Announcing Draft Special Publication 800-63-3: Digital Authentication Guideline!

Today, we’re releasing the public preview of draft Special Publication 800-63-3, Digital Authentication Guideline. We’re excited to share the updates we’ve made—along with the new process that enables our stakeholders to contribute to the document in a more dynamic way.

 

First things first

 There are too many changes to list in a blog, but let’s highlight a few of the biggest:

  • We broke down level of assurance into its independent parts (identity proofing, authenticators, and federated assertions) and provide three assurance levels each for identity proofing and authenticators. We provide guidance to keep this compatible with OMB 04-04 and the four existing levels of assurance while OMB revises existing identity policy.
  • There are now multiple volumes consisting mostly of normative language. By cutting down on the informative language, each volume is now a one-stop shop for mandatory requirements and recommended approaches.
  • Identity proofing got a major overhaul, for which we owe many thanks to our UK and Canadian peers. Plus, the draft guidance supports in-person proofing over a virtual channel—though under a strict set of requirements.
  • We’ve clarified that knowledge-based verification (née authentication) is limited to specific portions of the identity proofing process and never sufficient on its own. Emailing a one-time password (OTP) is gone too—and we’ve deprecated SMS OTP, so it’s in there but we expect to remove it in a future revision.
  • We address the security required for centralized biometric matching.
  • We have terminology updates to clarify language across the identity space. For example, remember ‘token’? It’s ‘authenticator’ now, since ‘token’ has plenty of other definitions and uses in the real world. It just didn’t make sense to stick with it.

Last, but not least, we’re modernizing our feedback process to allow greater, more dynamic participation in the development of this document. We’re releasing it on GitHub, a public-facing, simple-to-use interface, and we’ll solicit comments via GitHub, respond to them, and make edits continually over multiple document iterations this summer.

Once these summer iterations come to a close, we’ll hold a more traditional 30- or 60-day public comment period with comment matrices and email, as an additional option to using GitHub. But for the current public preview, GitHub is the place to be!

What we’re looking for from you

Now is your chance to let us know: Did we miss anything? Have we gotten ahead of what is available in the market? Have we made appropriate room for innovations on the horizon?

In this public preview, we’re focused on getting the technical content right. So you’ll probably find an uncrossed ‘t’ and dot-less ‘i’ here and there. We ask that you focus your suggestions in this phase on the substantive (think technical and procedural requirements). Unless they impact the meaning of the statement, we’ll get to minor grammatical issues in due time—but we’ll gladly accept them if you can’t contain your inner grammarian.

GitHub uses markdown for editing, so the document may look a shade different from what you’d typically expect. But don’t let that put you off. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a simple form. There, you can summarize your suggested changes and submit them for further discussion in a forum-style format. You and your fellow reviewers can then consider the changes, discuss them, and suggest new ones as the conversation develops. More instructions are available online. And while we want this process to be interactive, we prefer suggested changes over forum chatter.

How we’ll review your comments

Our 800-63-3 team will review and update the draft document by looking over each issue. After careful review, we can incorporate changes directly into the draft and close the issue. The process will be fluid; comment periods will lead to new updates, which in turn will generate new opportunities for public collaboration and more updates. Our team will regularly update the document, so you can see changes as they occur over time. And after these cycles, we’ll end up with a completed version this winter built on community participation.

Now, please, go forth and contribute! We look forward to engaging with the community in this new process for 800-63-3 and developing effective, updated guidance.

Twitter: @NSTICnpo

What’s GitHub?

GitHub is an open source collaboration and development tool that will allow us to share the document and track your comments and suggestions. You can learn more about GitHub and how to sign up for an account here: https://github.com/


WHOA-OH! WE’RE HALFWAY THERE! Happy NSTICiversary!

It’s a little hard to believe, but today marks the 5th anniversary of the NSTIC, the strategy for achieving trusted digital identities in a private sector-led identity ecosystem. Let’s take a glimpse back in time to where we were five years ago:

It’s 2011. Most (79%) American adults use the Internet. The average user needs 10 different passwords for their daily online activity, according to a UK study, and 3 out of 4 Americans don’t use sufficiently strong passwords for their most sensitive accounts. It’s also a year of unprecedented data breaches. In fact, “2011 boasts the second-highest data loss since [Verizon] started keeping track in 2004,” with 855 incidents and 174 million compromised records. Some companies are getting more aggressive in pursuing better security; 2011 is the year Google released two-factor authentication (2FA). While companies are beginning to adopt more secure solutions, they’re still uncommon, even in services with the most sensitive data: in 2011, only 35% of non-Federal short-term care hospitals have the capability for 2FA.


