Standards & Certifications

IAM Maturity Assessment for NIST SP 800-63B

NIST SP 800-63B, part of the Digital Identity Guidelines, defines Authentication Assurance Levels (AAL1 to AAL3) for digital authentication. It covers authenticator types, phishing resistance, session management, and account recovery, and is widely referenced for both workforce and customer authentication design.

Maturity threshold
2.5 / 4.0
Mapped questions
8
IAM domains
3
Assessment scope
All scopes
Identity Expectations

What NIST SP 800-63B Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to NIST SP 800-63B citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Authentication assurance for workforce and customer populations, including adaptive and phishing-resistant MFA
  • Account recovery flows that resist social engineering and identity spoofing
  • Customer registration, identity proofing, and delegated administration aligned to assurance levels
Question Mapping

AXIS Questions Mapped to NIST SP 800-63B

8 of the 37 questions in the AXIS bank carry NIST SP 800-63B citations, including 2 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to NIST SP 800-63B, with domain, capability, and framework references
QuestionDomainCapabilityNIST SP 800-63B references
AUTH-01
Domino
Auth/SSOAdaptive MFANIST 800-63B r4; NIST 800-63B r4 AAL guidance
AUTH-02Auth/SSOSingle Sign-On (SSO) Coverage & EnforcementNIST SP 800-63B r4; NIST SP 800-63B r4 AAL2+
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityNIST SP 800-63B r4 AAL2; NIST SP 800-63B r4; NIST SP 800-63B r4 AAL3
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceNIST SP 800-63B r4 §6 (account recovery); NIST SP 800-63A r4 (identity proofing); NIST SP 800-63B r4 §6; NIST SP 800-63A r4
CIAM-01
Domino
CIAMRegistration & OnboardingNIST SP 800-63A r4 IAL2
CIAM-04CIAMB2B Delegated Administration & Partner IdentityNIST SP 800-63C
CIAM-05CIAMCustomer Onboarding, Identity Proofing & KYCNIST SP 800-63A r4 IAL2
CIAM-PAM-01CIAM × PAMCustomer-Admin Privilege GovernanceNIST 800-63B r4 (AAL2)
Scoring Model

How AXIS Scores NIST SP 800-63B Alignment

A threshold model: each mapped control either meets the NIST SP 800-63B maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.5 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIST SP 800-63B, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for NIST SP 800-63B in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIST SP 800-63B citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

NIST SP 800-63B appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to NIST SP 800-63B Digital Identity Guidelines. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIST SP 800-63B applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against NIST SP 800-63B

Run the AXIS assessment and get your maturity score, NIST SP 800-63B alignment, and a prioritized roadmap in one pass. No signup required to start.