IAM Maturity Assessment for NIST SP 800-63B
NIST SP 800-63B, part of the Digital Identity Guidelines, defines Authentication Assurance Levels (AAL1 to AAL3) for digital authentication. It covers authenticator types, phishing resistance, session management, and account recovery, and is widely referenced for both workforce and customer authentication design.
- Maturity threshold
- 2.5 / 4.0
- Mapped questions
- 8
- IAM domains
- 3
- Assessment scope
- All scopes
What NIST SP 800-63B Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to NIST SP 800-63B citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Authentication assurance for workforce and customer populations, including adaptive and phishing-resistant MFA
- Account recovery flows that resist social engineering and identity spoofing
- Customer registration, identity proofing, and delegated administration aligned to assurance levels
AXIS Questions Mapped to NIST SP 800-63B
8 of the 37 questions in the AXIS bank carry NIST SP 800-63B citations, including 2 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | NIST SP 800-63B references |
|---|---|---|---|
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | NIST 800-63B r4; NIST 800-63B r4 AAL guidance |
| AUTH-02 | Auth/SSO | Single Sign-On (SSO) Coverage & Enforcement | NIST SP 800-63B r4; NIST SP 800-63B r4 AAL2+ |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | NIST SP 800-63B r4 AAL2; NIST SP 800-63B r4; NIST SP 800-63B r4 AAL3 |
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | NIST SP 800-63B r4 §6 (account recovery); NIST SP 800-63A r4 (identity proofing); NIST SP 800-63B r4 §6; NIST SP 800-63A r4 |
| CIAM-01 Domino | CIAM | Registration & Onboarding | NIST SP 800-63A r4 IAL2 |
| CIAM-04 | CIAM | B2B Delegated Administration & Partner Identity | NIST SP 800-63C |
| CIAM-05 | CIAM | Customer Onboarding, Identity Proofing & KYC | NIST SP 800-63A r4 IAL2 |
| CIAM-PAM-01 | CIAM × PAM | Customer-Admin Privilege Governance | NIST 800-63B r4 (AAL2) |
How AXIS Scores NIST SP 800-63B Alignment
A threshold model: each mapped control either meets the NIST SP 800-63B maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.5 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIST SP 800-63B, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for NIST SP 800-63B in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIST SP 800-63B citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
NIST SP 800-63B appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to NIST SP 800-63B Digital Identity Guidelines. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIST SP 800-63B applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against NIST SP 800-63B
Run the AXIS assessment and get your maturity score, NIST SP 800-63B alignment, and a prioritized roadmap in one pass. No signup required to start.