2011 is also the year the U.S. government released an ambitious strategy to improve digital identity and online interactions and achieve the NSTIC vision that individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

Since then, the market has evolved and matured – and we are much closer to the Identity Ecosystem. Here at NIST, we’re focused on advancing standards, technology, and measurement science to drive commercial and government adoption of trusted digital identity solutions—and to do so, we’re executing on four primary tactics: partnerships, publications, market intelligence, and communications.

I’ll be perfectly clear: we have a lot of work left to do. But as we continue our drive to ubiquitous use of quality digital identity solutions, we oughtn’t overlook the extraordinary progress this community has made. As the market has changed so has the work of NIST and its partners. Here’s a look at just how far we’ve come…

Development of standards is increasing the interoperability of identity solutions. The last five years have brought great progress harnessing collective experience in the community to develop identity-focused security and privacy standards, protocols, and profiles that can be utilized across sectors.

On January 12-13, 2016, the Applying Measurement Science in the Identity Ecosystem workshop, hosted by NIST, brought together 224 public and private sector stakeholders to discuss the feasibility of and approaches to measure and compare attribute metadata and confidence scoring, strength of authentication, and strength of identity proofing.

 

Government adoption is increasing. Since 2011, the government has shown dedication to enhanced security and privacy through marked progress in government-wide practices.

In 2013, with funding from the Office of Management and Budget’s Partnership Fund for Program Integrity, NIST awarded two state-focused pilots, which have enabled over 800,000 Michigan citizens to prove their identity online to digitally access state benefits and services, and Pennsylvania citizens to electronically submit claims to the Pennsylvania Human Resources Commission. 


Commercial adoption of trusted identity solutions is increasing. The NSTIC calls for the private sector to “lead the development and implementation of this Identity Ecosystem,” and organizations have stepped up, improving how they do identity.

  • In the last five years, many companies have enabled versions of MFA (sometimes 2FA or 2-step verification) for users: Google and Facebook did so in 2011; Apple, Twitter, and LinkedIn first offered the feature in 2013; Slack, Snapchat, and Amazon followed suit in 2015; and Instagram began rolling out 2FA in early 2016.
  • Since 2012, we’ve funded 18 pilots to facilitate the adoption of innovative, NSTIC-aligned identity solutions. The pilots have impacted over 3.8 million individuals, with advances occurring across 11 sectors.

Under Armour’s military and first responder market segment saw 30% revenue growth in its first year relying on NSTIC pilot ID.me for identity attribute verification and credentialing.


Individual adoption is increasing as well. The success of the Identity Ecosystem, according to the NSTIC, “depends, in large part, on encouraging individuals and organizations to adopt it,” because “the greater the number of participants in the Identity Ecosystem, the greater the value that each will obtain from participation.”

The Cybersecurity National Action Plan calls for an awareness campaign that focuses on broad adoption of MFA. The National Cyber Security Alliance will build off the Stop.Think.Connect. campaign and efforts stemming from the NSTIC, partnering with technology companies and civil society to promote this effort and make it easier for millions of users to secure their accounts online.

 

So what does all of this mean for the development of the Identity Ecosystem? I expect adoption of these solutions to follow the same S-shaped diffusion as most technologies—and we are, in my estimation, past the critical first inflection point. We have solutions, some early adopters, and promising indications for the future. It’s time to continue innovating and to scale.

We—the broad digital identity community—have made great strides over the last five years, and we’re expecting many more achievements as we finish the job. So much so, in fact, that NIST thinks each of these deserves an in-depth look, and we’re doing so through two new documents.

In May, we’ll release a two-part series of NISTIRs exploring the strategic landscape of digital identities. The first document will take a deep dive on market progress in the last five years, while the second will be an implementation roadmap for the second half of our 10-year goal of achieving the sustained, continually-evolving Identity Ecosystem.

We look forward to continued development and adoption of trusted digital identity solutions and growing our partnership on the second half of this journey. Happy adopting – and a happy NSTICiversary to all!

