Before you finalize an FY 2027 budget ask, run every digital identity vendor through 25 questions grouped into five areas: standards, threat resistance, procurement, integration, and proof. The right answers separate a deployed provider from a slide deck. Most public sector leaders are still using question banks written in 2023, before NIST finalized SP 800-63-4 and before generative AI broke remote identity proofing.
A 2023 question list cannot detect a 2026-ready vendor. The standard changed in July 2025. The threats changed faster. This article gives you the exact questions, the acceptable answers, and the red-flag responses that should end an evaluation. Each question is written so an OMB reviewer or appropriations staffer can use it to defend or challenge a budget line.
Key Takeaways
- NIST SP 800-63-4, finalized July 2025, replaced checklist compliance with a risk-based model and now recognizes mobile driver’s licenses and verifiable credentials as IAL2 evidence.
- Deepfake biometric fraud attempts rose 58% and injection attacks rose 40% year over year, breaking remote identity proofing built before 2025.
- A vendor already on a contract vehicle like NASA SEWP V removes a new competitive procurement cycle from your FY 2027 timeline.
- The strongest answer to any digital identity question names a live deployment, a specific standard, or a measured outcome, not a roadmap.
Why 2023 Digital Identity Question Banks Fail the FY 2027 Cycle
The questions agencies asked vendors in 2023 assumed a stable threat model and the older NIST SP 800-63-3 standard from 2017. Both assumptions are now wrong. Reusing those questions against a 2026 threat landscape produces a budget ask that auditors can pick apart.
Two shifts make the old questions obsolete:
- The standard changed. NIST released the final SP 800-63-4 in July 2025 after a four-year process and nearly 6,000 public comments. It moved from a checklist to a risk-based Digital Identity Risk Management model and added mobile driver’s licenses and verifiable credentials as accepted identity evidence.
- The threats changed. Attackers now inject deepfake video directly into the verification pipeline using webcam emulators. Deepfake-driven biometric fraud attempts surged 58% year over year, and injection attacks climbed 40%.
A state identity program director preparing a FY 2027 budget ask discovered this gap the hard way. The 2023 vendor questionnaire scored three finalists as equivalent. None of the questions covered injection attacks or the new assurance model, so the highest-scoring vendor turned out to be the least prepared for 2026 threats. Good digital identity vendor selection now depends on asking what the old forms never asked.
How to Use This 25-Question Digital Identity Framework
This framework organizes 25 questions into five categories of five. Ask every question, then grade the answer against two benchmarks: what a strong answer sounds like, and the red-flag response that signals risk. Strong identity vendor selection depends on grading answers, not collecting them.
- Score each answer as acceptable, weak, or red flag.
- Treat any red flag in Categories 1 or 3 as disqualifying for a FY 2027 budget ask.
- Document each answer so your record supports OMB readiness and survives a legislative review.
The goal is defensibility in public sector procurement. A budget line backed by graded vendor answers is far easier to protect than one backed by a feature comparison. For a broader view of selection criteria, our guide on choosing a government identity platform complements the questions below.
Category 1: Standards and Assurance Under NIST SP 800-63-4
This category tests whether the vendor built for the current standard or is retrofitting language onto an older product. NIST SP 800-63-4 is the anchor for any federal or state digital identity program in FY 2027.
1. Which Identity Assurance Level do you support, and how do you reach IAL2?
Acceptable: a specific account of evidence validation and proofing that meets IAL2. Red flag: “we are compliant” with no IAL named.
2. Do you support the risk-based Digital Identity Risk Management model in the new standard?
Acceptable: the vendor describes how assurance levels adjust to risk. Red flag: they reference only the 2017 checklist approach.
3. Do you accept mobile driver’s licenses and verifiable credentials as identity evidence?
Acceptable: yes, with a description of how each is validated. Red flag: confusion about what these formats are.
4. Which phishing-resistant authenticators do you offer for AAL2 and AAL3?
Acceptable: FIDO passkeys or equivalent named directly. Red flag: SMS one-time codes presented as sufficient.
5. How do you document conformance for an auditor?
Acceptable: a mapping to the specific NIST publication. Red flag: a marketing PDF with no control references.
You can confirm a vendor’s claims against the official NIST SP 800-63-4 publication, which auditors will reference during review.
Category 2: Threat Resistance Against 2026 AI Attacks
Remote identity proofing built before 2025 assumed a human attacker holding a photo to a camera. The 2026 attacker injects synthetic video into the data stream. This category tests whether the vendor defends the pipeline, not just the camera.
6. How do you detect injection attacks that bypass the device camera?
Acceptable: signal analysis of the capture pipeline. Red flag: “our liveness check handles that” with no detail.
7. How does your liveness detection handle real-time deepfake video filters?
Acceptable: named detection methods and recent test results. Red flag: a generic claim of “advanced AI.”
8. What is your measured false-acceptance rate against synthetic identities?
Acceptable: a number with a test source. Red flag: no metric offered.
9. How fast can a compromised credential be revoked across all verifiers?
Acceptable: seconds, with revocation checked at every verification. Red flag: revocation measured in days or batch cycles.
10. What fraud telemetry do you report after deployment?
Acceptable: proofing outcomes, recovery attempts, and fraud rates tracked continuously. Red flag: no ongoing measurement.
A federal program sponsor reviewing a FY 2027 renewal asked question six and learned the incumbent vendor had no injection-attack defense at all. That single answer reshaped the budget request. For the broader pattern, our analysis of AI-powered identity verification covers how these attacks reach government systems.
Category 3: Procurement and Budget Defensibility
This category protects your FY 2027 timeline and your budget narrative. In public sector procurement, a vendor that requires a fresh competitive procurement can add months to deployment and weaken your OMB readiness position.
