A Retrospective Look: Eating our own dog food with dogged determination

It can be hard to serve as an early adopter of new technology. It usually means having very few (or no) examples to demonstrate what to do…and what not to do. Being the guinea pig is no easy feat, but we at the NSTIC NPO are embracing the challenge since we believe this is vital to facilitating the commercial adoption of identity solutions. After all, the NSTIC was clear that building a healthy identity ecosystem would require government to eat its own dog food.

An example of the federal government working as an early adopter is the partnership with the NSTIC NPO, the General Services Administration (GSA), and the U.S. Postal Service (USPS). We worked closely together to develop an “easy button” for agencies to provide an NSTIC-aligned way to improve services to constituents. Enter Connect.Gov (previously known as the Federal Cloud Credentialing Exchange, or FCCX). Connect.Gov creates a secure, privacy-enhancing service that allows individuals to use a digital credential they may already have—and that they can ideally use online at non-government sites—to connect to online government services and applications. Connect.gov allows an individual to access multiple agency websites and online services by signing in with an approved third-party sign-in partner.

In a blog from 2013, Naomi Lefkovitz explained the challenges faced by the government as an early adopter of federated identity:

No matter the elegance and simplicity of federated identity as a concept, we all know that it has been much more complicated to put into practice. Some may view the federal government’s attempts as failures, but we believe that it takes an iterative process to get a complex initiative right.

Time has passed since that first blog—and we continue to get closer to completing this complex initiative. For example, we are learning about how to address the issue of liability by setting liability limits as part of the credential service provider contract. Figuring out if we have the model right will take time and require tweaking, but the result will be impactful. We also have learned that simple and scalable relying party (RP) integration continues to be a challenge; we need to make standardized tools available to RPs.

We still face many challenges, but overcoming them will make our successes even sweeter. Along the way, the program can be proud that it has already:

  1. Built a platform with innovative architectural design that preserves individuals’ privacy through collaboration with USPS, agency relying parties and technology providers;
  2. Integrated two certified credential service providers at level of assurance (LOA) 2 and 3 and three more at LOA1; and
  3. Entered soft-launch production with our first agency applications and have several additional production implementations on track by the end of the year.

As Connect.Gov continues to progress by on-boarding more agencies and enhancing its capabilities, the benefits to both the user and agencies will increase. Additionally, our team of GSA, NIST, and USPS already has an eye toward the future. We currently have a testable protocol for encrypted attributes in an effort to explore additional privacy-preserving hub architectures and have an RFI out as part of a collaborative process with industry to develop appropriate business models for federated identity services.

We have a lot to look forward to and a lot to be proud of. We are excited to see how this capability will enable stronger online transactions for users in an easy-to-use and privacy-preserving way.

To learn more about how Connect.Gov simplifies access, protects privacy, and provides choice, please click here.

Follow the NSTIC NPO on Twitter for the latest updates.


Posted in Uncategorized | Tagged , , , , , , , , | Leave a comment

A Retrospective Look: Smelling the roses in the IDESG

The Identity Ecosystem Steering Group (IDESG), now in its third year, is a key part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). It serves as a forum to build the core set of rules and standards to promote privacy, security, interoperability, and ease of use for online services. I wouldn’t say IDESG meetings are exactly like standards development meetings, but they are similar in that much of the contention and dissention makes me sure of two things:

  1. There is some good old-fashioned policymaking going on, and
  2. Something that really matters must be on the agenda.

If we hit the pause button and take a moment to reflect, it turns out there’s some really promising forest amongst all those trees. In the IDESG in 2014, we saw a Strategic Plan that sets in place a broad series of outcomes and a Framework Development Plan that more granularly describes how the work would get done. Implicit—and sometimes explicit—in those documents are a thousand decisions IDESG members must collectively make. Colin Soutar, a consultant who has supported our office the last two years and was previously chair of the IDESG security committee, likes to remind us that, “nothing raises folks’ level of attention like the whiff of a decision being made.” These decisions and deadlines are the smelling salts of policymaking and cross-organizational collaboration.

