonation resistance). Deprecated practices documented (mandatory rotation, complexity rules, KBV, hints).
FAL — Federation Assurance Level (SP 800-63C): FAL1 (signed bearer), FAL2 (signed and encrypted), FAL3 (holder-of-key with subscriber key binding). OIDC and SAML protocol examples per level.
Digital Identity Risk Assessment: SP 800-63-3 Section 6 risk assessment process for selecting xALs. Harm category taxonomy, impact level definitions, and xAL selection matrix by maximum impact level. Decoupled xAL selection guidance with example scenarios.
Credential Lifecycle: Authenticator binding, enrollment, adding new authenticators, account recovery (no KBV as sole mechanism). Reauthentication timeouts per AAL. PIV/CAC placement in the 800-63B framework.
Reference Files
references/assurance-levels.md — Full IAL2/3 requirements in tabular format. AAL1/2/3 requirements with FIPS 140 levels, reauthentication timeouts, and phishing resistance. FAL1/2/3 requirements with protocol examples. xAL selection matrix and allowed xAL combinations. OMB M-19-17 supplemental requirements. PIV placement. Deprecated practices.
references/authenticator-requirements.md — Per-type requirements for all nine authenticator types. TOTP/HOTP algorithm requirements. SMS RESTRICTED compliance steps. FIPS 140 requirements per AAL. Verifier and CSP security requirements. Commonly used authenticator combinations by use case.
references/identity-proofing.md — Evidence type classification and required combinations. Validation methods (automated, visual, database). Verification methods for IAL2 and IAL3. Address confirmation and enrollment code requirements. KBV limitations and waiting periods. Privacy requirements. Failed proofing handling procedures.
Integration Points
Tests
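The PR describes the TOTP/HOTP algorithm requirements (RFC 6238, at least six digits, single-use codes) and the per-AAL reauthentication timeouts. The block below is an added example, not code from the nist-sp-800-63 plugin or from the PR author, showing a single-factor OTP verifier that refuses replayed codes and a session check applying the Table 7-1 limits (AAL1: 30 days; AAL2: 12 hours absolute or 30 minutes idle; AAL3: 12 hours or 15 minutes idle). The one-step clock-drift window, the seed, and the clock values are assumptions of this example; the seed is the RFC 4226/6238 test-vector key.

```python
"""Single-factor OTP (RFC 4226 HOTP / RFC 6238 TOTP) verification with
single-use enforcement, plus the SP 800-63B Table 7-1 reauthentication limits.

Added illustration, not code from the nist-sp-800-63 plugin. The drift window,
seed and timestamps are assumptions of this example.
"""
import hashlib
import hmac
import struct

STEP = 30         # RFC 6238 default time step, seconds
DIGITS = 6        # 63B: OTP output of at least 6 decimal digits
DRIFT_STEPS = 1   # accept one step either side for clock skew (assumption)

# Table 7-1 as (absolute session lifetime, inactivity limit) in seconds.
REAUTH = {
    1: (30 * 24 * 3600, None),   # AAL1: 30 days, no inactivity limit
    2: (12 * 3600, 30 * 60),     # AAL2: 12 hours or 30 minutes idle
    3: (12 * 3600, 15 * 60),     # AAL3: 12 hours or 15 minutes idle
}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP)


class TotpVerifier:
    """Remembers the last accepted time step so a code can never be replayed,
    even inside the drift window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = unix_time // STEP
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_step:
                continue  # already consumed: single-use rule
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


def needs_reauth(aal: int, session_start: int, last_activity: int, now: int) -> bool:
    """True when the session has exceeded the absolute or inactivity limit for its AAL."""
    absolute, idle = REAUTH[aal]
    if now - session_start >= absolute:
        return True
    if idle is not None and now - last_activity >= idle:
        return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector key
    v = TotpVerifier(seed)
    print(totp(seed, 59), v.verify(totp(seed, 59), 59), v.verify(totp(seed, 59), 59))
    print(needs_reauth(2, 0, 1700, 1800), needs_reauth(2, 0, 0, 1800))
```

The verifier compares the whole code with hmac.compare_digest rather than string equality, and it advances last_step on success so that the same code presented again within the drift window, or a code for an earlier step, is rejected.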