Twitter: @NSTICnpo


A previously unknown vulnerability.

This has gone on long enough. In 2004, Bill Gates predicted the demise of the password: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

The first known computer password heist occurred 54 years ago and the situation is arguably worse than it was in 1962. The 2015 Verizon Data Breach Report estimated 700 million compromised records in 2014 with a $400 million estimated financial impact. According to Verizon’s Data Breach Digest, 80% of breaches involve exploitation of stolen, weak, default, or easily guessable passwords.

For so many years we’ve talked about why passwords are insecure, unusable, and otherwise just plain bad. Today, we’re taking the next step forward at NIST. It’s time to make a stand against passwords.

The National Vulnerabilities Database is the U.S. government repository of standards-based vulnerability management data. It contains over 75,000 vulnerabilities. Today it contains one more.

Earning the maximum base score of 10.0 and an impact score of ∞, we’ve added the password to the NVD. The Common Vulnerability System Score metrics are unusually severe, with high impacts to each of confidentiality, integrity, and availability. “The analytics proved this one particularly nasty,” said Paul Grassi of the NSTIC NPO. “It’s rare to see a vulnerability that’s permeated so many systems. It’s like wildfire.”

We’ve canvassed the community and have gotten mostly positive feedback.

“The people who ask you for your password are often those least qualified to manage it,” remarked known rabble-rouser John Bradley from Ping Identity. “Passwords have long been passé. Let’s just say NIST is fashionably late to the party.”

Some in industry thought this a foregone conclusion, such as Stu Vaeth from SecureKey: “Well, I suppose this is more like a 19,000-day than a zero-day, but it’s comforting that NIST finally finished the paperwork.”

Others weren’t so sure about the move. Peter Alterman, COO of SAFE-BioPharma and noted ham radio operator, took a predictably contrarian position by declaring that “passwords work fine. It’s people that are struggling to keep up with the pace of the Internet. Totally obsolete.”

We’ll get right on that one.


New pilot opportunity: health records + federated identity = a better online experience

Say you’ve just had a procedure done at a hospital. This means new electronic medical records – but it likely also means a new account and yet another password to remember. When your healthcare team includes primary care physicians, dentists, allergists, and more, the number of accounts you have to remember can really add up.

The same goes for providers – especially the doctors, nurses, technicians, and therapists who work in multiple healthcare settings. A cardiologist might see a patient on a regular basis in their office, then in a critical situation in the hospital, then again in follow-up office visits. Going back and forth with different credentials to check information can take valuable time and attention away from patient care. What if patients and providers could instead access medical records with one trusted credential?

Today I’m thrilled to introduce our second solicitation for pilot funding of 2016, which focuses on streamlining the way that patients and providers access health information from different organizations online. We’re looking for a project that will pilot solutions to access health information that are privacy-enhancing, secure and resilient, interoperable, and cost-effective and easy-to-use.

For this funding opportunity, we’re looking to solve this problem through deployment of federated identity credentials in healthcare. Using the same credential across multiple healthcare providers can make life easier for users by simplifying and speeding up sign-in processes. For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy.

We’re looking for projects that:

  • Pilot a federated credential solution in which at least two hospitals or regional healthcare systems accept a federated, verified identity that leverages multi-factor authentication and an effective identity proofing process.
  • Enable online access to at least two organizationally separate healthcare organizations.
  • Demonstrate that the federated credential solution aligns with the Identity Ecosystem Framework Requirements.
  • Allow for interoperability with other identity federations in the healthcare sector and, where possible, other sectors.
  • Include collecting metrics and other information about the implementation of the federated credential solution that can contribute to a best practices guidance document.

We are also excited to announce that we’ll be collaborating with the Office of the National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services (ONC), which will participate in the review of applications and provide technical support regarding implementation and operation of the pilot. As Rose-Marie Nsahlai, lead IT security specialist at ONC, said, “We are pleased to collaborate with NIST on this important federated identity pilot project. Reducing the number of siloed identity solutions using federated credentials aligns with the calls to action in ONC’s Shared Nationwide Interoperability Roadmap. The ease of use and convenience provided by a federated identity solution will help to accelerate clinician adoption of new digital health solutions. We look forward to seeing new ideas and solutions unfold and increased adoption of quality identity solutions in healthcare.”

