The Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) have released an initial draft of Interagency Report (IR) 8597 Protecting Tokens and Assertions from Forgery, Theft, and Misuse for public comment from December TBD, 2025–January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.
Recent cybersecurity incidents at major cloud service providers have centered on stealing, modifying, or forging identity tokens and assertions to gain access to protected resources. This report covers the controls for identity and access management (IAM) systems that rely on digitally signed assertions and tokens when making access decisions. It discusses how CSPs and cloud consumers, including government agencies, can better define their respective roles and responsibilities for managing IAM controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Design best practices and to prioritize transparency, configurability, and interoperability, so that consumers are better equipped to defend their diverse environments. It also calls on federal agencies to understand the architecture and deployment models of the CSPs they procure, to ensure proper alignment with their risk posture and threat environment.
Comments on the report may be submitted to [email protected]. Please visit NIST’s site for more information.
