Draft interagency guidance NISTIR 8587 urges shorter token lifetimes and stronger key protections
Summary
NIST and CISA presenters summarized draft NISTIR 8587, urging hardware-backed key storage for moderate/high systems, shorter token and key lifetimes, improved revocation signaling and public comment by Jan. 30.
Christine Vascono, a senior cyber operations planner at the Cybersecurity and Infrastructure Security Agency (CISA), opened a webinar introducing NISTIR 8587 and said the draft is out for public comment through January 30.
Ryan Belluzzo, identity program lead at the National Institute of Standards and Technology (NIST), said the report responds to recent incidents and an executive order directing NIST to work with DHS/CISA and GSA to develop guidance to "securely manage tokens themselves, as well as the cryptographic keys that underpin trust" in those tokens.
The interagency report, the presenters said, builds on the IA-13 identification and authentication control in the NIST control catalog and aims to provide implementation guidance that agencies and cloud service providers can adopt or use to inform procurement and FedRAMP decisions. "We put out our initial public draft," Belluzzo said, "and we had a just about 45-day public comment period that closes on January 30."
Panelists emphasized three central themes: protect keys as the root of trust, narrow the scope of keys and tokens to limit blast radius when keys are compromised, and shorten lifetimes of keys and tokens where feasible while automating rotation and detection. Andy Rangenschad, who leads NIST's cryptographic technology group, said key protection and isolation are critical because "if an attacker gets access to them, they can forge tokens to gain access to downstream resources."
The webinar highlighted that the guidance is intended as implementation guidance (NIST IR), not a binding regulation, using normative language where appropriate (the draft uses "must" for baseline controls and "should" for recommendations). NIST will adjudicate public comments and said it may finalize the IR or run a second comment period depending on feedback and scheduling.
The report and the webinar also pointed participants to emerging standards and collaborative mechanisms to improve revocation, including IETF token status lists and the OpenID Foundation's shared signals approaches. The panelists stressed agencies must assess their detection and revocation capabilities and configure cloud services appropriately.
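As an added illustration (not code from the report, the webinar, or any of the standards named above), the following relying-party check turns the three themes into enforceable policy: a bounded token lifetime, a narrow audience and scope, and a revocation lookup against a status bitmap. The claim names, the `status_idx` claim, the one-bit-per-token bitmap layout and the policy values are constructed assumptions rather than the draft report's or the IETF status-list wire format, and signature verification against the issuer's (ideally hardware-protected) key is assumed to have already succeeded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenPolicy:
    max_lifetime_s: int         # longest exp - iat this relying party will accept
    expected_aud: str           # token must be scoped to this service only
    allowed_scopes: frozenset   # scopes this endpoint is permitted to honor


def is_revoked(status_bits: bytes, idx: int) -> bool:
    """Look up one token in a constructed 1-bit-per-token bitmap.

    Bit set means revoked. An index past the end of the bitmap is treated
    as revoked so that a stale or truncated list fails closed.
    """
    byte_i, bit_i = divmod(idx, 8)
    if byte_i >= len(status_bits):
        return True
    return bool((status_bits[byte_i] >> bit_i) & 1)


def validate_token(claims: dict, policy: TokenPolicy,
                   status_bits: bytes, now: int) -> list:
    """Return a list of policy violations; an empty list means accept.

    Assumes the token's signature has already been verified.
    """
    problems = []
    for name in ("iat", "exp", "aud", "scope", "status_idx"):
        if name not in claims:
            problems.append(f"missing claim: {name}")
    if problems:
        return problems
    if claims["exp"] <= now:
        problems.append("expired")
    # Short lifetimes: reject tokens minted with a longer validity window
    # than policy allows, even if they have not expired yet.
    lifetime = claims["exp"] - claims["iat"]
    if lifetime > policy.max_lifetime_s:
        problems.append(f"lifetime {lifetime}s exceeds max {policy.max_lifetime_s}s")
    # Narrow scope: the token must name this service and only permitted scopes.
    if claims["aud"] != policy.expected_aud:
        problems.append("audience mismatch: token not scoped to this service")
    extra = set(claims["scope"].split()) - policy.allowed_scopes
    if extra:
        problems.append(f"over-broad scope: {sorted(extra)}")
    # Revocation: consult the status bitmap rather than trusting exp alone.
    if is_revoked(status_bits, claims["status_idx"]):
        problems.append("revoked per status list")
    return problems
```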
The session closed with contact details for written feedback (Iam@list.nist.gov) and an invitation to submit comments before the stated deadline.
