Fourth and goal: closing in on the Identity Ecosystem Framework

It’s certainly too early to spike the ball, but yesterday the Identity Ecosystem Steering Group (IDESG) met another milestone by approving the initial set of baseline requirements for the Identity Ecosystem Framework (IDEF). These requirements are a critical element to building the IDEF—which the IDESG has been chartered to establish and govern. As identified in the NSTIC, successful establishment of the IDEF is a must-have in the ongoing successful development of online commerce, government efficiency, and effective and efficient communication among and between individuals, the private sector, and the public sector. The baseline requirements were developed by IDESG work committees to address minimum requirements for Identity Ecosystem participants in four key areas: privacy, security and resiliency, interoperability, and user experience. These areas align directly with the committee structure of the IDESG and with the Guiding Principles of the NSTIC.

The requirements will serve as the basis for the IDESG’s Self-Assessment Program—which is targeted to be operational later this year. Under this scheme, identity service providers and relying parties will be able to self-assess their own policies, procedures, and operations to the baseline requirements and attest to conformance to them. The IDESG will offer a public listing service for those organizations that self-assess and determine conformance to the baseline requirements. The functional model, requirements, Trustmark program scope, and scoping statement will comprise the initial version of the IDEF as envisioned in the strategic plan.

The IDESG Privacy, Security, Standards, and User Experience Committees, along with the IDESG Framework Management Office, have been working hard to develop the baseline requirements since last year. The Self-Assessment Program is intended to enable those service providers to apply the requirements to their own operations to determine where they meet the requirements—and to identify areas that may need some focused attention in order to conform to the baseline in the future.

It’s important to note that the baseline requirements are currently in the form of a set of requirement statements; the IDESG working committees are developing supplemental information for each of the requirement statements to further clarify and explain the requirements (and how they can be met at this stage). The supplemental information is intended to help explain the requirements to all audiences, but, in particular, is intended to help guide those organizations that intend to perform self-assessments against the requirements later this year. This supplemental information will be part of the IDEF v1 release later this year.

The next IDESG plenary will take place in Tampa, Florida, on September 24 and 25—co-located with the Global Identity Summit. The IDESG looks to complete the remaining aspects of IDEF v1—supplemental guidance, scoping statement, and self-attestation and listing service—in time for approval at this upcoming plenary. Kudos to the IDESG for accomplishing this major milestone, and we are looking forward to advancing further downfield this summer and getting IDEF v1 into the end zone.

Follow the NSTIC NPO on Twitter for the latest updates.


NIST joins the FIDO Alliance

Recently NIST joined the FIDO Alliance under its newly-created government membership class. The FIDO Alliance was formed in July of 2012 and aims to bring easy-to-use, privacy-enhancing authentication devices to the consumer mass market. FIDO-based credentials are designed to provide an anonymous key without any publicly available serial number or central authority. The FIDO 1.0 specifications allow for strong, multifactor credentials, a major point of focus in the National Strategy for Trusted Identities in Cyberspace.

NIST, which is home to the National Program Office for implementing the NSTIC, is committed to bringing stronger authentication to individuals – which makes this new partnership a logical and exciting next step toward achieving its mission. “We are thrilled that FIDO is welcoming government participation in this industry-led initiative, and we look forward to supporting the development of future specifications. We see this as a great opportunity to advance work on both sides and to bring NIST’s capabilities to the FIDO table,” said Mike Garcia, acting director of the NSTIC NPO.

Being a member of the FIDO Alliance will help government strengthen its role as an early adopter of new identity solutions. “I can see a day in the near future when some consumers will start to insist on leveraging a FIDO-based authenticator to access government services through Connect.Gov,” added Paul Grassi, NSTIC standards and technology lead. This partnership will also support the work of the Identity Ecosystem Steering Group (IDESG) as the goals of each organization are extremely complementary. The IDESG is a private sector-led organization developing a framework of requirements and policies—leveraging existing industry standards—for interoperability across the Identity Ecosystem.

