Public Webinar: NIST IR 8587 Protecting Tokens and Assertions from Forgery, Theft, and Misuse Friday, January 23, 2026

  • January 14, 2026

TripleHelix
Moderator
Time: 12:00 p.m. - 1:00 p.m. ET
Location type: Virtual/Online
Event type: Seminar

The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) invite you to a live webinar introducing the initial draft of Interagency Report 8587, "Protecting Tokens and Assertions from Forgery, Theft, and Misuse." During this session, CISA and NIST will walk through the report’s implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse. 

Report authors will familiarize the audience with the subject matter to encourage written feedback during the public comment period. Please submit comments and feedback by January 30, 2026, via email at iam@list.nist.gov.

What is included in this report?

Building on updates to NIST SP 800-53, the report outlines principles for cloud service providers (CSPs) and consuming agencies, details architectural considerations for identity providers and authorization servers, and recommends enhancements to key management, token verification, and lifecycle controls. The report also addresses threats demonstrated in recent high-profile attacks, emphasizes the importance of secure and configurable cloud services, and provides technical recommendations to safeguard single sign-on, federation, and application programming interface (API) access scenarios.

What kind of input are NIST and CISA seeking?

As an initial public draft, NIST IR 8587 is intended to gain critical feedback from stakeholders across government and industry. While comments are welcome and encouraged on all aspects of this document, NIST is particularly interested in the following five feedback areas: 

  1. Signing Key Validity Periods. Feedback on the length of validity, the structure of the scenarios, and any additional feedback reviewers may have.
  2. Token Validity Periods. Opinions on token validity lengths and compensating controls that may impact commenters, particularly their availability, adoption, and use in government systems.
  3. Key Protection and Isolation. Feedback on the clarity and suitability of key management definitions and whether they are appropriately mapped to Federal Information Security Modernization Act (FISMA) system classification levels.
  4. Key Scoping. Sharing of operational considerations, implementation challenges, and best practices that could strengthen these recommendations.
  5. Emerging Standards. Comments about emerging standards and protocols that might support the technical achievement of token and assertion protection outcomes (e.g., Demonstrated Proof-of-Possession, Global Revocation).


Full Info Here