What is great about the IDESG is that it offers a public-private sector forum with broad, open membership, no cost for entry, and global availability for all plenary and committee meetings (with time zone apologies to our IDESG members overseas). With a consensus process that gives everyone multiple opportunities to present solutions and provide feedback, the IDESG is set up to address tough issues and get sometimes contentious deliverables done right. The process is not always smooth, of course. Indeed, the bumps in the road are often the hallmark of an inclusive and exhaustive process that is working toward products and programs of real consequence.

As the IDESG evolves in its third year, we are seeing work on the Identity Ecosystem Framework (IDEF) progressing deliberately and in an organized manner. The IDEF is a foundational document that presents the core requirements and standards, functional model, and means to assess and recognize conformance for the participants of the Identity Ecosystem. As noted, the IDESG issued a Framework Development Plan last year that calls for the IDESG committees to work collaboratively to implement the IDEF and a self-assessment and attestation program later this year. If you’ve been paying close attention, you’ve seen the IDESG committees set a real cadence. Key to this progress is the IDESG Framework Management Office, which was established last year to be the focal point across the IDESG for all framework development efforts. This past September the IDESG held one of its most significant meetings to date—approving its functional model, a strategic plan, and a framework development plan. At its January meeting, the IDESG continued this progress, assessing draft IDEF requirements and welcoming a new Executive Director. The wheels are turning and the IDESG is most definitely accelerating its pace.

There is no question that the rest of 2015 will be critical for the IDESG to build on its current momentum and deliver on its goals, but what exactly should this look like? For my money, the most important question is whether the IDESG can stay focused on getting two key things done right:

  1. Getting requirements approved and standards adopted. Two of the most essential components of the Identity Ecosystem Framework are requirements and standards—a fact emphasized in both the Strategic Plan and the Framework Development Plan.
  2. Establishing a self-assessment and attestation program. While not the ultimate end-state of the IDESG recognition program, it is a critical step for the IDESG.

Accomplishing these two objectives this year should jumpstart the ability of multiple organizations and online service providers to identify and adopt trusted identity solutions and improve their delivery of secure, efficient, and privacy enhancing online services.

With the Framework Management Office in full swing and ushering these processes along, a full-time executive director, dedicated communication support, and streamlining of governance and approval processes underway, the IDESG has the structures in place to continue increasing the pace of progress in accomplishing its goals. So too must our expectations. We should all continue to drive deliverables to help the IDESG in its mission to develop the IDEF. The IDESG is better positioned for success than it has ever been before and with continued effort, sharp focus, and clear prioritization, the organization is poised to demonstrate tangible and valuable progress to its members, stakeholders, and the identity market as a whole.

So what’s in store for the IDESG in the near future? I believe we will see some major products, such as the Identity Ecosystem Framework (v.1) and the Self-Assessment and Attestation Program (v.1). And if progress continues to accelerate, we might just find the IDESG coming up roses in 2015.

If you’re at RSA, attend the IDESG/NIST joint event today! April 22, 4:00pm PT, Moscone South, Room 300. Read more here.

Register to join the Identity Ecosystem Steering Group here.

Follow the NSTIC NPO on Twitter for the latest updates.

Posted in Uncategorized | Tagged , , , , , , , , , , , | Leave a comment

To the Identity Ecosystem and Beyond: It’s the NSTICiversary!

Today we celebrate the most special of days for the NSTIC National Program Office. Four years ago at the U.S. Chamber of Commerce in Washington, D.C., we released the President’s strategy to enhance the choice, efficiency, security, and privacy of online transactions.

As you are seeing this month in our retrospective blog series—two are posted with two more coming—this community has accomplished a great deal in the last four years. It’s clear we’ve come so far…but still have much work to do.

You’ve already seen this month isn’t just about April Fools’ Day pranks for us. Over the last three weeks, we’ve announced a new funding opportunity for privacy-enhancing technologies, opened a comment period on SP 800-63-2, and released a report on our pilots program.

We’re also preparing to transition the NPO’s leadership: at the end of April, Jeremy Grant will leave the public sector and I’ll step in to replace him. Through this transition, some things will change, but much of the great work we’ve been doing with the community will continue: running a pilots program that is moving the market toward broader use of strong, federated, privacy-enhancing credentials; supporting Connect.gov, which is in operation and driving government as an early adopter of NSTIC solutions; and participating in the IDESG as it enters the homestretch to finalize requirements and release v1 of the Identity Ecosystem Framework.

