The initial statement was: "The Wikimedia Security team has chosen to base our requirements on the National Institute of Standards and Technology guidelines."
Now, that very paper states its scope as:
"These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose."
I guess, the English phrase for this is: "to take a sledgehammer to crack a nut"
How much of a federal agency is Wikimedia? ;-)