11. Are you available on an existing federal contract vehicle?
Acceptable: a named vehicle such as NASA SEWP V or ITES-SW2. Red flag: a new full procurement is required.
12. What is your total cost per verification at our volume?
Acceptable: a per-check figure that scales. Red flag: opaque enterprise pricing with no unit cost.
13. What is your FedRAMP authorization status or path?
Acceptable: a clear status and timeline. Red flag: avoidance of the question.
14. How do you support a budget line that survives legislative review?
Acceptable: documented outcomes and cost comparisons. Red flag: only a feature list.
15. Where are you least transparent about delivery risk?
Acceptable: an honest account of dependencies. Red flag: a claim that there is no risk.
Manual verification costs $15 to $25 per check, while automated digital identity verification can run under $0.10 per check. At 500,000 verifications a year, that difference is a budget defense in itself. Our verification procurement checklist details how public sector procurement teams structure these requirements.
Category 4: Integration and Interoperability
A digital identity platform that cannot connect to existing systems becomes a second silo. This category tests integration depth and standards-based portability, which together protect you from vendor lock-in.
16. Do you integrate through a documented REST API?
Acceptable: yes, with developer documentation. Red flag: integration requires custom professional services for every connection.
17. How do you connect to legacy HR, ERP, or grant systems?
Acceptable: API-based connection with no front-end changes. Red flag: a rip-and-replace requirement.
18. Can credentials you issue be verified by another agency?
Acceptable: cross-agency verification using open standards. Red flag: verification works only inside the vendor’s system.
19. Do you follow W3C Verifiable Credentials and DID standards for portability?
Acceptable: W3C VC 2.0 and DID named directly. Red flag: a proprietary format with no export path.
20. Where does identity data reside, and who controls it?
Acceptable: clear data residency and selective disclosure to minimize stored data. Red flag: vague answers about a central database.
Standards-based answers here protect the budget you defend this year. Our overview of federal IT identity management shows how interoperability decisions compound across agencies.
Category 5: Proof, Audit, and Accountability
The final category separates vendors who have deployed from vendors who present. At the final stage of digital identity vendor selection, proof outranks every feature claim.
21. Name a live government deployment and the outcome it produced.
Acceptable: a named client with a measured result. Red flag: pilots only, or unnamed references.
22. Do you maintain an immutable audit trail of every credential event?
Acceptable: a permanent, timestamped record for each event. Red flag: logs that can be edited or do not exist.
23. What measurable outcome did a real deployment deliver?
Acceptable: a specific metric, such as a verification time reduction. Red flag: only projected savings.
24. Can verification work offline, with no network connection?
Acceptable: cached cryptographic verification described in detail. Red flag: every check needs connectivity.
25. How does a customer exit your platform with their data intact?
Acceptable: a documented export in open formats. Red flag: no exit path, which is the clearest lock-in signal.
As proof of what an acceptable answer to questions 21 and 23 sounds like, the Maharashtra Police deployment cut officer credential verification from 30 minutes to under 10 seconds and reduced administrative overhead by 85%.
Red Flags That Should End an Evaluation
Some answers are disqualifying on their own. Watch for these across all five categories:
- The vendor cannot name a single Identity Assurance Level it meets.
- Revocation takes days rather than seconds.
- Remote proofing has no defense against injection attacks.
- Pricing has no per-verification unit cost.
- There is no documented path to export your data.
Any one of these in a FY 2027 budget cycle should send you back to the shortlist.
How EveryCRED Answers These 25 Questions
We built EveryCRED to answer every question in this framework with a deployment, a standard, or a number. We comply with NIST SP 800-63-4 and the W3C Verifiable Credentials Data Model 2.0, revoke credentials in seconds, and log every event to an immutable audit trail. Our platform integrates through a REST API with no front-end changes, verifies offline using cached cryptographic signatures, and is available to US agencies through Carahsoft on NASA SEWP V, ITES-SW2, NASPO ValuePoint, and OMNIA Partners. That removes a new procurement cycle from your FY 2027 timeline. To pressure-test your shortlist before budget submission, book a FY 2027 readiness consultation with our public sector team.
Conclusion
The FY 2027 budget cycle arrives with a new standard and a new threat model. NIST SP 800-63-4 reset the rules for identity assurance, and AI-driven injection attacks reset the rules for fraud. A 2023 question bank cannot account for either, which is why so many budget asks rest on weak vendor comparisons.
Use these 25 questions to grade every digital identity vendor against acceptable and red-flag answers across standards, threats, procurement, integration, and proof. Document each answer to support OMB readiness and legislative review. The vendors that answer with deployments and numbers are the ones worth funding. The ones that answer with roadmaps are the slide decks you can now identify before they reach your budget line.
FAQs
What digital identity questions should government buyers ask vendors in 2026?
Ask about NIST SP 800-63-4 assurance levels, injection-attack defense, contract-vehicle availability, standards-based interoperability, and named live deployments with measured outcomes.
Why is NIST SP 800-63-4 important for FY 2027 budget planning?
It replaced checklist compliance with a risk-based model in July 2025, so vendors built for the older standard no longer meet current requirements.
How do AI deepfakes affect digital identity vendor selection?
Deepfake injection attacks bypass camera-based liveness checks, so vendors must defend the verification pipeline, not just the device, to remain trustworthy.
How does contract-vehicle availability improve OMB readiness?
A vendor already on NASA SEWP V or similar vehicles removes a new competitive procurement cycle, shortening the timeline and strengthening the budget narrative.
What is the biggest red flag in public sector procurement of identity platforms?
No documented path to export your data is the clearest lock-in signal and should end a vendor evaluation before a budget commitment.