As the pace of change increases in the marketplace so must the pace of our efforts. Over the next several months, we’ll be announcing a host of initiatives to show just how the NPO plans to see the job through. Check back often for updates – we’ll continue to post about our progress throughout this leadership transition and beyond. In the meantime, happy NSTICiversary!

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , | Leave a comment

A Retrospective Look: NSTIC pilots catalyzing the Identity Ecosystem

Oh NSTIC pilots, the places you’ll go… ! It’s no secret that the NSTIC Pilots Program is important to the successful implementation of the NSTIC. Pilots are arguably the most visible initiatives we’ve launched in the NSTIC National Program Office (along with the Identity Ecosystem Steering Group and Connect.gov). We have made the pilots a priority because they are a key component in advancing the NSTIC vision, complementing the work of the IDESG and Connect.gov; they are laying the groundwork for a vibrant new marketplace of identity solutions by developing and deploying technology, models, and frameworks that wouldn’t otherwise exist.

As the pilots progress, their work sheds light on common challenges in catalyzing and operating in the identity marketplace. At the NSTIC National Program Office (NPO), we believe that sharing these challenges is important to help inform other stakeholders and advances in the Identity Ecosystem. Thus, the NSTIC NPO just released a publication that explores these ‘common themes’. For example, from a technical perspective, pilots expanded upon the critical role of componentization of identity functions in establishing sustainable solutions.

The pilots have also uncovered key themes around business drivers and the marketplace. As a non-technical example, the pilots determined – among many other things – that it was necessary to present their solutions in a way that spoke to revenue generation and customer retention for RPs. In addition to exploring these themes, the publication provides summaries and outcomes of the NSTIC pilots.

And while our pilots have been busy uncovering important themes and lessons learned for the Identity Ecosystem, they’ve also been making substantial progress in their own identity solutions in the past year. The pilots’ progress is notable as they have collectively enabled veterans, children, college students, and others to engage online in more trusted ways.

  • ID.me enables close to 1 million service members, veterans, teachers, first responders, and students to access discounts and benefits online from more than 200 commercial organizations (e.g., Sears, Sea World, Under Armour), government entities, and non-profit organizations without having to share sensitive documents or personally identifiable information each time they want to prove eligibility.
  • Privacy Vaults Online, Inc. (PRIVO) offers parents a single portal to learn about the privacy practices of relying parties (RPs) that use PRIVO’s solutions, then provide and revoke consent for sharing their children’s personal information with these applications and websites. More than 247,000 accounts are under management by PRIVO, thus providing a unique location for parents to assert their identities and implement their online parental rights. The solution gives parents more granular view and control over which specific attributes get shared with which RPs on a feature by feature basis.
  • Internet2 is developing tools and initiatives to advance privacy-enhancing technology for the Identity Ecosystem. Their work has catalyzed adoption in the research and education community; currently, over 140 universities have begun to deploy a variety of multi-factor authentication (MFA) technologies. By addressing MFA management at the enterprise level, this work has provided a vital missing piece for scaling MFA.
  • Criterion has successfully deployed a user-centric online attribute exchange network (AXN) that enables individuals to enhance their existing credentials (e.g., email, social network providers) for use in secure transactions. Criterion piloted the AXN solution at Broadridge, enabling customers to securely access mobile delivery of financial services content, bill presentment, and bill pay. Criterion then launched with a new Broadridge/Pitney Bowes joint venture, offering secure digital delivery to 140 million customers.

We are proud of our pilots’ achievements, and are excited to share more details of their work with all of you. While the report does explore important themes for all organizations operating in the identity marketplace, it also highlights the need for the NPO to maintain a strong pilots program. In the long-term, the focus of the Pilots Program will shift its focus from addressing broad barriers to filling critical gaps in the Identity Ecosystem, continually evolving to help address market impediments as they emerge. The NPO’s recently released solicitation specifically focused on advancing privacy-enhancing technologies (PETs) marks a first step in this evolution. As we wrap up finalist selections for this year’s first round of NSTIC pilot funding and await applications for the second, we look forward to the great potential for progress in 2015 and beyond.