Executive director of the FIDO Alliance Brett McDowell said, “Cross-sector collaboration is vital to wide adoption of FIDO specifications, and we consider NIST an ideal government member. There is little doubt that the NSTIC, and the work of the NSTIC NPO, have had a direct and positive influence on several of the contributors in the FIDO Alliance, and I’m optimistic about the great things we can accomplish working together directly to promote stronger authentication.”


Summer homework: NIST welcomes comments until 7/31 on draft privacy risk management framework

Update: Deadline extended to 7/31 at 5:00 PM ET!

Earlier today, the privacy engineering team at NIST released its draft NIST Internal Report 8062, Privacy Risk Management for Federal Information Systems, and is seeking comments on that draft. This report introduces a privacy risk management framework (PRMF) for anticipating and addressing privacy risks that result from the processing of personal information in federal information technology systems. In particular, it focuses on three privacy engineering objectives—predictability, manageability, and disassociability—and a privacy risk model.

In developing the PRMF, the team also created a privacy risk assessment methodology (PRAM) to leverage this new framework (appendix D in the report). Thanks go to the NSTIC pilots who decided to use the PRAM to support their alignment with the NSTIC privacy-enhancing and voluntary guiding principle and provide feedback. This effort reflects the cooperative and open process we value so highly with our stakeholders.

The PRMF is modeled after the NIST Risk Management Framework for managing cybersecurity risk and is intended to be a repeatable and measurable tool for improving the understanding, prioritization, and mitigation of privacy risks in information systems. However, more work needs to be done. The privacy engineering team is considering, for future work, how to provide guidance on the selection of technical, policy, and operational controls to address specific privacy risks.

NIST is soliciting input on the report through an open comment period. All feedback is welcome, particularly on the several specific questions for reviewers, available here. Please send all comments to privacyeng@nist.gov by July 31, 2015, at 5:00pm ET using the comment matrix provided.

We see the release of this draft report as a critical step in the process of how to address privacy concerns in the Identity Ecosystem in a more meaningful and consistent way. The public comment process is critical to building the best product possible – so please share the draft report far and wide and share your thoughts on it with us!


A Retrospective Look: Eating our own dog food with dogged determination

It can be hard to serve as an early adopter of new technology. It usually means having very few (or no) examples to demonstrate what to do…and what not to do. Being the guinea pig is no easy feat, but we at the NSTIC NPO are embracing the challenge since we believe this is vital to facilitating the commercial adoption of identity solutions. After all, the NSTIC was clear that building a healthy identity ecosystem would require government to eat its own dog food.

An example of the federal government working as an early adopter is the partnership among the NSTIC NPO, the General Services Administration (GSA), and the U.S. Postal Service (USPS). We worked closely together to develop an “easy button” for agencies to provide an NSTIC-aligned way to improve services to constituents. Enter Connect.Gov (previously known as the Federal Cloud Credentialing Exchange, or FCCX). Connect.Gov creates a secure, privacy-enhancing service that allows individuals to use a digital credential they may already have—and that they can ideally use online at non-government sites—to connect to online government services and applications. Connect.Gov allows an individual to access multiple agency websites and online services by signing in with an approved third-party sign-in partner.

In a blog from 2013, Naomi Lefkovitz explained the challenges faced by the government as an early adopter of federated identity:

No matter the elegance and simplicity of federated identity as a concept, we all know that it has been much more complicated to put into practice. Some may view the federal government’s attempts as failures, but we believe that it takes an iterative process to get a complex initiative right.

Time has passed since that first blog—and we continue to get closer to completing this complex initiative. For example, we are learning about how to address the issue of liability by setting liability limits as part of the credential service provider contract. Figuring out if we have the model right will take time and require tweaking, but the result will be impactful. We also have learned that simple and scalable relying party (RP) integration continues to be a challenge; we need to make standardized tools available to RPs.

We still face many challenges, but overcoming them will make our successes even sweeter. Along the way, the program can be proud that it has already:

  1. Built a platform with innovative architectural design that preserves individuals’ privacy through collaboration with USPS, agency relying parties and technology providers;
  2. Integrated two certified credential service providers at level of assurance (LOA) 2 and 3 and three more at LOA1; and
  3. Entered soft-launch production with our first agency applications and have several additional production implementations on track by the end of the year.

