NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-12 — Identity Proofing
a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;
b. Resolve user identities to a unique individual; and
c. Collect, validate, and verify identity evidence.
Supplemental Guidance
Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff). Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
Practitioner Notes
Identity proofing is the process of verifying that a person is who they claim to be before issuing them an account. This happens before authentication — you need to confirm their real-world identity first.
Example 1: During onboarding, require new employees to present government-issued photo ID and complete an I-9 verification before HR authorizes IT to create their account.
Example 2: For remote identity proofing, use a NIST SP 800-63A compliant service that performs document verification, photo matching, and knowledge-based verification.