Read NSTIC Pilots: Catalyzing the Identity Ecosystem here or here.

Follow the NSTIC NPO on Twitter for the latest updates.

Posted in Uncategorized | Tagged , , , , , , , , | Leave a comment

A Retrospective Look: Advancing standards for strong identity and authentication in the Identity Ecosystem

As the NSTIC pilots develop and implement innovative identity solutions, they are confronting head-on the challenges of attempting to convince the marketplace to adopt them. We are enthusiastic about organizations that are pioneering new identity technologies, but recognize that widespread adoption of these technologies require that they be interoperable. Standards are essential here; without them, consumers and businesses have no way to easily adopt these technologies, or judge how – if at all – to trust them.

Recently, we have been excited to see the market start to respond to this need, creating new standards that make strong identity and authentication more convenient for businesses and their users. And with this, we’ve seen the IDESG Standards Coordination Committee (SCC) start to identify where there are gaps in the current set of standards – either places where existing standards need to be revised and improved, or where brand new standards may be needed to fill gaps.

One example of the latter involves knowledge-based authentication (KBA). While KBA is widely used today, there is no performance standard for KBA solutions – something that many of the NSTIC pilots have flagged as a significant challenge. The SCC is pursuing approaches to work with industry in developing a performance standard for KBA, with the goal of allowing organizations that issue credentials – and those that accept them – to be confident that users accessing their site are who they say they are. The addition of metrics to dynamic KBA may allow organizations to make well-informed decisions that reduce the risk of unauthorized disclosure, while increasing the overall trustworthiness and efficacy of the Identity Ecosystem. Additionally, they could give a greater level of control to the organization making the risk decision.

Outside of the IDESG, the health sector is also making strides here by initiating a project to standardize the secure exchange of health information in a way that puts the individual first. Through the Open Identity Foundation’s Health Relationship Trust (HEART) project – with support from the Office of the National Coordinator (ONC) for Health IT – industry is working to ensure that patient consent and authorization to health records will no longer be a tedious, paper-based, and confusing task. HEART is targeted at health information sharing, but more largely it represents a holistic effort to enhance the security and privacy of three standards – OAUTH, OpenID Connect, and UMA.

Mobile applications have also seen substantial advancements this past year with organizations like the FIDO Alliance (Fast Identity Online) broadening the aperture on how individuals can use devices they already have to replace passwords, or support more convenient, easy-to-use multi-factor authentication. With this standardization, individuals have more choice than ever in how they authenticate, whether it is with biometrics (like fingerprints or facial recognition) or traditional hardware and software tokens (like SMS passcodes or USB keys).

While there has clearly been serious standardization progress lately, there is still great work to come. As we continue to develop these new standards, it’s important to keep in mind that privacy by design and user friendly authorization must be inherent in standards and technology.

In addition to these familiar concepts, standards need to take new technologies into consideration. For example, the emerging Internet of Things (IOT) offers exciting new possibilities, but also raises privacy and security concerns. NIST is starting to explore how standards may help to jumpstart these innovative technologies and provide frameworks to address potential risks.

NIST recognizes the advancements in standards occurring throughout the private sector. In order for the government to benefit from these advances in the marketplace, it is imperative for NIST to evolve our standards accordingly. As such, the NIST Computer Security Division has issued a “Note to Reviewers” to explore new ways to apply innovation within Special Publication (SP) 800-63, Electronic Authentication Guidelines, across all levels of assurance. While SP 800-63 is required for federal agencies only, a potential future revision could benefit consumer-facing services the government offers, including Connect.gov and the private sector identity service providers that are intrinsic to the delivery of strong authentication to the government. Public and private sector input will be imperative in shaping this important document, and the impact it could have on the Identity Ecosystem.

Solid standards are imperative to the implementing the NSTIC. They help drive the adoption of strong authentication technologies by increasing the interoperability and ease of use of identity solutions. We are thrilled with the recent advancements, and are eager to see new challenges addressed through standards in 2015 and beyond.

Follow the NSTIC NPO on Twitter for the latest updates.


Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

A new look at levels of assurance

Spring is a great time for change, and here at the NSTIC NPO, we like to think we’re always ready for change. When we catch wind of a change in the world of online identity, we like to prepare early.

