Federal agencies reported $186 billion in improper payments in FY2025, according to the GAO. A significant share of those failures traces to identity enrollment gaps. Applicants and contractors entered sensitive systems without adequate verification at the point of onboarding. The procurement decision that determines whether this happens starts with identity proofing software selection.

Federal IT and compliance evaluation teams face a specific problem: virtually every vendor claims conformance with NIST SP 800-63 identity proofing requirements. Most of those claims are not independently verified. This guide identifies what procurement teams must check before contract award, and what questions expose whether a vendor’s NIST 800-63 identity proofing claim is substantiated or a marketing assertion.

Key Takeaways
– NIST SP 800-63-3 defines three government identity assurance levels; most federal civilian systems handling sensitive data require IAL2
– IAL2 compliance requires identity document validation, biometric comparison, and liveness detection, all documented in a conformance assessment
– NIST SP 800-63-4, finalized July 2025, tightens remote proofing requirements that many existing systems do not yet address
– Vendors must provide a documented conformance assessment, not a marketing claim, before any federal contract award

What NIST SP 800-63-3 Requires From Identity Proofing Software

NIST SP 800-63-3 defines three government identity assurance levels for enrollment: IAL1, IAL2, and IAL3.

IAL1 requires no identity proofing. Users self-assert attributes, and the system accepts them. This level suits low-risk applications where identity verification does not affect the outcome.

IAL2 requires remote or in-person identity proofing with attribute verification against authoritative sources. The identity proofing software must validate a government-issued photo ID, perform a biometric comparison against the ID image, and detect presentation attacks through liveness detection. IAL2 is the baseline requirement for most federal civilian systems handling PII, benefits, or access credentials.

IAL3 adds supervised in-person proofing with trained operators and enhanced biometric capture. Federal law enforcement, national security programs, and high-assurance identity systems typically require IAL3.

Most federal civilian procurement targets IAL2. The identity proofing software an agency selects must demonstrate IAL2 compliance through documented technical capabilities, not marketing claims. The NIST SP 800-63-3 standard is publicly available and specifies exactly what evidence a vendor must produce.

Six Things Federal Buyers Must Verify Before Contract Award

Federal compliance teams should require answers to these six checks before signing any identity proofing software contract. Each maps directly to a NIST 800-63 identity proofing requirement.

1. Documented conformance assessment

Ask the vendor for a third-party or self-assessment document mapping their software’s capabilities to each NIST SP 800-63-3 IAL2 requirement. A vendor who cannot produce this document cannot substantiate their conformance claim.

2. Identity document validation capability

IAL2 requires the software to validate that a government-issued ID is genuine, checking security features, expiry, and registry alignment where technically feasible. Confirm which document types are validated and which registries the software checks.

3. Biometric comparison methodology

The software must compare a live-captured facial image against the photo on the identity document. Request the false acceptance rate and false rejection rate for the biometric module in the specific deployment configuration being procured.

4. Presentation attack detection level

Liveness detection is an IAL2 requirement. Ask whether the software meets PAD Level 1 or Level 2 per ISO/IEC 30107-3. Level 2 provides higher assurance against spoofing with printed photos or video replay attacks.

5. Audit trail and evidence retention

IAL2 requires that proofing session evidence, including identity document images, biometric captures, and comparison results, be retained for a defined period. Confirm that the software generates an immutable audit trail, and confirm which retention period applies to each data class.

6. Failure and exception handling

When proofing fails, the system must produce a deterministic outcome. Ask how the vendor handles edge cases: expired documents, image quality failures, and attempted fraud flags.

Federal IT identity management teams that document answers to all six checks before evaluation reduce procurement delays and audit exposure after contract award.

What NIST SP 800-63-4 Changed in July 2025

NIST finalized SP 800-63-4 in July 2025. Agencies procuring identity proofing software after that date should evaluate vendors against the updated standard, not just SP 800-63-3.