For this pilot solicitation, NIST anticipates funding one award in the range of $750,000 to $1,000,000 for eighteen months. To be eligible, all applicants must meet all of the following requirements:

  • Applicants must be hospitals or healthcare systems consisting of multiple hospitals, ambulatory sites, clinics or similar healthcare facilities.
  • Applicants may be for-profit, not-for-profit or governmental (other than Federal government) entities located in the United States or its territories.
  • Applicants must partner with at least one other healthcare organization in their locality or region. The partner organization should have anticipated overlap with the applicant organization of patients, physicians, and other clinical staff, such as a physician practice group(s), clinic(s) and hospital(s).
  • The partner organization must be organizationally independent of the applicant and maintain a separate health information system from the applicant.

We don’t intend this to be a standalone pilot project. The project partners must provide data on how they implemented the solution and how it performed, ultimately contributing to a jointly published document that can serve as a guide for other healthcare systems.

We look forward to reviewing applications for this new pilot that strive to improve critical processes for patients and healthcare providers!

The deadline to apply is: Wednesday, June 1, 2016, by 11:59 p.m. Eastern Time

@NSTICnpo on Twitter


New publication: January workshop next steps

I’ve said it before and I’ll say it again: NIST’s efforts in defining measurement science and metrics in digital identity management must be aligned with the goals of the community. Today I’m pleased to announce the draft release of NISTIR 8103: Advanced Identity Workshop on Applying Measurement Science in the Identity Ecosystem: Summary and Next Steps. This document summarizes two days of discussion from the over 220 participants at NIST’s workshop last month in Gaithersburg, Maryland, and provides a brief glance at how we intend to move forward with these important topics.

We welcome community feedback on this draft document and how you feel about our processes for completing this work. A public comment period is open now until March 31, 2016. Comments may be sent to NSTICworkshop@nist.gov. Please let us know if we missed anything or erred – and we always welcome any additional feedback on the workshop itself.

So, what should you expect from us? In the coming months, NIST will focus on determining the type of material to be developed that will most effectively forward these efforts, establishing new processes to foster greater collaboration and frequent community interaction in the development of NIST documents, and determining the best fora for advancing these efforts. More concretely, we will:

  • publicly post “project charters” outlining methods for each topic area
  • transition the attribute metadata and confidence whitepaper and the strength of authentication whitepaper to NISTIRs
  • commence a series of iterative public comment and development periods utilizing GitHub public repositories upon completion of the initial draft of the attribute metadata NISTIR, and
  • solicit stakeholder feedback to determine the scope and path for measuring the strength of identity proofing

My sincerest thank you to those who have contributed to this process and remain on board for the developments ahead. We’ll be in touch as we continue to make progress and move forward!

Read: NISTIR 8103

Twitter: @NSTICnpo


Celebrating Data Privacy Day and everything it stands for!

Happy Data Privacy Day! According to a recent survey of young Americans by Harvard’s Institute of Politics, 65% of respondents said they were “very concerned” about technology companies collecting digital information from their phone or computer. While it’s only January, that level of concern suggests privacy will continue to have a place in the national conversation throughout 2016.

The first of the NSTIC Guiding Principles is that solutions will be privacy-enhancing and voluntary, and today we would like to take the opportunity to talk about some of the things we are doing to help organizations be better stewards of individuals’ data. The reality is that when it comes to building infrastructure like the Identity Ecosystem, there are only so many things individuals can do when the infrastructure itself creates privacy risks. Thus, the organizations that are a part of the Identity Ecosystem also need to take steps to identify and address privacy risks in the systems they build.

One of the ways NIST is working to promote a privacy-enhancing identity ecosystem is by funding new, innovative solutions in the identity space. In working with pilots over the past several years, we have learned about a few key challenges in online identity. Although our pilots and the broader marketplace have made great progress toward the NSTIC vision, there’s still much room for improvement in privacy. Take our Galois pilot, for example. They are working to develop a personal data store that will enable a user to be in control of what data they are sharing and with whom—enabling consented online transactions with the user’s information squarely in their own control.

In the National Cybersecurity Center of Excellence, we’re working on a building block to develop privacy-enhancing identity federation solutions. The goal of this effort is to develop a solution, using commercially available products, that protects individual transactions and personal data from being exposed to participants in the federation. Once complete, we will release a cybersecurity practice guide that details the integration steps we completed so that other organizations can learn from our efforts, or even better, repeat our integration with limited complexity.

