Investor-focused NSTIC Pilot Demonstrates Identity Management is no Longer Just a Cost Center

Websites often struggle with the trade-offs between increased security and user convenience. Many of the NSTIC pilots are confronting this challenge head-on, piloting solutions that demonstrate enhanced security and privacy are not at odds with convenience.

ID/Dataweb, through its NSTIC Pilot with Broadridge Financial Solutions, is enabling just this type of solution. A subsidiary of Criterion Systems, ID/Dataweb is allowing customers the convenience of “bring your own identity” without sacrificing security and privacy.

Broadridge is a leading provider of investor communications – if you own a stock or mutual fund, odds are that the mail your brokerage sends you is sent through a service run by Broadridge. Given all the Americans who have brokerage accounts, that’s a lot of paper, and it costs a lot of money – about $3 billion each year. Digital delivery could save dollars and trees; however, because brokerage services are regulated, digital delivery is difficult without a robust identity solution that can bind email addresses to real identities.

ID/Dataweb, as part of its NSTIC pilot, has successfully deployed an Attribute Exchange Network (AXN) that brings together multiple identity providers such as Google, Verizon, Symantec, AOL, Facebook, LinkedIn, Amazon, and attribute providers including LexisNexis, Experian, Equifax, and PacificEast. The AXN platform enables a user-centric experience, allowing users to choose from multiple identity providers while permitting them to manage their attributes both during the authentication flow and via a user managed console.

Using ID/Dataweb’s (IDW) AXN, Broadridge customers are now able to access digital content delivered via their Kindle or other mobile device, without having to create a new account or get a new credential. Furthermore, this provides Broadridge with the ability to verify the identity of the customer before granting access to sensitive documents, such as investment account financial statements and phone bills. Going forward, the pilot operations are transitioning to Inlet, a new joint venture launched by Broadridge and Pitney Bowes to accelerate the delivery of digital content in financial services. The ID/Dataweb solution provides the crucial identity layer necessary to enable these services to be delivered online.

ID/Dataweb is working not only with Broadridge in the financial sector, but across several sectors. One example is a partnership with DHS, enabling first responder access to an online incident response platform (the Next-Generation Incident Command System). In another area, ID/Dataweb is piloting the AXN with a Fortune 100 company to test enterprise, partner, and consumer access using third-party credentials and verified attributes to support real-time access decisions.

By shifting digital efforts to consumer-focused approaches, ID/Dataweb is demonstrating how NSTIC-aligned identity systems are creating value for consumers and companies alike.


REMINDER: 10th IDESG Plenary Meeting in Tampa, September 17-19

The 10th meeting of the Identity Ecosystem Steering Group (IDESG) is quickly approaching. This no-cost event will take place September 17-19 in Tampa, Florida; you can attend in-person or virtually!

The IDESG is coming off of a momentous summer, with the organization making a number of significant advancements toward enabling all Americans to more easily start using secure, convenient, privacy-enhancing credentials in lieu of passwords everywhere they go online.  This summer saw the IDESG:

  • Launch a formal Framework Development Plan – laying out steps that the organization will take to create an Identity Ecosystem Framework over a handful of iterations.
  • Launch a new strategic planning effort, focused on growing and maturing the organization.
  • Receive a $1.6 million cooperative agreement from NIST, enabling IDESG to fund technical resources and subject matter experts that will help the organization’s committees accelerate the pace of deliverables.

With a renewed focus on accelerating the Framework, this plenary meeting will be heavily focused on socializing the proposed Framework Development Plan and deciding on a plan of action across the organization’s committee structure to achieve it.

The IDESG board will present a plan on Wednesday detailing how to bring Framework components together in a phased implementation over the next 18 months. The Board presentation will be followed by a full group discussion and opportunity to provide feedback and influence the development process.

Additional agenda highlights:

New NSTIC Pilots to be Announced

The NSTIC National Program Office expects to announce the winners of the latest NSTIC pilots competition.

Pilot Presentations

NSTIC’s 11 pilots are seeding the marketplace with solutions for privacy-enhancing, secure, interoperable, and convenient online identity. Six of these pilots will present updates at the plenary:

  • Daon
  • ID/Dataweb
  • American Association of Motor Vehicle Administrators
  • Internet2
  • Michigan Department of Human Services
  • Commonwealth of Pennsylvania

Functional Model

The Security Committee led development of a Functional Model to provide consistency upon which to center descriptions of identity solutions. It is a representation of online identity interactions and the various components needed to execute those interactions. In Tampa, the plenary will consider this model for formal approval.