We also like to think we listen to our stakeholders. The message has come through clear and simple: four levels of assurance simply aren’t enough. We’ve heard you, and we’re ready for change. It’s a good thing, too, because we’ve recently heard a rumor of a possible new memorandum coming out of OMB and, because we prepared early, we know exactly what we have to do.

If the early indications are accurate, OMB’s M-15-15 will redefine the way we do online authentication. Just as its predecessor OMB M-04-04 defined the four levels of assurance, M-15-15 is responsive to the needs of government for e-authentication and creates a workable framework understandable to all. Today we’re responding to the call for M-15-15 and its 15 levels of assurance. Without further ado, we think our multi-stakeholder approach to establishing these levels has really hit the mark:

Level 1: The stranger

Level 2: Meh

Level 3: Not if you were the last credential on earth

Level 4: Dude. Dude. DUDE.

Level 5: I’m never gonna let you in

Level 6: Reasonable confidence subject is not wearing a cape

Level 7: A bear? Oh don’t apologize, I get it all the time

Level 8: 4realz?

Level 9: I hope you are I hope you are I hope you are

Level 10: I think therefore you are

Level 11: I am what I am and that’s all that I am

Level 12: I think you are I think you are I think you are

Level 13: Identity matrix

Level 14: Abso-freakin-lutely

Level 15: Totes McGoats

Industry response to this effort has been fantastic and we thank our partners for their efforts. World-renowned identity guru Ian Glazer says, “Sure, sometimes you need to know whether someone is a fictional character or an actual carbon-based entity, but it’s just not important whether it’s Darth Vader or Little Bo Peep. That’s why we needed level 6, and that’s exactly what we got. Way to go, NIST.”

Kim Sutherland, plenary chair of the IDESG, was more concerned about higher levels of assurance. “The old approach just didn’t have the quantitative depth that we needed for our work. With the new level 13, we can finally conduct the matrix multiplication necessary to properly authenticate in today’s complex risk environment. I can’t thank NIST enough.”

Just doin’ our jobs, ma’am.

Follow the NSTIC NPO on Twitter for the latest updates.

Posted in Uncategorized | Tagged | 3 Comments

As NSTIC Turns 4…

Next month, the National Strategy for Trusted Identities in Cyberspace will celebrate its fourth “NSTICiversary” – marking four years since President Obama called for industry, advocates, agencies, academics, and individuals to collaborate to make online transactions more secure for businesses and consumers alike.

Over the past four years, we’ve been privileged to work with thousands of stakeholders to jumpstart an Identity Ecosystem where all Americans can choose from a variety of interoperable tools that they can use for more secure, convenient, privacy-enhancing experiences online.

With this anniversary, I’ll be leaving my role as head of the NSTIC National Program Office (NPO), off to find the next great adventure. I’m thrilled that Mike Garcia, the NPO’s Deputy Director, will be stepping into my role, and I’m excited to see what he and the rest of the NSTIC team accomplish in the next phase of this important program.

As I prepare to leave, I’ve been asked by a lot of colleagues “where do you think we are with NSTIC?”

My answer has been that the country is in a great spot. At its core, NSTIC called for the marketplace to lead in advancing the Identity Ecosystem, and the marketplace has responded.

  • Today, many of the firms we all do business with online are offering new, standards-based two-factor authentication solutions, enabled by new specifications like OpenID Connect and the Fast Identity Online (FIDO) Alliance’s Universal Two-Factor (U2F) and Universal Authentication Framework (UAF) specifications – enabling consumers to have more secure, easy to use alternatives to passwords to protect themselves online.
  • 15 NSTIC pilots have helped to catalyze the identity marketplace, impacting students, senior citizens, veterans, and consumers of all types. The pilots are collectively laying the groundwork for a vibrant new market; they are developing and deploying solutions, models, and frameworks for online identity that didn’t previously exist. And, they are informing the development of the Identity Ecosystem Framework being developed by the Identity Ecosystem Steering Group (IDESG).
  • Connect.gov is launching with several agencies, ensuring that a veteran who wants to not only get access to digital services at the VA – but also access digital government applications at the State Department, GSA, and NIST – can use the same strong credential interoperably across all of those sites, without having to create a new account at each. Moreover, that credential, in most cases, won’t even be issued by the government – because connect.gov is built to allow people use a credential they already have, rather than get something new. Because of President Obama’s Executive Order this past October, other major US agencies will also soon be integrating their digital applications with connect.gov, enabling a wide new range of secure, privacy-enhancing services for citizens.
  • The IDESG is now an independent, non-profit corporation, and is making great progress toward delivering version one of an Identity Ecosystem Framework later this year. This Framework will deliver a baseline set of standards and policies that enables individuals and organizations to start using a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet.

