NIST and CISA Release Draft Interagency Report on Protecting Tokens and Assertions from Tampering, Theft and Misuse for Public Comment
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released a draft report aimed at strengthening the security of identity tokens and assertions used in cloud environments. The report, open for public comment until January 30, 2026, responds to recent incidents in which attackers stole or forged such tokens to gain unauthorized access to sensitive information. It sets out guidelines for federal agencies and cloud service providers (CSPs) to harden their identity and access management systems, stresses that CSPs should adopt secure design practices, and clarifies the respective roles and responsibilities for managing security in cloud settings. The initiative aims to improve the overall cybersecurity posture of government entities and their cloud partners, particularly in light of recent vulnerabilities in the sector.
Key Takeaways
- Affected Systems: Identity access management systems, federal agencies, cloud service providers
- Action Required: Implement Secure by Design best practices, define roles and responsibilities in IAM controls, enhance understanding of CSP architecture and deployment models.
- Timeline: Newly disclosed
Original Article Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released an initial draft of Interagency Report (IR) 8597, Protecting Tokens and Assertions from Forgery, Theft, and Misuse, for public comment through January 30, 2026. The report responds to the Executive Order Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, and provides implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse. Recent cybersecurity incidents at major cloud service providers have involved stealing, modifying, or forging identity tokens and assertions to gain access to protected resources. The report covers controls for identity and access management (IAM) systems that rely on digitally signed assertions and tokens when making access decisions. It discusses how CSPs and cloud consumers, including government agencies, can better define their respective roles and responsibilities for managing IAM controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Design best practices and to prioritize transparency, configurability, and interoperability so that consumers can better defend their diverse environments. It also calls on federal agencies to understand the architecture and deployment models of the CSPs they procure, to ensure alignment with their risk posture and threat environment. Comments on the report may be submitted to iam@list.nist.gov. Visit NIST's site for more information.
Impact
Identity access management systems, federal agencies, cloud service providers
Exploitation Status
No active exploitation has been reported at this time. Note that this entry describes a draft guidance report rather than a specific vulnerability, so there are no patches to apply; the relevant action is adopting the practices the report recommends.
Timeline
Newly disclosed
Remediation
Implement Secure by Design best practices, define roles and responsibilities in IAM controls, enhance understanding of CSP architecture and deployment models.
Additional Information
This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.