Strategic Plan

The IDESG Board has been busy drafting the organization’s first formal strategic plan, which is due to be finalized by September 20th. The plan will be shared with participants in Tampa, and attendees will have a chance to provide feedback to shape the direction of the document and the IDESG itself.

Note that this IDESG event is collocated with the Global Identity Summit (GIS) at the Tampa Convention Center.  While the IDESG kicks off on Wednesday, the GIS begins Tuesday – and the Summit organizers have graciously offered to waive the registration fee (normally $595 or more) for IDESG attendees on Tuesday the 16th.  The NSTIC National Program Office will have two sessions on Tuesday:

  • At 10:40 am, NSTIC Deputy Michael Garcia will discuss “The Economics of Online Identity” and NIST’s Senior Standards and Technology Advisor Paul Grassi will discuss “New Directions in Identity”.
  • At 3:50 pm, NSTIC Identity Strategist Phil Lam will lead a session on “NSTIC Pilots in the Wild”.

In addition, NSTIC NPO head Jeremy Grant will deliver a keynote address to the Global Identity Summit at 8:30 am on Wednesday, September 17 – immediately before the 10 am kickoff of the IDESG.

We hope to see you in Tampa next week. View the IDESG plenary agenda and register to attend here!

Competing on Privacy in the Tower of Babel

In recent months, there’s been much talk about the idea of companies competing on privacy. In theory, this sounds great. Consumers can make choices based on their privacy preferences, and the marketplace will respond. In practice, there are some significant challenges. The NSTIC pilots are learning about these challenges first hand.

The NSTIC calls for the Identity Ecosystem to be privacy-enhancing and voluntary and provides some high-level considerations around these concepts. The pilots are expected to develop identity solutions that adhere to these concepts. But how do they move from high-level considerations to actual implementation? Moreover, how do they achieve an implementation that demonstrates effective privacy protections in consistent and repeatable ways?

In cybersecurity, for example, there are tools such as risk models, control catalogs and technical standards that provide consistent and repeatable results. If an NSTIC pilot wants to securely transmit an attribute, its engineers don’t sit down at their computers and start coding from scratch. There are existing protocols they can select that have been widely evaluated and that demonstrate effective attribute transmission. But what if a pilot wants to collect user consent for the transmission of that attribute? What standard exists for user consent?

The privacy field lags behind other fields such as cybersecurity and safety risk management in providing the types of models and tools that support measurable and consistent outcomes. It is much more difficult for consumers to make informed choices if organizations are marketing their privacy practices with different or, even worse, no measures of effectiveness.

To address this gap, NIST has launched a new privacy engineering effort that focuses on providing design guidance to information system users, owners, developers and designers that handle personal information. Such guidance can be used to decrease risks related to privacy harms and to make purposeful decisions about resource allocation and effective implementation of controls. In April, NIST held the first of a series of workshops. Based on this first workshop, NIST has proposed a set of privacy engineering objectives and a risk model to mitigate privacy harms to individuals. NIST is co-sponsoring a second workshop with the International Association of Privacy Professionals (IAPP) to discuss these proposals and inform the development of a NIST report on privacy engineering. This free workshop will be held in San Jose, California, on September 15-16, 2014.

In the story of the Tower of Babel, God was concerned that a people who spoke one language could take over the world. He prevented this by causing people to speak many languages. I’m no theologian, so I won’t theorize on the merits of God’s actions, but the story does illustrate the power of unity. In privacy, we need to begin speaking with a consistent terminology and using models and tools that provide us with the capability to better measure the effectiveness of privacy design in information systems.

There are many good privacy efforts underway today – but the way to make them BETTER and enable true competition is for experts in various disciplines to collaborate on identifying and adapting measurement capabilities that have worked in other areas. We encourage system designers, engineers and privacy subject matter experts to participate in the next NIST privacy engineering workshop or provide feedback to NIST at privacyeng@nist.gov. Together, we can develop the foundational components that will enable the Identity Ecosystem Steering Group to achieve the full vision of the NSTIC Identity Ecosystem; one that is secure and privacy-enhancing.


Shout it Out Loud: Enhancing Privacy Can Increase Profits!