To be clear, none of these efforts takes place in a vacuum. Rather, they each are integral pieces to solving the complex online identity puzzle. And because of the progress on each, four years into the effort, we are well on pace to meeting the interim benchmarks that were laid out in the Strategy itself. In honor of NSTIC’s fourth anniversary, we will be publishing a series of blogs on standards, our pilots, Connect.gov, and the IDESG—and will be looking at the progress that has been made, as well as laying out the work still to be done. And to be clear, there is still a lot to do, and many ways for people to still get involved. But the progress that this effort has made these last few years is notable. At a time when concerns about security and privacy continue to keep the Internet from reaching its full potential, the philosophy underpinning the NSTIC is more vital than ever.

As President Obama noted when he signed the Strategy:

“The simple fact is, we cannot know what companies have not been launched, what products or services have not been developed, or what innovations are held back by the inadequacy of tools, like secure passwords, long ago overwhelmed by the fantastic and unpredictable growth of the Internet.

What we do know is this: by making online transactions more trustworthy and enhancing consumers’ privacy, we will prevent costly crime; we will give businesses and consumers new confidence; and we will foster growth and innovation, online and across our economy – in some ways we can predict, and in others ways we can scarcely imagine.”

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , | 1 Comment

BREAKING NEWS: New Privacy Pilot Federal Funding Opportunity

The NSTIC NPO has just announced a new funding opportunity with a special focus on privacy enhancing technologies. NSTIC is soliciting applications from eligible applicants to pilot privacy-enhancing technologies that embrace and advance the NSTIC vision and contribute to the maturity of the Identity Ecosystem the NSTIC envisions: promote secure, privacy-enhancing, and user-friendly ways to give individuals and organizations convenience in their online interactions. 

Despite many recent improvements to the security and usability of online identities, the marketplace continues to struggle with the privacy-enhancing Guiding Principle of the NSTIC. This Guiding Principle is intended to address concerns that the development of more trusted and federated identity solutions could create risks for privacy and civil liberties, including risks that arise from the crossing of contextual boundaries (e.g., risks to privacy created by entities in different sectors linking individuals’ transactions) and the capacity for more tracking and profiling of individuals. Solutions in the identity marketplace tend to rely on policy-based mitigations to privacy risks even though, in many cases, privacy-enhancing technologies or architectural design choices could be more effective.

Barriers also exist to the implementation of privacy-enhancing technologies (PETs), including a lack of: protocols or standards for deployment of PETs that can be readily integrated with existing technologies in the marketplace; awareness that specific PETs exist and the types of risks these technologies can effectively mitigate; usability of PETs; and demonstrated proof of performance and scalability. Thus, the NSTIC NPO is interested in funding projects with innovative approaches to overcoming these barriers that align with all four of NSTIC’s Guiding Principles. Ideal projects will provide practical, market-ready solutions that appropriately balance policy and technical controls to mitigate specific identified privacy or civil liberties risks.

Examples of objectives that projects may strive to achieve include, but are not limited to:

  • Create and demonstrate technical standards or solutions for enabling the exchange of specific attributes associated with identities while minimizing the disclosure of incidental or non-operational personal information, including:
    • Operational technical standards or protocols to obscure intermediaries’ visibility into the identity attributes being shared in the online transactions they are facilitating;
  • Solve contextual boundary concerns that discourage user adoption of federated identity solutions such as blinding identity providers from relying parties, and vice versa.
  • Improving the usability of PETs, especially in establishing user understanding of what is occurring with user data.
  • Balancing transparency to individual users and ease-of-use.