As Connect.Gov continues to progress by on-boarding more agencies and enhancing its capabilities, the benefits to both the user and agencies will increase. Additionally, our team of GSA, NIST, and USPS already has an eye toward the future. We currently have a testable protocol for encrypted attributes in an effort to explore additional privacy-preserving hub architectures and have an RFI out as part of a collaborative process with industry to develop appropriate business models for federated identity services.

We have a lot to look forward to and a lot to be proud of. We are excited to see how this capability will enable stronger online transactions for users in an easy-to-use and privacy-preserving way.

To learn more about how Connect.Gov simplifies access, protects privacy, and provides choice, please click here.


A Retrospective Look: Smelling the roses in the IDESG

The Identity Ecosystem Steering Group (IDESG), now in its third year, is a key part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). It serves as a forum to build the core set of rules and standards to promote privacy, security, interoperability, and ease of use for online services. I wouldn’t say IDESG meetings are exactly like standards development meetings, but they are similar in that much of the contention and dissension makes me sure of two things:

  1. There is some good old-fashioned policymaking going on, and
  2. Something that really matters must be on the agenda.

If we hit the pause button and take a moment to reflect, it turns out there’s some really promising forest amongst all those trees. In the IDESG in 2014, we saw a Strategic Plan that sets in place a broad series of outcomes and a Framework Development Plan that more granularly describes how the work would get done. Implicit—and sometimes explicit—in those documents are a thousand decisions IDESG members must collectively make. Colin Soutar, a consultant who has supported our office the last two years and was previously chair of the IDESG security committee, likes to remind us that, “nothing raises folks’ level of attention like the whiff of a decision being made.” These decisions and deadlines are the smelling salts of policymaking and cross-organizational collaboration.

What is great about the IDESG is that it offers a public-private sector forum with broad, open membership, no cost for entry, and global availability for all plenary and committee meetings (with time zone apologies to our IDESG members overseas). With a consensus process that gives everyone multiple opportunities to present solutions and provide feedback, the IDESG is set up to address tough issues and get sometimes contentious deliverables done right. The process is not always smooth, of course. Indeed, the bumps in the road are often the hallmark of an inclusive and exhaustive process that is working toward products and programs of real consequence.

As the IDESG evolves in its third year, we are seeing work on the Identity Ecosystem Framework (IDEF) progressing deliberately and in an organized manner. The IDEF is a foundational document that presents the core requirements and standards, functional model, and means to assess and recognize conformance for the participants of the Identity Ecosystem. As noted, the IDESG issued a Framework Development Plan last year that calls for the IDESG committees to work collaboratively to implement the IDEF and a self-assessment and attestation program later this year. If you’ve been paying close attention, you’ve seen the IDESG committees set a real cadence. Key to this progress is the IDESG Framework Management Office, which was established last year to be the focal point across the IDESG for all framework development efforts. This past September the IDESG held one of its most significant meetings to date—approving its functional model, a strategic plan, and a framework development plan. At its January meeting, the IDESG continued this progress, assessing draft IDEF requirements and welcoming a new Executive Director. The wheels are turning and the IDESG is most definitely accelerating its pace.

There is no question that the rest of 2015 will be critical for the IDESG to build on its current momentum and deliver on its goals, but what exactly should this look like? For my money, the most important question is whether the IDESG can stay focused on getting two key things done right:

  1. Getting requirements approved and standards adopted. Two of the most essential components of the Identity Ecosystem Framework are requirements and standards—a fact emphasized in both the Strategic Plan and the Framework Development Plan.
  2. Establishing a self-assessment and attestation program. While not the ultimate end-state of the IDESG recognition program, it is a critical step for the IDESG.

Accomplishing these two objectives this year should jumpstart the ability of multiple organizations and online service providers to identify and adopt trusted identity solutions and improve their delivery of secure, efficient, and privacy enhancing online services.