Among the questions we’re asked most frequently about NSTIC is: why are trusted identities good for business? The NSTIC pilots have collectively started to answer that question, highlighting how better privacy, security and convenience are enabling new online business models, and driving higher sales and profits.

One of the better examples of this has been the work done by NSTIC pilot awardee ID.me. In 2013, ID.me received a $2.8M cooperative agreement from NIST to pilot its trusted identity solution, which enables members of the military community and their families, First Responders, and students to access exclusive benefits and services online both securely and efficiently without having to share sensitive information with the brands directly. While this easy-to-use and interoperable solution aligns with the NSTIC guidelines, it also benefits partner companies’ bottom line.

Among ID.me’s many successful collaborations is one with KISS. When KISS wanted to offer discounted concert tickets to the military community, the band faced a challenge: how could they verify that the people trying to access the tickets actually were service members or Veterans? ID.me’s solution enabled KISS to easily validate this single attribute, without requiring the band’s fans to share additional information about themselves. This partnership was just what the doctor (of love) ordered; KISS went on to sell more than 5,400 tickets to ID.me verified service members and Veterans as of July 14th.

While identity management is traditionally only seen as a risk mitigation capability, ID.me is helping partners like KISS leverage it to grow sales while simultaneously reducing fraud. ID.me, acting as a trusted intermediary, reduces the amount of information a company needs to collect in order to verify an attribute about its customers.

Previously, service members and Veterans had to bring physical military ID cards or hard copies of their military discharge documentation to claim benefits in-person. This process was inconvenient and vulnerable as the transported paperwork contained all sorts of personal information beyond what was needed for the transaction. Veterans’ discharge papers (DD-214), for example, reveal: blood type, home address before and after active service, social security number, date and place of birth, details of active service, and reasons for separation from the military – not exactly the type of information Veterans should have to carry with them, let alone share with companies to get a discount.

ID.me has transformed this experience, allowing service members and Veterans to access benefits by verifying a single attribute: that they have served our country. This has an incredible impact on user privacy, allowing consumers to leave their discharge papers – and related PII – securely at home.

KISS’s story isn’t the only example of an identity management effort that produced tangible positive results. Under Armour saw a 30% growth in affiliate revenue after partnering with ID.me to extend its long-standing in-store military 10% discount online. According to the case study, 70% of those who used ID.me credentials at checkout since November 2012 were first time customers to Under Armour.

These examples demonstrate how investing in new NSTIC-aligned identity solutions may not only increase security and privacy – they can also positively impact a company’s bottom line. As these platforms enhance privacy and reduce the risk of fraud for consumers, they also create more user-friendly online processes that attract customers eager for simpler ways to complete a transaction. They make targeted discounts and services easier for companies to disseminate. They make the need for a plethora of unique passwords a problem of the past. And by giving the user transparency around the information needed to access a given benefit, they increase trust online.

The FICAM Trust Framework Solutions (TFS) Program approved ID.me as a Credential Service Provider at OMB Levels of Assurance (LoA) 1, 2 and 3, following an assessment from Kantara. This means that the same credentials can not only be used to buy concert tickets and access discounts, but can now also be used by Veterans to log in to government services. This is a textbook example of the NSTIC vision: enabling consumers to use the same secure, privacy-enhancing credential to log in to both commercial and public sector sites.

As identity platforms evolve, it is important to recognize the wealth of benefits online service providers and consumers reap. When a company chooses to work with one of these platforms, it is not only about risk mitigation, but also a business growth opportunity. And, it demonstrates that privacy and security are not just good for consumers, but also good for business. New customers, increased profits, and reduced fraud are within reach.

When President Obama visited DC startup incubator 1776, he spent time with the founders of ID.me to discuss its work and partnership with NSTIC. (July 3, 2014)


Passwords, Dr. Evil and a Solution in Tampa

1.2 billion.

It’s a number that inspires people to conjure up their best Dr. Evil impression, although it’s no laughing matter.  1.2 billion compromised passwords is a remarkably stunning and shocking number.

It’s also one that has inspired a wave of articles asking “what can we do about this?” Telling people to reset all their passwords isn’t a real answer – we just got through telling them to do the same thing in April after the Heartbleed bug was discovered, and most Americans don’t have the stomach or the time to keep doing this every few months.

