This is flawed guidance. Your section on IAL1 states that MFA is required for any PII. On a public site that allows users to create an account for convenience, where we only require a name and email, we now have to implement MFA or write an Acceptance of Risk. Government is required to be accessible to our citizens; MFA adds a burden and is a roadblock to open government.
OMB clearly outlines what is PROTECTED PII (see below). Name and email are defined as publicly available PII. MFA should only apply to PROTECTED PII. We did our risk assessment and determined the risk is LOW, but because IAL1 leaves no room for exclusions we are forced to either make access to the government overburdened or write an AOR.
SP 800-63-3
At IAL1, it is possible that attributes are collected and made available by the digital identity service. Any PII or other personal information — whether self-asserted or validated — requires multi-factor authentication. Therefore, agencies SHALL select a minimum of AAL2 when self-asserted PII or other personal information is made available online.
OMB 200
§ 200.79 Personally Identifiable Information (PII). PII means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information that is considered to be PII is available in public sources such as telephone books, public Web sites, and university listings. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.
§ 200.82 Protected Personally Identifiable Information (Protected PII). Protected PII means an individual’s first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother’s maiden name, criminal, medical and financial records, educational transcripts. This does not include PII that is required by law to be disclosed. (See also §200.79 Personally Identifiable Information (PII)).
SP 800-63-3 Has Been Published
The SP 800-63-3 document suite has been finalized and published. It is publicly available at https://pages.nist.gov/800-63-3/
As the document has been finalized in its current revision, requests for normative changes will be held for adjudication for possible inclusion in a future revision of the SP 800-63 document suite. Editorial changes and internal clarifications may be incorporated in an errata set for this revision. Additional context and discussion may be addressed by the FAQ (https://pages.nist.gov/800-63-FAQ/) or other publications and resources.