NIH Update August 2023: Making Sure Your Identity Proofing Processes Are Ready
By Tom Barton, InCommon Research Consultant, Internet2
On April 20, InCommon hosted a briefing on the InCommon community’s readiness to support access to National Institutes of Health (NIH) services (see “Key Resources from MFA and Identity Requirements Webinar”).
As discussed during the briefing, over time all NIH sensitive data services will require some form of identity assurance in addition to multifactor authentication (MFA) to protect access to their sensitive data.
- Identity assurance – confidence that a person’s claimed identity is their real identity, expressed as a level or degree of confidence.
- Identity proofing – the process by which identity information about a person is collected, validated, and verified to pertain to them.
Mapping NIST to REFEDS Global Federation Standards
From a federal agency compliance perspective, sensitive data services are required to enforce an “IAL2” level of identity proofing as defined by NIST SP 800-63. However, many will also accept an “IAP high” level of proofing as defined by the REFEDS Assurance Framework (RAF) as a compensating control. This is motivated, in part, by the need to support extramural researchers who are not U.S.-based and are unlikely to be able to meet the U.S.-centric IAL2 requirements.
More than half of all InCommon Federation members have active NIH researchers; hence campus identity and access management (IAM) teams have a stake in ensuring that an upcoming new version of RAF, v2.0, addresses their specific circumstances.
The current version of RAF, v1.0, defers the specific requirements for IAP high to one of two external specifications. A draft of RAF 2.0 has been completed that in-sources all requirements for IAP high, which is intended to make the specifications a bit clearer both for implementers at campuses and for relying parties like NIH. It also specifically addresses “unsupervised remote” identity proofing, an entirely automated self-service means of proving identity that is not properly addressed in either of the external standards referenced by RAF 1.0. You can share feedback or questions by sending a message to email@example.com.
Get and Stay NIH Ready
Be sure to check our Get NIH Ready wiki for updates and other information.
Key Resources from MFA and Identity Requirements Webinar
On April 20, InCommon hosted a briefing on the InCommon community’s readiness to support NIH, featuring Jeff Erikson, chief of identity and access management at NIH, with Ann West, associate vice president, Trust & Identity at Internet2, moderating and taking questions. There were quite a few, and we created an updated FAQ based on the questions we received from community members and their corresponding answers.