In the short term, there aren’t any silver bullets: nobody likes the security or usability of passwords, but we’ve had them for a long time because the market has struggled to develop compelling alternatives. These struggles were a major driver behind the issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC).  Some good technologies exist, but higher costs and burdens associated with these technologies mean they are not feasible unless we can use them across multiple sites.

As identity virtuoso Tim Bray noted in an article in Time this past week:

“The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.”

A great thing about my job at NIST is: I get to lead a team of some of the smart people working on this.

An even better thing about the job: we’ve been joined by more than 200 companies and organizations in the Identity Ecosystem Steering Group (IDESG) – a private organization established to help support the implementation of NSTIC by tackling the creation of an Identity Ecosystem Framework – essentially the “cooperation and infrastructure” that Bray talks about.

IDESG has done awesome work over these last two years, and is making progress each week on version 1.0 of this Identity Ecosystem Framework, with a release target set for early next year. The Framework will provide a set of standards and operating rules that organizations can use to reduce their vulnerability to hackers – enabling their customers to use a set of more secure, privacy-enhancing, easy-to-use, interoperable solutions in lieu of passwords.

While we need more work done in the IDESG, we also need more of you. Many hands make light work and many minds make great work.  The more participants we can attract to the effort, the faster we can make progress.  IDESG is set to meet later next month in Tampa, September 17-19, alongside the Global Identity Summit.  Registration is free.  We look forward to you joining us there. While face-to-face working sessions are more productive, if you simply can’t get to Tampa that week, we always offer options for online participation. Check out www.idecosystem.org for more info.


Creating More Options to Improve Privacy and Security Online

It’s well established that diversity of thought and backgrounds strengthens organizations of all kinds and that diversity is a key component of a strong economy. At the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office (NPO), we believe diversity is also the key to establishing a vibrant marketplace of options to replace outdated passwords with reliably secure, privacy-enhancing and convenient ways to prove who you are online.

The Identity Ecosystem Steering Group (IDESG) was launched under the auspices of the NPO but is a privately led group laying the groundwork for that marketplace through policy and standards development. The group held its ninth plenary meeting this week at the National Institute of Standards and Technology in Gaithersburg, Md. The meeting brought together a broad coalition of individuals and representatives from industry, privacy and civil liberties advocacy groups, consumer advocates, government agencies, and more, focused on giving people choices when they conduct secure transactions online.

Instead of giving up lots of personal information every time you go online, you could choose who gets what information about you by allowing a trusted third-party to verify your online identity and then assert specific attributes on your behalf—only as needed for a transaction.

At the IDESG meeting, we heard from pilot participant ID.me, which is collaborating with vendors such as Under Armour to provide discounts to military families and first responders. ID.me is in the process of receiving higher level certification for its solution so that users can access government services and medical records.

Pilot recipient PRIVO and its partners are helping online sites that cater to children obtain verifiable parental consent—giving parents new ways to protect their kids online. The Georgia Tech Research Institute and TSCP are each working on frameworks and tools that provide supporting infrastructure to enable increased interoperability—allowing different systems to work together. Even among companies not involved in the IDESG and NSTIC, we are seeing improved identity and authentication options in the marketplace.

The steering group and pilots are providing safe environments for competitors and organizations with diverse policy goals to work together to innovate and solve some of the underlying challenges to online authentication. Together, they are working on identity solutions that follow the NSTIC principles of being privacy-enhancing and voluntary, secure and resilient, interoperable, and cost-effective and easy to use.

We understand that not everyone will be comfortable with the same identity providers. Some might prefer to trust their information to a well-established company or government agency; others may prefer a non-profit or advocacy group, or a combination of these organizations. Through the IDESG and a series of pilot grants, NSTIC is fostering a diverse marketplace that will give users options.

This week we were fortunate to have representatives from AARP, the American Civil Liberties Union, the NAACP and the National Federation of the Blind to highlight the diversity of the online community. We encourage organizations such as these to join IDESG – and to explore partnerships to create identity solutions that look out for the interests of their communities in this new marketplace.

The more organizations that engage with the IDESG, the better the organization can lay the foundation for a full spectrum of trusted online ID providers. Online, as in life, we’ll find strength through diversity.


Join Senior Administration Officials at Upcoming IDESG Plenary, June 17-19, Washington, D.C.

Implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is in full stride. Our three complementary initiatives – partnering with the private-sector led Identity Ecosystem Steering Group (IDESG), launching the Federal Cloud Credential Exchange (FCCX), and catalyzing the marketplace through NSTIC pilots – are hitting major milestones in 2014, contributing significantly to the emerging Identity Ecosystem envisioned in the strategy. We hope you will join us outside our nation’s capital at the NIST campus in Gaithersburg, Maryland, June 17-19 to learn more, network with those engaged in NSTIC initiatives, and join in the important ongoing work of the IDESG. Virtual participation will also be available. Agenda highlights include:

White House Update. Michael Daniel, White House Cybersecurity Coordinator and Special Assistant to the President, will provide perspectives on the NSTIC as a key Administration identity and privacy initiative, including the importance of NSTIC to the Administration’s efforts to improve cybersecurity.

Department of Commerce Update.  Bruce Andrews, the nominee for Deputy Secretary of Commerce (and currently its Chief of Staff) will discuss how NSTIC fits in with broader Commerce Department and Obama Administration initiatives around privacy, innovation, and economic growth.

Trusted Identities for Electronic Health Records.  A senior representative of the Office of the National Coordinator for Health Information Technology (ONC) will kick off a session focusing on joint ONC-NSTIC activities in leveraging trusted identities to secure the exchange of health information online.  Panelists will discuss how the IDESG Health Working Group and HIMSS Identity Task Force will collaborate to inform ONC work.

NSTIC Pilot Update.   2013 pilot awardees ID.me, TSCP, GTRI, and Privo are currently deploying their innovative solutions in the marketplace, going into production in multiple industry segments including financial services and retail.  Join this session to see how these innovative solutions are meeting the increasing need for more secure, privacy-enhancing identity solutions online.

IDESG plenary and committee meetings. The IDESG – now newly incorporated as an independent, 501(c)(3) not-for-profit corporation – will focus discussion on building an Identity Ecosystem Framework of standards, policies and business rules to support the implementation of the NSTIC.  IDESG is driving toward this with support and resources from a broad and diverse array of stakeholders in the public and private sectors. The current focus is on building requirements and processes needed to establish trust mark and certification programs by the end of 2014.  We hope you will join us for an exciting three days for the NSTIC and the IDESG. For more information and to register, visit http://www.idecosystem.org/9thPlenary


My heart bleeds for better identity solutions, my brain is excited by the progress

Last week marked three years since President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC). In the NSTIC, the President called for a new private-public sector partnership to create an Identity Ecosystem, where all consumers could choose from a variety of credentials that could be used in lieu of passwords to enable more secure, convenient and privacy-enhancing transactions everyplace they go online. 

Looking back over the last three years, one thing that stands out is how much easier it has become to make people understand the problems with passwords – the recent Heartbleed bug is only the latest in a seemingly endless series of incidents highlighting this issue – and the need to embrace multifactor authentication as a way to protect themselves against attacks. 

While it’s been great to see the marketplace respond with increased support for two-factor authentication solutions, the reality is that consumers aren’t going to respond to an effort to replace the 25-30 passwords most of us manage today with 25-30 separate, stovepiped two-factor solutions. We have to do better.

To truly improve security, we need to also improve convenience.  And that requires interoperability of strong credentials – at both a technical and a policy level – enabling consumers to use (should they so choose) the same strong credential at multiple sites.

To that end, it was great to see more than 170 people gather in person at Symantec’s headquarters in Mountain View, California earlier this month – joined by another 70 online – for the 8th plenary meeting of the Identity Ecosystem Steering Group (IDESG).  The IDESG was formed 20 months ago specifically to create a framework of standards, policies and business rules for the Identity Ecosystem that would enable this interoperability. 