With the Framework Management Office in full swing and ushering these processes along, a full-time executive director, dedicated communication support, and streamlining of governance and approval processes underway, the IDESG has the structures in place to continue increasing the pace of progress in accomplishing its goals. So too must our expectations. We should all continue to drive deliverables to help the IDESG in its mission to develop the IDEF. The IDESG is better positioned for success than it has ever been before and with continued effort, sharp focus, and clear prioritization, the organization is poised to demonstrate tangible and valuable progress to its members, stakeholders, and the identity market as a whole.

So what’s in store for the IDESG in the near future? I believe we will see some major products, such as the Identity Ecosystem Framework (v.1) and the Self-Assessment and Attestation Program (v.1). And if progress continues to accelerate, we might just find the IDESG coming up roses in 2015.

If you’re at RSA, attend the IDESG/NIST joint event today! April 22, 4:00pm PT, Moscone South, Room 300. Read more here.

Register to join the Identity Ecosystem Steering Group here.


To the Identity Ecosystem and Beyond: It’s the NSTICiversary!

Today we celebrate the most special of days for the NSTIC National Program Office. Four years ago at the U.S. Chamber of Commerce in Washington, D.C., we released the President’s strategy to enhance the choice, efficiency, security, and privacy of online transactions.

As you are seeing this month in our retrospective blog series—two are posted with two more coming—this community has accomplished a great deal in the last four years. It’s clear we’ve come so far…but still have much work to do.

You’ve already seen this month isn’t just about April Fools’ Day pranks for us. Over the last three weeks, we’ve announced a new funding opportunity for privacy-enhancing technologies, opened a comment period on SP 800-63-2, and released a report on our pilots program.

We’re also preparing to transition the NPO’s leadership: at the end of April, Jeremy Grant will leave the public sector and I’ll step in to replace him. Through this transition, some things will change, but much of the great work we’ve been doing with the community will continue: running a pilots program that is moving the market toward broader use of strong, federated, privacy-enhancing credentials; supporting Connect.gov, which is in operation and driving government as an early adopter of NSTIC solutions; and participating in the IDESG as it enters the homestretch to finalize requirements and release v1 of the Identity Ecosystem Framework.

As the pace of change increases in the marketplace, so must the pace of our efforts. Over the next several months, we’ll be announcing a host of initiatives to show just how the NPO plans to see the job through. Check back often for updates – we’ll continue to post about our progress throughout this leadership transition and beyond. In the meantime, happy NSTICiversary!


A Retrospective Look: NSTIC pilots catalyzing the Identity Ecosystem

Oh NSTIC pilots, the places you’ll go… ! It’s no secret that the NSTIC Pilots Program is important to the successful implementation of the NSTIC. Pilots are arguably the most visible initiatives we’ve launched in the NSTIC National Program Office (along with the Identity Ecosystem Steering Group and Connect.gov). We have made the pilots a priority because they are a key component in advancing the NSTIC vision, complementing the work of the IDESG and Connect.gov; they are laying the groundwork for a vibrant new marketplace of identity solutions by developing and deploying technology, models, and frameworks that wouldn’t otherwise exist.

As the pilots progress, their work sheds light on common challenges in catalyzing and operating in the identity marketplace. At the NSTIC National Program Office (NPO), we believe that sharing these challenges is important to help inform other stakeholders and advances in the Identity Ecosystem. Thus, the NSTIC NPO just released a publication that explores these ‘common themes’. For example, from a technical perspective, pilots expanded upon the critical role of componentization of identity functions in establishing sustainable solutions.

The pilots have also uncovered key themes around business drivers and the marketplace. As a non-technical example, the pilots determined – among many other things – that it was necessary to present their solutions in a way that spoke to revenue generation and customer retention for RPs. In addition to exploring these themes, the publication provides summaries and outcomes of the NSTIC pilots.

And while our pilots have been busy uncovering important themes and lessons learned for the Identity Ecosystem, they’ve also been making substantial progress in their own identity solutions in the past year. The pilots’ progress is notable as they have collectively enabled veterans, children, college students, and others to engage online in more trusted ways.