The NSTIC privacy pilot program is new. NIST anticipates that awards will be in the range of approximately $750,000 to $1,500,000 per year per project for up to two years. For more details about the pilot program (along with deadlines and submission information), please visit http://go.usa.gov/3CSAk. Feel free to also share this important news with anyone you think may be interested!

Helpful information:

The deadline to apply is: Thursday, May 28, 2015 by 11:59 p.m. Eastern Time

Follow the NSTIC NPO on Twitter for the latest updates.

Posted in Uncategorized | Tagged , , , , , , , , , , , , , | Leave a comment

The IDESG hits a big milestone on the road to creating the Identity Ecosystem Framework

The Identity Ecosystem Steering Group (IDESG) has been hard at work delivering on version 1 of the Identity Ecosystem Framework (IDEF). This week, the steering group hit a major milestone: meeting a March 16th deadline for developing baseline requirements for the IDEF. While this is a big milestone for the IDESG, it also marks an important moment for private sector stakeholders interested in participating in the Identity Ecosystem (IE), since the upcoming IDEF – due out this summer – will enable individuals and organizations to start using a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet.

The IDEF is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the IE. This framework ultimately provides a baseline set of standards and policies that apply to all of the IE participants. Over the last year, four IDESG committees (privacy, user experience, security, and standards)—each of which is dedicated to building parts of the IDEF—have been working toward the IDEF by developing requirements. The committees have been dutifully mapping these requirements to the IDESG functional model, which breaks down all aspects of an identity interaction. All four committees have officially submitted these requirements to the IDESG Framework Management Office, which will now work to harmonize the committees’ efforts into one cohesive deliverable.

The IDESG will soon use these requirements for its self-assessment program, set to launch this summer; organizations will be able to attest that they comply with these version 1 “baseline” functional requirements. Heading into the next phase of work, the IDESG will then determine the mechanics of how organizations will self-assess compliance.

We’re thrilled to see IDESG members hit this major milestone. This marks the fulfillment of a major goal of the NSTIC—to define what an “interoperable, easy to use, secure, and privacy-enhancing” IE really looks like. We look forward to what is next for IDESG and are proud of the tireless efforts of its staff and many great volunteers!

Follow the NSTIC NPO on Twitter for the latest updates.

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , | Leave a comment

BREAKING NEWS: NSTIC NPO Announces 2015 Pilot Project Funding

The NSTIC NPO has just announced a 4th round of pilot program funding in 2015 for fresh and innovative identity solutions! The Strategy calls for the private sector to lead the development of an identity ecosystem where individuals can choose from a variety of credentials to use in lieu of passwords for interactions online. These pilots will ultimately address barriers to the identity ecosystem and seed the marketplace with “NSTIC-aligned” solutions to enhance privacy, security, and convenience in online transactions. We are excited to share this news with innovators of all kinds so they will apply for funding in order to address the toughest challenges in identity management. Pilots should create and demonstrate solutions that can help jumpstart the adoption of trusted strong authentication technologies in lieu of passwords, in alignment with the NSTIC.

Specifically, we are seeking to fund pilots that address challenges such as:

  • Concerns about the impact on privacy and civil liberties arising from the crossing of contextual boundaries and the capacity for more tracking and profiling inherent in federated identity solutions
  • The usability of strong authentication technologies
  • Balancing transparency to individual users and ease-of-use
  • Building security, privacy, and usability into commonly used architectures (e.g., RESTful API architectures) to manage access to personal data
  • Limited deployment of successful trust frameworks—especially addressing multiple sectors
  • Lack of commonly accepted technical standards for interoperability among solutions
  • Lack of strong authentication solutions that can be used across multiple sectors and relying parties (RPs)
  • Lack of clarity on liability and other complex economic issues (e.g., “who is liable if something goes wrong in a transaction?”  “How – if at all – should transactions be monetized?”)

The NSTIC pilot program was first launched in 2012, and to date has provided approximately $30 million for innovative identity projects.

For more details about the pilot program (along with deadlines and submission information), please visit http://go.usa.gov/3qEjV. Feel free to also share this important news with anyone you think may be interested!

Helpful information:

Follow the NSTIC NPO on Twitter for the latest updates.

Posted in Uncategorized | Tagged , , , , , | 2 Comments