What stood out about this most recent meeting was how much progress the IDESG is making – in both committees and in the full plenary – on advancing the Identity Ecosystem Framework (IEF): 

  • Incoming Plenary Chair Kim Little-Sutherland and Management Council Chair Peter Brown presented on plans to craft version 1 of the Identity Ecosystem Framework by the end of 2014.  This would create a baseline for entities to self-attest to compliance with the IEF and set the stage for development of a comprehensive compliance and conformance program in 2015.  Based on the draft presented, the IDESG committees will work this year to finalize the rules, policies, standards references, and other components needed to support the Identity Ecosystem envisioned in the NSTIC.
  • We saw the Security committee present version 1 of Identity Ecosystem functional elements that will help to guide other IDESG deliverables going forward.  Adam Madlin of host Symantec shared with the plenary guidelines on how IDESG committees can leverage these functional elements and a set of requirements derived from the NSTIC to develop IEF functional requirements specific to the committees’ domains, and components necessary for the framework.
  • We saw the first round of NSTIC pilots report on their progress in catalyzing a marketplace of trusted identity solutions: Criterion, AAMVA, Internet2 and Daon participated in a panel discussion exploring the challenges in balancing the four NSTIC guiding principles in pilot design and execution.  They also stressed the importance of articulating a clear value proposition for individuals in using trusted identities to conduct online transactions to ensure pilot success.
  • We heard from two new NSTIC pilots focused on state governments: Michigan and Pennsylvania detailed how their pilots will improve online delivery of state government services by leveraging trusted identity solutions.
  • And we saw a new NSTIC cross-pilot collaboration working group meet in person in Mountain View, focused on ways to capitalize on the lessons learned in the pilots and translate these into concrete recommendations to the IDESG.  Of note, Ryan Fox of the ID.me NSTIC pilot, in a presentation to the Standards Coordination Committee, described common challenges in identity proofing across multiple pilots, including the need in the market for metrics to better measure the performance of Knowledge-Based Authentication (KBA) solutions.  Such metrics could enable relying parties, such as financial services institutions, health care providers, and retailers to assess the comparative reliability of commercially available KBA solutions to conduct online identity verification, including user authentication.  The cross-pilot working group suggested that the IDESG contemplate proposing development of a new KBA performance standard in an appropriate Standards Development Organization – a potentially very useful standard to reference in the IEF.

The role of the pilots in supporting the IDESG – and of the IDESG in supporting the pilots – continues to expand with each plenary.  As both efforts advance, they are together helping to influence the marketplace, address barriers to marketplace adoption of better identity solutions, and create a framework to support a viable Identity Ecosystem.

Three years in, there is still much work to be done – but there is also tremendous progress.  With the IDESG incorporating as a formal not-for-profit corporation, the formal launch of the Federal Cloud Credential Exchange (FCCX) later this spring and a third round of NSTIC pilots set to launch in September, 2014 looks to continue to be a very exciting year.

We appreciate the efforts so many of you have made over the last three years – and look forward to working more with you over the months and years to come as we drive material improvements in the way we enable trusted identities in cyberspace. However much it pains us to see yet another failing of poor authentication systems, it only serves to validate our efforts to date and motivate us to work harder towards the NSTIC vision.

We look forward to seeing you all at the Ninth IDESG plenary, which we are pleased to host at NIST June 17-19.


REMINDER: 8th IDESG Plenary Meeting in Silicon Valley, April 1-3

We cordially invite you to join us at the 8th in-person plenary meeting of the Identity Ecosystem Steering Group (IDESG), hosted by Symantec at their headquarters in Mountain View, Calif., April 1 – April 3.  In-person and virtual participation is free and open to all stakeholders interested in building an environment that ensures transparency, confidence and privacy online in a way that is easy to use and understand for businesses, governments and individuals.

Register to attend here. Review the agenda for the April plenary meeting here.

Three things stood out during the last plenary meeting in Atlanta:

  1. The National Strategy for Trusted Identities in Cyberspace (NSTIC) pilots are starting to drive the conversation.
  2. Trustmarks matter, and the work being done in some of the NSTIC pilots is helping to drive new concepts for trustmarks forward.
  3. The White House challenge to the IDESG: develop a basic trustmark scheme for the Identity Ecosystem and get backing from a handful of high profile early adopters.

The upcoming April IDESG plenary will further advance progress on these issues and more; stay tuned for more details on what to expect in Mountain View April 1-April 3.

Since the IDESG first launched in August 2012, it has willingly taken on the complex and messy challenges of crafting a framework for identity solutions that can replace passwords, allow individuals to prove online that they are who they claim to be, and enhance privacy. Since that first meeting (more about the very first IDESG meeting here), more than 200 organizations and individual members—your colleagues, your partners and perhaps even your competitors—have joined together to help move the Identity Ecosystem Framework forward.  We look forward to you joining us in April.


Putting the Fed in Federation (Part 3): A New Way to Buy Identity Services

Co-authored by: Dave McClure, Associate Administrator, Office of Citizen Services and Innovative Technologies, GSA; Jeremy Grant, Senior Executive Advisor, Identity Management, NIST; and Randy Miskanic, Vice President Secure Digital Solutions, USPS

As part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), President Obama directed Federal agencies to be early adopters of the Identity Ecosystem – which NSTIC defines as “an online environment where individuals and organizations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”  Specifically, NSTIC calls upon agencies to:

“… lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework.  By adopting Identity Ecosystem solutions as a service provider, the Federal government will raise individuals’ expectations and thus drive individuals’ demand for interoperability in their transactions with the private sector and other levels of government.  As a subject, the Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.”

In simple terms, this means that the Federal government should leverage the benefits of a privately-led Identity Ecosystem to offer better online services for citizens and businesses. To do this, we need:

1. A way for all agencies to leverage their purchasing power to buy standardized identity and authentication services that are interoperable across agencies.

2. A common infrastructure – the Federal Cloud Credential Exchange (FCCX) – that will allow agencies to integrate with these services with minimal effort.

3. A compelling business case that encourages the private sector to get their identity and authentication solutions approved for government use via the GSA Trust Framework Solutions program.

We’ve made good progress in establishing the common infrastructure – the US Postal Service (USPS) awarded a contract last summer to stand up the FCCX.  GSA also recently updated its Trust Framework Solutions program.  Both of these actions will make it easier for government and industry to partner on identity solutions that are standardized, interoperable, and offer value to all parties.

We still have work to do on establishing a way for agencies to buy standardized identity and authentication services.  While FCCX is the infrastructure to enable shared authentication services, we still have a hole in terms of standardizing credentials and how we buy them.  As a result, some agencies that have been moving forward with non-PKI solutions at levels of assurance (LOA) 2 and 3 have been doing so with solutions that do not interoperate with each other.  This is a problem for all of us as taxpayers and as citizens – we should not be asked to obtain and manage multiple credentials to do business with the government online.  As former White House Cybersecurity Coordinator Howard Schmidt noted in a blog post:

“…a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has…Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts.”

A government-wide acquisition strategy is vital to realizing this vision – because agencies can only benefit if they are able to leverage a wide pool of interoperable credentials, and because our private sector partners need a clear and consistent understanding of how government will pay for their services.

GSA, NIST and USPS are working on an integrated strategy that creates an approach for government to purchase standardized identity solutions using a government-wide contract.

The approach we will be pursuing is fundamentally different from the way that the government has procured these kinds of services in the past.  Rather than pay for credentials, we intend to pay for authentication and attribute validation services.  This is fundamentally different for two reasons:

1. It provides industry flexibility in pricing its service to include elements like identity proofing and token issuance.

2. It allows industry to be compensated for the authentication of – and attribute exchange involving – credentials that were not originally issued for government purposes.  So long as the credentials are approved for government use, credentials issued originally for commercial purposes could also be the source of additional revenues the first time the credential is used at a government site.

This model shifts the government’s acquisition focus to what it needs:  services that provide authentication and attributes. Credentials are of course a necessary element of these services – but that fact alone does not mean the government should embrace a model where it pays for citizen credential issuance. Our strategy enables the NSTIC vision of a vibrant Identity Ecosystem where the same credentials can be used across the public and private sector.

While this long-term strategy is being fleshed out, the GSA’s Federal Acquisition Service (FAS) earlier this month released a Request for Proposals (RFP) under its Alliant vehicle seeking a limited quantity of authentication services to support the first phase of the FCCX pilot.

This RFP is intended solely to support authentication services at LOA 2 and 3 for the FCCX pilot.  It does not represent the government’s long-term acquisition strategy for these services.  The next logical step – which we will pursue over the next year – is an acquisition vehicle that can support millions of authentication transactions for government services each year, and that will create a path for newly certified solutions to gain a spot on this acquisition vehicle.  As we seek to benefit from the broadest array of choices in the market, we need to let the marketplace know “if you are certified, you’ll be eligible to sell to us.”

Our long-term goal is a vibrant ecosystem where citizens can choose to use a credential they already have to access most government sites and services, and where identity providers have a compelling value proposition to meet government requirements and provide identity services.

Our offices are working through this strategy now and intend to develop it further over the next few months through collaboration both with government and industry. There is more to come, so stay tuned!