Beyond technical research, we are continuing to support the work of the Identity Ecosystem Steering Group, who released last year their first version of the Identity Ecosystem Framework (IDEF). The IDEF’s privacy requirements provide a baseline for describing the organizational and engineering practices of organizations who take individuals’ privacy seriously. Through this work and with the help of other organizations working in this space, we hope to support the development of standards for the technical underpinnings of what individuals can expect from privacy protections online.

It’s just a matter of time: as technology continues to evolve and as people demand better privacy protections, new technological advances will emerge—and organizations will find innovative ways to deliver services with improved management of privacy risk. We see the great things that are possible and we continue – through research, pilots, and partnerships – to set our expectations high. We are celebrating Data Privacy Day today—but we aspire to an identity ecosystem that is truly privacy-enhancing all 365 days a year.

Twitter: @NSTICnpo


Stepping stones: working to establish a solid foundation for measurement science in the Identity Ecosystem

The crowd for the event’s first panel. Photo by James Bryce Clark

Mike Garcia closed out the first workshop of NIST’s new Applied Cybersecurity Division with the same energy, passion, and commitment to action that we saw from all attendees over the course of the two-day event: “There is an Identity Ecosystem. We have attributes and we use them. We proof identities. We authenticate…but we know that’s not the whole story. Each of us knows we could do better and that digital identity matters to us, as a society and in our economy.”

The “Applying Measurement Science in the Identity Ecosystem” workshop was a huge success from NIST’s perspective; post-conference chatter leads me to believe that attendees felt the same way. These two days further validated my excitement coming to work every day: we were humbled by the 220 familiar faces and new friends that showed a desire to build on the community’s progress in digital identity, along with the diversity of opinions and expertise to do just that. Between informative expert panels and intensive breakout sessions, attendees delved into measurement science in the Identity Ecosystem – brainstorming and evaluating approaches, barriers, implementation considerations, and more.

So, what’s next?

In a few weeks, we’ll be releasing a proceedings document summarizing what we heard at the event to share the discussions more broadly—and to make sure we synthesized your input accurately—so that our follow-on efforts are aligned with the goals and interests of this community. From there, we’ll be working with you to determine the next steps to advance measurement science in the Identity Ecosystem. This will all be an iterative process and we won’t do anything hastily; getting this right is our priority. One message that was loud and clear at the workshop: there is more to explore in this area. So please keep an eye out for blog posts, tweets, and emails with ways to get involved in the next steps.

In the meantime, we welcome comments, feedback, and guidance on both the content and our process; if you have additional contributions to these efforts, please send them to NSTICworkshop@nist.gov.

While this workshop was an important step, this work is just beginning; we look forward to continuing with you on this journey. Thank you to all of the attendees and panelists—as well as the facilitators and diligent note takers and detailed event planners—for making this event a great success. I’m proud to be part of this committed team at NIST who created and executed this event and the amazing community that contributed to it.

Twitter: @NSTICnpo


BREAKING NEWS: 2016 state and local government pilot opportunity just announced

A recent McKinsey report found that the critical drivers of customer satisfaction with state government services are: fast, simple, and efficient processes; the availability of online options for completing interactions; and the transparency of information. Secure and convenient digital access to online state services can make a genuine difference to beneficiaries—that’s why these providers need to both deliver solutions and protect against fraud—while safeguarding personal information from malicious actors.

We know simultaneously achieving these goals is no simple matter. Make a service too hard to access and it fails to serve its customers; make it too easy and it fails to protect them from fraudulent access. To combat the many security incidents affecting individuals, President Obama released Executive Order 13681, which in Section 3 called for multi-factor authentication (MFA) and effective identity-proofing processes in digital services that involve personal data. While that applies to federal applications, we believe a healthy ecosystem demands meeting these goals at all levels of government and in the private sector.

We’ve already seen that NSTIC-aligned solutions can make a difference at the state level through the work of pilots in the Commonwealth of Pennsylvania and the Michigan Department of Human Services. According to a preliminary analysis conducted for our office by RTI International, the improvements to identity and authentication under the NSTIC pilot resulted in an estimated 8% reduction in Michigan’s Food Assistance Program backlog. The impact is roughly consistent with a one-day reduction in the time that an applicant may expect to wait for their application to be processed—a potentially very important day for an individual waiting for benefits.