The changes most relevant to government identity assurance levels and procurement decisions:

  • Attribute verification expanded. SP 800-63-4 requires verification of identity attributes against multiple authoritative sources, not document validation alone.
  • Fraud signal integration required. The revised standard adds a requirement for vendors to incorporate active fraud signals into the proofing decision, rather than relying solely on document and biometric checks.
  • Remote IAL2 tightened. The update strengthens liveness detection requirements for fully remote proofing workflows. Software relying on passive liveness detection alone may no longer meet the IAL2 threshold under SP 800-63-4.
  • Supervised remote proofing formally introduced. This modality sits between fully remote IAL2 and in-person IAL3. Agencies serving rural or low-bandwidth populations should confirm whether their vendor supports it.

Vendors who last updated their conformance documentation against SP 800-63-3 may not satisfy SP 800-63-4 requirements. Ask for the date of the vendor’s most recent conformance review and confirm whether it references the July 2025 revision.

A structured procurement checklist aligned to SP 800-63-4 requirements will surface these gaps before evaluation scores are finalized.

Red Flags in Identity Proofing Vendor Claims

Federal compliance teams should treat the following as disqualifying unless the vendor immediately resolves the concern with documentation.

“NIST-compliant” with no conformance document. NIST does not certify or accredit identity proofing software. Any vendor claiming NIST certification misrepresents how the standard works. Conformance is self-declared or assessed by a third party, not granted by NIST.

No liveness detection. A vendor who cannot confirm liveness detection capability does not meet IAL2 compliance. Document validation alone is insufficient under NIST 800-63 identity proofing requirements.

No audit trail per proofing session. If a vendor cannot describe what evidence is retained per session and for how long, the software will not support federal audit readiness requirements.

Conformance documentation referencing only SP 800-63-3. Given the July 2025 SP 800-63-4 update, a vendor whose conformance review predates that revision may be selling software already out of alignment with current federal standards.

Bundled IAL1 and IAL2 configurations. Some vendors offer IAL1 as default with IAL2 as a paid add-on. The IAL2 module must be the specific configuration procured and tested, not inferred from base product marketing materials.

Public sector credentials programs that conduct these checks before RFP issuance avoid the cost of failed deployments and compliance gaps discovered during federal audits.

What EveryCRED Delivers for Federal Identity Proofing

We built EveryCRED’s identity proofing capability to align with NIST SP 800-63-4 requirements for federal agency deployments. Our Trust Method product handles IAL2-aligned proofing workflows, including identity document validation, biometric comparison, and liveness detection, with full audit trail retention per session and blockchain anchoring for tamper-evident evidence storage.

Federal agencies can access EveryCRED through NASA SEWP V (NNG15SC03B/NNG15SC27B) and ITES-SW2 (W52P1J-20-D-0042) via Carahsoft, without opening a new competitive procurement cycle. Our deployments include live government identity programs with documented compliance outcomes.

Book a demo to review our conformance documentation against NIST SP 800-63-4 and see the IAL2-aligned proofing workflow in a live walkthrough.

Conclusion

Federal agencies procuring identity proofing software cannot rely on vendor claims alone. NIST SP 800-63 sets specific, testable requirements for government identity assurance levels, and conformance must be documented, not assumed. IAL2 compliance requires identity document validation, biometric comparison, liveness detection, and a complete audit trail per proofing session. NIST SP 800-63-4, finalized July 2025, has raised those requirements further. Evaluation teams that verify conformance before contract award protect their agencies from enrollment gaps that create fraud exposure and audit liability. The six-point checklist above provides a structured starting point for any procurement team assessing NIST 800-63 identity proofing vendors.

FAQs

What is IAL2 compliance under NIST SP 800-63?

IAL2 compliance requires identity document validation, biometric comparison, liveness detection, and immutable audit trail retention per proofing session.

Does NIST certify or accredit identity proofing software vendors?

No. NIST does not certify identity proofing products; vendors produce self-declared or third-party conformance assessments against the SP 800-63 standard.

What did NIST SP 800-63-4 change compared to SP 800-63-3?

SP 800-63-4 strengthens remote IAL2 liveness requirements, adds mandatory fraud signal integration, and expands multi-source attribute verification.

How can federal agencies procure NIST-compliant identity proofing software?

Federal agencies procure through contract vehicles, including NASA SEWP V and ITES-SW2, eliminating the need for new competitive procurement cycles.

What is the difference between IAL1, IAL2, and IAL3 in government identity proofing?

IAL1 requires no proofing; IAL2 requires document and biometric verification; IAL3 requires supervised in-person proofing with enhanced biometric capture.
