Identity and Access Management Standards - IT Security Pundit

Wednesday, May 26, 2021

IAM Standards
Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies for ensuring that the right users (in an enterprise) have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources, but also the hardware and applications employees need to access. Identity and access management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly rigorous and complex.

ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques WG5 Identity Access Management and Privacy techniques) has done some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of identity-related terms. 

The published standards and current work items include the following:

  1. ISO/IEC 24760-1:2019 IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts
  2. ISO/IEC 24760-2:2015 Information technology - Security techniques - A framework for identity management - Part 2: Reference architecture and requirements
  3. ISO/IEC 24760-3:2016 Information technology - Security techniques - A framework for identity management - Part 3: Practice
  4. ISO/IEC 29115:2013 Information technology - Security techniques - Entity authentication assurance framework
  5. ISO/IEC 29146:2016 Information technology - Security techniques - A framework for access management
  6. ISO/IEC 29100:2011 Information technology - Security techniques - Privacy framework
  7. ISO/IEC 29101:2018 Information technology - Security techniques - Privacy architecture framework
  8. ISO/IEC TS 29003:2018 Information technology - Security techniques - Identity proofing
  9. ISO/IEC 29134:2017 Information technology - Security techniques - Guidelines for privacy impact assessment

NIST

Identity and Access Management is a fundamental and critical cybersecurity capability. Simply put, with its focus on foundational and applied research and standards, NIST seeks to ensure the right people and things have the right access to the right resources at the right time.

NIST Projects

  1. NIST Special Publication 800-63 Digital Identity Guidelines
  2. Personal Identity Verification (PIV)
  3. NCCOE Identity and Access Management
  4. Biometrics at NIST
  5. Control Policy Test Technologies (ACPT and ACRLCS)
  6. Policy Machine and Next Generation Access Control


NIST Roadmaps
OMB Policy Memo M-19-17 assigned the Department of Commerce (NIST) the responsibility to publish and maintain a roadmap for developing new and updating existing NIST guidance related to Identity and Access Management (ICAM). NIST Information Technology Laboratory will publish and update this Roadmap at the NIST Identity and Access Management Resource Center. The Roadmap presents milestone activities, projected activity completion dates by fiscal year quarter, and explanatory notes for the following activities:
