
Publication: Protecting Tokens and Assertions from Forgery, Theft, and Misuse
Publish Date: December 22, 2025

  • December 22, 2025

TripleHelix
Moderator

NIST and CISA’s draft Interagency Report Protecting Tokens and Assertions from Forgery, Theft, and Misuse is now available for public comment through January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.

This report emphasizes the need for CSPs and cloud consumers, including government agencies, to better define their respective roles and responsibilities in managing identity and access management (IAM) controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Design best practices, and to prioritize transparency, configurability, and interoperability—empowering cloud consumers to better defend their diverse environments. It also calls upon government agencies to understand the architecture and deployment models of their procured CSPs to ensure proper alignment with risk posture and threat environment. 

Comments on the report may be submitted to iam@list.nist.gov.

Please visit NIST’s site for more information. 

 

https://www.cisa.gov/resources-tools/resources/protecting-tokens-and-assertions-forgery-theft-and-misuse?utm_source=ProtectingTokens&utm_medium=GovDelivery