  • ID.me enables close to 1 million service members, veterans, teachers, first responders, and students to access discounts and benefits online from more than 200 commercial organizations (e.g., Sears, Sea World, Under Armour), government entities, and non-profit organizations without having to share sensitive documents or personally identifiable information each time they want to prove eligibility.
  • Privacy Vaults Online, Inc. (PRIVO) offers parents a single portal to learn about the privacy practices of relying parties (RPs) that use PRIVO’s solutions, then provide and revoke consent for sharing their children’s personal information with these applications and websites. More than 247,000 accounts are under management by PRIVO, thus providing a unique location for parents to assert their identities and implement their online parental rights. The solution gives parents a more granular view of, and control over, which specific attributes get shared with which RPs on a feature-by-feature basis.
  • Internet2 is developing tools and initiatives to advance privacy-enhancing technology for the Identity Ecosystem. Their work has catalyzed adoption in the research and education community; currently, over 140 universities have begun to deploy a variety of multi-factor authentication (MFA) technologies. By addressing MFA management at the enterprise level, this work has provided a vital missing piece for scaling MFA.
  • Criterion has successfully deployed a user-centric online attribute exchange network (AXN) that enables individuals to enhance their existing credentials (e.g., email, social network providers) for use in secure transactions. Criterion piloted the AXN solution at Broadridge, enabling customers to securely access mobile delivery of financial services content, bill presentment, and bill pay. Criterion then launched with a new Broadridge/Pitney Bowes joint venture, offering secure digital delivery to 140 million customers.

We are proud of our pilots’ achievements, and are excited to share more details of their work with all of you. While the report does explore important themes for all organizations operating in the identity marketplace, it also highlights the need for the NPO to maintain a strong pilots program. In the long term, the Pilots Program will shift its focus from addressing broad barriers to filling critical gaps in the Identity Ecosystem, continually evolving to help address market impediments as they emerge. The NPO’s recently released solicitation specifically focused on advancing privacy-enhancing technologies (PETs) marks a first step in this evolution. As we wrap up finalist selections for this year’s first round of NSTIC pilot funding and await applications for the second, we look forward to the great potential for progress in 2015 and beyond.

Read NSTIC Pilots: Catalyzing the Identity Ecosystem here or here.


A Retrospective Look: Advancing standards for strong identity and authentication in the Identity Ecosystem

As the NSTIC pilots develop and implement innovative identity solutions, they are confronting head-on the challenges of attempting to convince the marketplace to adopt them. We are enthusiastic about organizations that are pioneering new identity technologies, but recognize that widespread adoption of these technologies requires that they be interoperable. Standards are essential here; without them, consumers and businesses have no way to easily adopt these technologies, or judge how – if at all – to trust them.

Recently, we have been excited to see the market start to respond to this need, creating new standards that make strong identity and authentication more convenient for businesses and their users. And with this, we’ve seen the IDESG Standards Coordination Committee (SCC) start to identify where there are gaps in the current set of standards – either places where existing standards need to be revised and improved, or where brand new standards may be needed to fill gaps.

One example of the latter involves knowledge-based authentication (KBA). While KBA is widely used today, there is no performance standard for KBA solutions – something that many of the NSTIC pilots have flagged as a significant challenge. The SCC is pursuing approaches to work with industry in developing a performance standard for KBA, with the goal of allowing organizations that issue credentials – and those that accept them – to be confident that users accessing their site are who they say they are. The addition of metrics to dynamic KBA may allow organizations to make well-informed decisions that reduce the risk of unauthorized disclosure, while increasing the overall trustworthiness and efficacy of the Identity Ecosystem. Additionally, they could give a greater level of control to the organization making the risk decision.

Outside of the IDESG, the health sector is also making strides here by initiating a project to standardize the secure exchange of health information in a way that puts the individual first. Through the Open Identity Foundation’s Health Relationship Trust (HEART) project – with support from the Office of the National Coordinator (ONC) for Health IT – industry is working to ensure that patient consent and authorization to health records will no longer be a tedious, paper-based, and confusing task. HEART is targeted at health information sharing, but more broadly it represents a holistic effort to enhance the security and privacy of three standards – OAuth, OpenID Connect, and UMA.