The promise of more impacts of this kind motivated our first solicitation for 2016 funding. We’re addressing the need for effective identity-proofing and authentication to make meaningful impacts on state and local government services. We’re looking for eligible applicants—to include U.S. state, tribal, and local governments, institutions of higher education, and commercial entities working with those government entities—to pilot online identity solutions that embrace the Identity Ecosystem Steering Group’s Identity Ecosystem Framework. Specifically, identity solutions must:

  • Enable online access to one or more state, local or tribal government service(s).
  • Provide for a federated, verified identity that enables MFA and an effective identity proofing process meeting the risk needs of the service(s).
  • Align with the Identity Ecosystem Framework Requirements.
  • Allow for interoperability with other federations in use in the public and private sectors.

We’re looking for projects that will deploy pilots to test or demonstrate new solutions that are not widely adopted in the marketplace today. Keep in mind that for this pilot, services that are currently online and enabled are welcome to apply, as are services that are not currently enabled online. NIST anticipates funding up to four awards; each award will be in the range of approximately $1,000,000 to $1,250,000 per year for up to three years—and all applicants must meet one of the following conditions to be eligible:

  • State, local, or Indian tribal governments located in the U.S. and its territories, or
  • Commercial or nonprofit organizations or institutions of higher education located in the U.S. that have at least two state, local, or tribal government agencies representing two different governmental jurisdictions participating in the pilot through enabling online access to one or more state, local, or tribal government service(s).

We look forward to a new round of ambitious projects—and we’ll keep you informed about other opportunities in the future!

Helpful information:

The deadline to apply is: Thursday, February 18, 2016 by 11:59 p.m. Eastern Time

@NSTICnpo on Twitter


Register now: Applying measurement science in the Identity Ecosystem workshop

Registration is now officially open for the ‘Advanced Identity Workshop: Applying Measurement Science in the Identity Ecosystem’ coming up on January 12-13, 2016, at the NIST campus in Gaithersburg, Maryland.

This two-day advanced identity workshop will bring together a diverse community of technology vendors, cybersecurity researchers, policy makers, and other experts from the public and commercial sectors to tackle three tough issues in developing measurement science in identity and access management: strength of identity proofing, both remote and in-person; strength of authentication with a focus on biometrics; and attribute confidence to assist in effective decision-making.

This is not a workshop for solely listening and learning. To make meaningful progress toward measuring the performance of solutions, we need participants to contribute their expertise.

  • For identity proofing and authentication: What approaches have worked in your organization? What data would your organization look at to quantitatively assess strength in a consistent and repeatable way? What would a provider have to communicate to your organization for you to trust their solution? How is comparability assessed among disparate technologies and processes?
  • For attribute confidence: What attribute metadata really matters to your organization’s decision-making? What implementation options should be evaluated to reduce the impact on entities that assert or consume attributes?

“One of the ultimate goals of the NSTIC is to achieve an environment in which we are able to deliver solutions at least as fast as our adversaries can break them,” said Mike Garcia, acting director of the NPO. “This workshop is a critical step in advancing how government—and we hope the market writ large—measures and compares authentication and authorization solutions based on how they perform, enabling more informed risk-based decisions. Getting this right matters and we couldn’t be more excited to launch this effort.”

This technical workshop will include a mix of moderated panels and facilitated working sessions that will determine meaningful and actionable next steps that NIST and its partners will undertake in establishing measurement science in identity management. In the coming weeks we will release three whitepapers—one for each area of focus at the workshop—on our website. We encourage attendees to read them and arrive with their ideas to move our community forward.

Confirmed speakers and panelists at this time include: Darran Rolls (SailPoint), Gerry Gebel (Axiomatics), Leif Johannson (SUNET/Kantara), Vance Bjorn (Digital Persona/Cross Match), Stephanie Schuckers (Clarkson/FIDO Alliance), Cathy Tilton (CSC), David Kelts (MorphoTrust USA), Dario Berini (NextgenID), Kim Little (LexisNexis), Brett McDowell (FIDO Alliance), Ian Glazer (SalesForce), and LaChelle LeVan (GSA).

Register
Agenda
@NSTICnpo on Twitter
