The National Institutes of Health: Identity Assurance Requirement

Estimated reading time: 3 minutes

June 22, 2021

This is the third in a series of emails regarding new login requirements from the National Institutes of Health (NIH). Effective September 15, 2021, the NIH electronic Research Administration (eRA), will require you:

1. To provide a small set of identifying information (Research and Scholarship attributes), which are detailed below.
2. To perform multi-factor authentication (MFA) for those using eRA
3. To communicate the use of MFA using the REFEDS MFA profile

The first two emails focused on the Research and Scholarship and MFA requirements. This email discusses identity assurance, which is not currently a requirement for eRA, but soon will be for some NIH resources.  

What is the Identity Assurance Requirement?

In the near future, some NIH services will begin asking for identity assurance information in addition to MFA. These services will want identity providers to demonstrate that users are well identity-proofed and  credentials are well-bound to the user. 

NIH will use the REFEDS Assurance Framework, which has four levels of assurance: low, medium, high, and local-enterprise. The first three (low, medium, high) require increasing levels of identity proofing. The other, local enterprise, means that identity proofing and the issuing of a credential is done in a way that qualifies the user to access the organization’s internal administrative systems, such as finance or the student information system. 

The local-enterprise option may be the easiest first step for most organizations, since institutions already demonstrate their acceptance of whatever risk is inherent with operation of its critical internal systems. Some NIH services may determine that local-enterprise will suffice, given the identity provider organization trusts that user with access to critical and/or sensitive information. 

For details on implementing an identity assurance program, please see the “Get NIH-Ready” wiki page and the implementation guide for the REFEDS Assurance Framework, published by the Assured Access Working Group. 

What are the benefits of doing this?

1. This is what federation was made for. Your faculty, researchers, and scientists will enjoy the benefits of single sign-on with any NIH service in the Federation, as well as those from other federal agencies, non-profits, and many other collaboration services.
2. You will provide a superior user experience for your faculty and staff.
3. Doing the work now positions your institution for the future, when NIH adds these requirements to other services and other research organizations follow suit.
4. Providing federated login means you are in a better position to troubleshoot any problems your users have, again making for a better experience.

Available Resources

A number of resources provide additional information:

• April 2021 IAM Online – “National Institutes of Health and Identity Management Requirements”
• May 2021 IAM Online – “Increasing Identity Assurance and Improving NIH Readiness”
• A detailed roadmap to “get NIH-ready” on the InCommon wiki
• NIH Office Hour recording (March 10, 2021)

Please contact help@incommon.org with any questions about the NIH requirements.