Mobile applications have also seen substantial advancements this past year with organizations like the FIDO Alliance (Fast Identity Online) broadening the aperture on how individuals can use devices they already have to replace passwords, or support more convenient, easy-to-use multi-factor authentication. With this standardization, individuals have more choice than ever in how they authenticate, whether it is with biometrics (like fingerprints or facial recognition) or traditional hardware and software tokens (like SMS passcodes or USB keys).

While there has clearly been serious standardization progress lately, there is still great work to come. As we continue to develop these new standards, it’s important to keep in mind that privacy by design and user friendly authorization must be inherent in standards and technology.

In addition to these familiar concepts, standards need to take new technologies into consideration. For example, the emerging Internet of Things (IoT) offers exciting new possibilities, but also raises privacy and security concerns. NIST is starting to explore how standards may help to jumpstart these innovative technologies and provide frameworks to address potential risks.

NIST recognizes the advancements in standards occurring throughout the private sector. In order for the government to benefit from these advances in the marketplace, it is imperative for NIST to evolve our standards accordingly. As such, the NIST Computer Security Division has issued a “Note to Reviewers” to explore new ways to apply innovation within Special Publication (SP) 800-63, Electronic Authentication Guidelines, across all levels of assurance. While SP 800-63 is required for federal agencies only, a potential future revision could benefit consumer-facing services the government offers, including Connect.gov and the private sector identity service providers that are intrinsic to the delivery of strong authentication to the government. Public and private sector input will be imperative in shaping this important document, and the impact it could have on the Identity Ecosystem.

Solid standards are imperative to implementing the NSTIC. They help drive the adoption of strong authentication technologies by increasing the interoperability and ease of use of identity solutions. We are thrilled with the recent advancements, and are eager to see new challenges addressed through standards in 2015 and beyond.


A new look at levels of assurance

Spring is a great time for change, and here at the NSTIC NPO, we like to think we’re always ready for change. When we catch wind of a change in the world of online identity, we like to prepare early.

We also like to think we listen to our stakeholders. The message has come through clear and simple: four levels of assurance simply aren’t enough. We’ve heard you, and we’re ready for change. It’s a good thing, too, because we’ve recently heard a rumor of a possible new memorandum coming out of OMB and, because we prepared early, we know exactly what we have to do.

If the early indications are accurate, OMB’s M-15-15 will redefine the way we do online authentication. Just as its predecessor OMB M-04-04 defined the four levels of assurance, M-15-15 is responsive to the needs of government for e-authentication and creates a workable framework understandable to all. Today we’re responding to the call for M-15-15 and its 15 levels of assurance. Without further ado, we think our multi-stakeholder approach to establishing these levels has really hit the mark:

Level 1: The stranger

Level 2: Meh

Level 3: Not if you were the last credential on earth

Level 4: Dude. Dude. DUDE.

Level 5: I’m never gonna let you in

Level 6: Reasonable confidence subject is not wearing a cape

Level 7: A bear? Oh don’t apologize, I get it all the time

Level 8: 4realz?

Level 9: I hope you are I hope you are I hope you are

Level 10: I think therefore you are

Level 11: I am what I am and that’s all that I am

Level 12: I think you are I think you are I think you are

Level 13: Identity matrix

Level 14: Abso-freakin-lutely

Level 15: Totes McGoats

Industry response to this effort has been fantastic and we thank our partners for their efforts. World-renowned identity guru Ian Glazer says, “Sure, sometimes you need to know whether someone is a fictional character or an actual carbon-based entity, but it’s just not important whether it’s Darth Vader or Little Bo Peep. That’s why we needed level 6, and that’s exactly what we got. Way to go, NIST.”

Kim Sutherland, plenary chair of the IDESG, was more concerned about higher levels of assurance. “The old approach just didn’t have the quantitative depth that we needed for our work. With the new level 13, we can finally conduct the matrix multiplication necessary to properly authenticate in today’s complex risk environment. I can’t thank NIST enough.”

