diff --git a/sp800-63-3/cover.md b/sp800-63-3/cover.md index fd038df0..aa2b6cad 100644 --- a/sp800-63-3/cover.md +++ b/sp800-63-3/cover.md @@ -1,6 +1,6 @@
-# DRAFT NIST Special Publication 800-63 +# NIST Special Publication 800-63 # Revision 3 ![](sp800-63-3/media/div-1.png) @@ -21,7 +21,7 @@ https://doi.org/10.6028/NIST.SP.800-63-3
-# DRAFT NIST Special Publication 800-63-3 +# NIST Special Publication 800-63-3 # Digital Identity Guidelines diff --git a/sp800-63-3/sec5_DIRM.md b/sp800-63-3/sec5_DIRM.md index f4c799d2..86f3614b 100644 --- a/sp800-63-3/sec5_DIRM.md +++ b/sp800-63-3/sec5_DIRM.md 
@@ -89,7 +89,7 @@ The three potential impact values are: The assurance level determination is only based on transactions that are part of a digital system. An online transaction may not be equivalent to a complete business process that requires offline processing, or online processing in a completely segmented system. In selecting the appropriate assurance levels, the agency should assess the risk associated with online transactions they are offering via the digital service, not the entire business process associated with the provided benefit or service. For example, in an online survey, personal information may be collected, but it is never made available online to the submitter after the information is saved. In this instance, it is important for the information to be carefully protected in backend systems, but there is no reason to identity proof or even authenticate the user providing the information for the purposes of their own access to the system or its associated benefits. The online transaction is solely a submission of the data. The entire business process may require a significant amount of data validation, without ever needing to know if the correct person submitted the information. In this scenario, there is no need for any identity proofing nor authentication. -Another example where the assessed risk could differ if the agency evaluated the entire business process rather than the online transaction requirements is a digital service that accepts résumés to apply for open job postings. In this use case, the digital service allows an individual to submit--or at least does not restrict an individual from submitting--a résumé on behalf of anyone else, and in subsequent visits to the site, access the résumé for various purposes. Since the résumé information is available to the user in later sessions, and is likely to contain personal information, the agency must select an AAL that requires MFA, even though the user self-asserted the personal information. 
In this case, the requirements of [EO 13681](#eo13681) apply and the application must provide at least AAL2. However, the identity proofing requirements remain unclear. The entire business process of examining a résumé and ultimately hiring and onboarding a person requires a significant amount of identity proofing. The agency needs a high level of confidence that the job applicant is in fact the subject of the résumé submitted online if a decision to hire is made. Yet this level of proofing is not required to submit the résumé online. Identity proofing is not required to complete the digital portion of the transaction successfully. Identity proofing the submitter would create more risk than required in the online system as excess personal information would be collected when no such information is needed for the portion of the hiring process served by the digital job application portal and may reduce usability. Therefore, the most appropriate IAL selection would be 1. There is no need to identity proof the user to successfully complete the online transaction. This decision for the online portal itself is independent of a seemingly obvious identity proofing requirement for the entire business process, lest a job be offered to a fraudulent applicant. +Another example where the assessed risk could differ if the agency evaluated the entire business process rather than the online transaction requirements is a digital service that accepts résumés to apply for open job postings. In this use case, the digital service allows an individual to submit--or at least does not restrict an individual from submitting--a résumé on behalf of anyone else, and in subsequent visits to the site, access the résumé for various purposes. Since the résumé information is available to the user in later sessions, and is likely to contain personal information, the agency must select an AAL that requires MFA, even though the user self-asserted the personal information. 
In this case, the requirements of [EO 13681](#EO13681) apply and the application must provide at least AAL2. However, the identity proofing requirements remain unclear. The entire business process of examining a résumé and ultimately hiring and onboarding a person requires a significant amount of identity proofing. The agency needs a high level of confidence that the job applicant is in fact the subject of the résumé submitted online if a decision to hire is made. Yet this level of proofing is not required to submit the résumé online. Identity proofing is not required to complete the digital portion of the transaction successfully. Identity proofing the submitter would create more risk than required in the online system as excess personal information would be collected when no such information is needed for the portion of the hiring process served by the digital job application portal and may reduce usability. Therefore, the most appropriate IAL selection would be 1. There is no need to identity proof the user to successfully complete the online transaction. This decision for the online portal itself is independent of a seemingly obvious identity proofing requirement for the entire business process, lest a job be offered to a fraudulent applicant. #### 5.3.2 Impacts per Category diff --git a/sp800-63a/cover.md b/sp800-63a/cover.md index 24655209..e6b70aed 100644 --- a/sp800-63a/cover.md +++ b/sp800-63a/cover.md @@ -1,6 +1,6 @@
-# DRAFT NIST Special Publication 800-63A +# NIST Special Publication 800-63A ![](sp800-63-3/media/div-1.png) @@ -32,7 +32,7 @@ https://doi.org/10.6028/NIST.SP.800-63a
-# DRAFT NIST Special Publication 800-63A +# NIST Special Publication 800-63A # Digital Identity Guidelines diff --git a/sp800-63a/sec3_definitions.md b/sp800-63a/sec3_definitions.md index 6f6090a2..64597067 100644 --- a/sp800-63a/sec3_definitions.md +++ b/sp800-63a/sec3_definitions.md @@ -4,4 +4,4 @@ ## 3 Definitions and Abbreviations -See [800-63, Appendix A](https://pages.nist.gov/800-63-3/sp800-63-3.html#def-and-acr) for a complete set of definitions and abbreviations. \ No newline at end of file +See [800-63, Appendix A](sp800-63-3.html#def-and-acr) for a complete set of definitions and abbreviations. \ No newline at end of file diff --git a/sp800-63a/sec4_ial.md b/sp800-63a/sec4_ial.md index 3a7ec368..5d479eb4 100644 --- a/sp800-63a/sec4_ial.md +++ b/sp800-63a/sec4_ial.md @@ -267,10 +267,10 @@ _This section is informative._ Requirement | IAL1 | IAL2 | IAL3 ------------|-------|-------|------- Presence|No requirements|In-person and unsupervised remote.|In-person and supervised remote. -Resolution|No requirements|The minimum attributes necessary to accomplish identity resolution.

KBV may be used for added confidence.| Same as IAL2 +Resolution|No requirements|The minimum attributes necessary to accomplish identity resolution.

KBV may be used for added confidence.| Same as IAL2. Evidence|No identity evidence is collected| - One piece of SUPERIOR or STRONG evidence depending on strength of original proof and validation occurs with issuing source, or

- Two pieces of STRONG evidence, or

- One piece of STRONG evidence plus two (2) pieces of FAIR evidence.|- Two pieces of SUPERIOR evidence, or

- One piece of SUPERIOR evidence and one piece of STRONG evidence depending on strength of original proof and validation occurs with issuing source, or

- Two pieces of STRONG evidence plus one piece of FAIR evidence. Validation|No validation|Each piece of evidence must be validated with a process that is able to achieve the same strength as the evidence presented.|Same as IAL2. Verification| No verification |Verified by a process that is able to achieve a strength of STRONG.|Verified by a process that is able to achieve a strength of SUPERIOR.
Address Confirmation|No requirements for address confirmation|Required. Enrollment code sent to any address of record. Notification sent by means different from enrollment code.|Required. Notification of proofing to postal address. Biometric Collection|No|Optional|Mandatory -Security Controls|N/A|[SP 800-53](#SP800-53) Moderate Baseline (or equivalent federal or industry standard)|[SP 800-53](#SP800-53) High Baseline (or equivalent federal or industry standard) +Security Controls|N/A|[SP 800-53](#SP800-53) Moderate Baseline (or equivalent federal or industry standard).|[SP 800-53](#SP800-53) High Baseline (or equivalent federal or industry standard). diff --git a/sp800-63b/cover.md b/sp800-63b/cover.md index 41aa1c03..67f994ec 100644 --- a/sp800-63b/cover.md +++ b/sp800-63b/cover.md @@ -1,7 +1,7 @@
-# DRAFT NIST Special Publication 800-63B +# NIST Special Publication 800-63B ![](sp800-63-3/media/div-1.png) @@ -30,8 +30,8 @@ Yee-Yin Choong Kristen K. Greene Mary F. Theofanos -This publication is available free of charge from: -https://doi.org/10.6028/NIST.SP.800-63b +This publication is available free of charge from: +https://doi.org/10.6028/NIST.SP.800-63b ![](sp800-63-3/media/csd.png) @@ -39,7 +39,7 @@ https://doi.org/10.6028/NIST.SP.800-63b
-# DRAFT NIST Special Publication 800-63B +# NIST Special Publication 800-63B # Digital Identity Guidelines @@ -88,9 +88,8 @@ Mary F. Theofanos *Information Access Division Information Technology Laboratory* -This publication is available free of charge from: -https://doi.org/10.6028/NIST.SP.800-63b - +This publication is available free of charge from: +https://doi.org/10.6028/NIST.SP.800-63b Month TBD 2017 @@ -123,8 +122,6 @@ National Institute of Standards and Technology Special Publication 800-63B Natl. Inst. Stand. Technol. Spec. Publ. 800-63B, xxx pages (MonthTBD 2017) CODEN: NSPUE2 - - This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-63b diff --git a/sp800-63c/cover.md b/sp800-63c/cover.md index cacdbe6f..7a42f3e9 100644 --- a/sp800-63c/cover.md +++ b/sp800-63c/cover.md @@ -1,6 +1,6 @@
-# DRAFT NIST Special Publication 800-63C +# NIST Special Publication 800-63C ![](sp800-63-3/media/div-1.png) @@ -33,7 +33,7 @@ https://doi.org/10.6028/NIST.SP.800-63c
-# DRAFT NIST Special Publication 800-63C +# NIST Special Publication 800-63C # Digital Identity Guidelines diff --git a/sp800-63c/sec8_security.md b/sp800-63c/sec8_security.md index 46411821..e0511f3c 100644 --- a/sp800-63c/sec8_security.md +++ b/sp800-63c/sec8_security.md @@ -45,7 +45,7 @@ Mechanisms that assist in mitigating the threats identified above are identified | | Send assertion over an authenticated protected channel authenticating the IdP | [7.1](#back-channel), [7.2](#front-channel) | | | Include a non-guessable random identifier in the assertion | [6.2.1](#assertion-id) | | Assertion disclosure | Send assertion over an authenticated protected channel authenticating the RP | [7.1](#back-channel), [7.2](#front-channel) | -| | Encrypt assertion for a specific RP (may be accomplished by use of a mutually authenticated protected channel) | [6.2.3](#encrypted-assertion) | [6.2.3] | +| | Encrypt assertion for a specific RP (may be accomplished by use of a mutually authenticated protected channel) | [6.2.3](#encrypted-assertion) | | Assertion repudiation by the IdP | Cryptographically sign the assertion at the IdP with a key that supports non-repudiation; verify signature at RP | [6.2.2](#signed-assertion) | | Assertion repudiation by the subscriber | Issue holder-of-key assertions; proof of possession of presented key verifies subscriber's participation | [6.1.2](#holderofkey) | | Assertion redirect | Include identity of the RP ("audience") for which the assertion is issued in its signed content; RP verifies that they are intended recipient | [6](#assertions), [7.1](#back-channel), [7.2](#front-channel) |
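Review bot: in the sp800-63-3/sec5_DIRM.md hunk the only substantive change is the anchor case, `[EO 13681](#eo13681)` becoming `[EO 13681](#EO13681)`; HTML fragment identifiers are case-sensitive and nothing else in this patch touches the reference entry, so confirm the references section of 800-63-3 actually defines the id as `EO13681` (not `eo13681`) or the link goes from working to dead. A one-character anchor fix is also easier to review when it is not buried in a rewrite of the full paragraph; keep such fixes as minimal line edits where the source allows.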
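Review bot: in the sp800-63a/sec3_definitions.md hunk the new relative target `sp800-63-3.html#def-and-acr` only resolves if the rendered 800-63A page is served from the same directory as sp800-63-3.html; the source file sits under `sp800-63a/` while the other hunks reference images as `sp800-63-3/media/...`, so verify that the site build emits all volumes side by side before dropping the absolute `https://pages.nist.gov/800-63-3/` prefix. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides); add one while this line is being edited.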
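Review bot: in the sp800-63a/sec4_ial.md hunk the trailing periods added to "Same as IAL2." and to the two Security Controls cells leave the table inconsistent: the Biometric Collection row (`No|Optional|Mandatory`) and the Presence row still have no terminal punctuation while the Address Confirmation cells already do, so settle on one convention for the whole table. Separately, the Resolution row being edited still carries a blank line and the "KBV may be used for added confidence." sentence inside a pipe-table cell, which most Markdown renderers will not keep within the cell; since the hunk rewrites this exact row, fold the cell onto one line (for example with `<br>` if a break is wanted).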
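Review bot: in the sp800-63b/cover.md hunks at `@@ -30,8 +30,8 @@` and `@@ -88,9 +88,8 @@` the replaced lines "This publication is available free of charge from:" and the DOI URL are visually identical on both sides, so the change is whitespace only; if it strips the two trailing spaces Markdown uses as a hard line break, the DOI will render on the same line as the sentence before it. State in the commit message what the whitespace change is (trailing spaces versus line endings) and check the rendered cover.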
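Review bot: in the sp800-63b/cover.md hunk at `@@ -123,8 +122,6 @@` the title loses its DRAFT marking while the same file still shows "Month TBD 2017" and "xxx pages (MonthTBD 2017)" as the publication date and page count; a cover that no longer says DRAFT should not carry placeholders, so either fill these in or keep the draft label until the values are known.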
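Review bot: in the sp800-63c/sec8_security.md hunk removing the stray trailing `| [6.2.3] |` cell is the right fix, since the table has three columns and the extra cell would render as a fourth column or be dropped silently depending on the renderer; the other rows visible in this hunk are clean, so check the remaining mitigation rows in the file for the same copy-paste artifact before merging.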