Just doin’ our jobs, ma’am.

Follow the NSTIC NPO on Twitter for the latest updates.


As NSTIC Turns 4…

Next month, the National Strategy for Trusted Identities in Cyberspace will celebrate its fourth “NSTICiversary” – marking four years since President Obama called for industry, advocates, agencies, academics, and individuals to collaborate to make online transactions more secure for businesses and consumers alike.

Over the past four years, we’ve been privileged to work with thousands of stakeholders to jumpstart an Identity Ecosystem where all Americans can choose from a variety of interoperable tools that they can use for more secure, convenient, privacy-enhancing experiences online.

With this anniversary, I’ll be leaving my role as head of the NSTIC National Program Office (NPO), off to find the next great adventure. I’m thrilled that Mike Garcia, the NPO’s Deputy Director, will be stepping into my role, and I’m excited to see what he and the rest of the NSTIC team accomplish in the next phase of this important program.

As I prepare to leave, I’ve been asked by a lot of colleagues “where do you think we are with NSTIC?”

My answer has been that the country is in a great spot. At its core, NSTIC called for the marketplace to lead in advancing the Identity Ecosystem, and the marketplace has responded.

  • Today, many of the firms we all do business with online are offering new, standards-based two-factor authentication solutions, enabled by new specifications like OpenID Connect and the Fast Identity Online (FIDO) Alliance’s Universal Two-Factor (U2F) and Universal Authentication Framework (UAF) specifications – enabling consumers to have more secure, easy-to-use alternatives to passwords to protect themselves online.
  • 15 NSTIC pilots have helped to catalyze the identity marketplace, impacting students, senior citizens, veterans, and consumers of all types. The pilots are collectively laying the groundwork for a vibrant new market; they are developing and deploying solutions, models, and frameworks for online identity that didn’t previously exist. And, they are informing the development of the Identity Ecosystem Framework being developed by the Identity Ecosystem Steering Group (IDESG).
  • Connect.gov is launching with several agencies, ensuring that a veteran who wants to not only get access to digital services at the VA – but also access digital government applications at the State Department, GSA, and NIST – can use the same strong credential interoperably across all of those sites, without having to create a new account at each. Moreover, that credential, in most cases, won’t even be issued by the government – because connect.gov is built to allow people to use a credential they already have, rather than get something new. Because of President Obama’s Executive Order this past October, other major US agencies will also soon be integrating their digital applications with connect.gov, enabling a wide new range of secure, privacy-enhancing services for citizens.
  • The IDESG is now an independent, non-profit corporation, and is making great progress toward delivering version one of an Identity Ecosystem Framework later this year. This Framework will deliver a baseline set of standards and policies that enables individuals and organizations to start using a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet.

To be clear, none of these efforts takes place in a vacuum. Rather, they each are integral pieces to solving the complex online identity puzzle. And because of the progress on each, four years into the effort, we are well on pace to meet the interim benchmarks that were laid out in the Strategy itself. In honor of NSTIC’s fourth anniversary, we will be publishing a series of blogs on standards, our pilots, Connect.gov, and the IDESG—and will be looking at the progress that has been made, as well as laying out the work still to be done. And to be clear, there is still a lot to do, and many ways for people to still get involved. But the progress that this effort has made these last few years is notable. At a time when concerns about security and privacy continue to keep the Internet from reaching its full potential, the philosophy underpinning the NSTIC is more vital than ever.

As President Obama noted when he signed the Strategy:

“The simple fact is, we cannot know what companies have not been launched, what products or services have not been developed, or what innovations are held back by the inadequacy of tools, like secure passwords, long ago overwhelmed by the fantastic and unpredictable growth of the Internet.

What we do know is this: by making online transactions more trustworthy and enhancing consumers’ privacy, we will prevent costly crime; we will give businesses and consumers new confidence; and we will foster growth and innovation, online and across our economy – in some ways we can predict, and in other ways we can scarcely imagine.”
