Coffee Chat with Michael Kaiser, Executive Director, National Cyber Security Alliance

To get to the core of multi-factor authentication (MFA) and why it’s such an important security feature, we caught up with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser graciously sat down with us for our inaugural coffee chat – a new series on the NSTIC Notes Blog. In this series, we’ll hear from various leaders in the identity community as they share unique perspectives—in their own words—on essential identity topics. See our questions and his answers, below.*

About our expert

Michael Kaiser is the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser joined the NCSA in 2008. As NCSA’s chief executive, Mr. Kaiser engages diverse constituencies—business, government and other nonprofit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet. Mr. Kaiser leads NCSA in several major awareness initiatives, including National Cyber Security Awareness Month (October), Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT., the global online safety awareness and education campaign. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities. In 2009, Mr. Kaiser was named one of SC Magazine’s information security luminaries.


What is MFA, and why is it important?

MFA is, most simply, a way of providing additional security by using another factor in addition to your username and password to log in to an account. Multi-factor – sometimes referred to as two-step or two-factor – authentication or verification can be any number of things: a biometric (such as a fingerprint, eye scan or gesture), a text message with a one-time code sent to your phone, a token that generates a one-time-use password or just your phone itself, because your phone has a unique ID.

MFA is an extremely important emerging way to increase account security. The new forms of authentication are critical to building a safer, more secure and trusted Internet. Logging in with a username and password, the primary way people access online accounts, has been around since the dawn of the Internet. It was never meant to be a primary form of security but has become the key to entry. It doesn’t work for a variety of reasons. In most cases, your username is your email address, which is likely not a secret, and we know a couple of things about passwords. First, they can be stolen whether from hacking into a website or system or using a service that captures consumers’ keystrokes. Second, good password practices require passwords that are long, strong, and unique for all accounts. Time and time again consumers have shown that they choose not to make strong passwords because they are inconvenient and hard to remember. For several years running the most used passwords have included “password” and “1234567.” The bad guys know this, making passwords easy to harvest or guess. MFA adds another layer to the login process that provides significantly more security to your accounts.

What would you say to people who say MFA is too time consuming or inconvenient? Do the benefits outweigh the extra cost?

The benefit of the increased security vastly outweighs the additional effort to implement it. For example, requiring a second factor like a text message to your phone makes it very hard for the bad guys to break into your account unless they have your phone in their possession, and that’s what makes it so much more secure. The time it takes to turn on and use MFA is not significant, and there are ways to make it easier to manage. For example, some of the email applications that use a text message code don’t require you to add the factor every single time; you can set MFA to remember your device, so that you are only prompted to enter a code when logging in from a different device or location or once every 30 days. As time goes on, and the technology improves, it will get easier and more convenient to use this kind of security technology, because it will work more seamlessly with the devices and websites that people are using and/or you’ll be able to use similar techniques across many, many sites and services.

The National Cyber Security Alliance (NCSA) has a few campaigns related to MFA – what are they?

Our primary campaign on this is called Two Steps Ahead, and it really reflects on what we feel – there’s a play on words about using two-step or MFA, but we also believe in a very positive sense that people who implement these technologies to be more secure are actually getting ahead. If a criminal comes across one account that has a username and password only and another account that has a username, a password and MFA, the criminal will be more likely to go after the former because it’s less work for them. The Two Steps Ahead campaign has held events in more than 20 places across the country over the last couple of years, and we’ll be in 15 to 20 cities in 2016. These events are designed to teach people about MFA and how to enable it and share insight on staying safe and secure online.

Additionally, in 2015 we started a social media campaign called #2FactorTuesday, which falls on the first Tuesday of each month. Each #2FactorTuesday, we work with private- and public-sector partners to share events, resources and content related to authentication, aiming to increase the adoption of MFA as a means to protect online accounts.

What are some ways that the average person can incorporate MFA into his or her online routine?

The starting place for anybody is to turn on MFA for your email account. Almost all of the major email providers offer some form of MFA or two-factor authentication service. The reason that consumers should start here is that for any account that uses a username and password, the password reset process normally starts with an email sent to your email address to verify your account. Therefore, if your email account gets hacked because of weak security, you could basically be providing access to all of your other accounts that have password reset as the way to gain reentry.

Additionally, people are concerned about protecting their money, so it’s recommended that you look into the MFA options that your financial institutions may offer or how they may provide enhanced login security.

You can learn more about how to implement MFA on your online accounts by visiting https://stopthinkconnect.org/2stepsahead. On this page, we provide links to many of the services on the web that already offer MFA or two-step authentication tools for clients and how to enable these features.

* The views expressed in this post do not necessarily reflect the views of NIST or the NSTIC NPO; they are solely the opinions of the experts interviewed.

Twitter: @NSTICnpo


Back to Basics: What’s multi-factor authentication – and why should I care?

Here’s the traditional, not so secure way to log in to your bank account: enter your username and that familiar password you probably use for most of your online accounts. Then, you’re in. You can go about your business.

Not so fast! If you’re one of the 54% of consumers who, according to TeleSign, use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows hackers to take down multiple accounts just by cracking one password. The good news? There’s an easy way to better protect your accounts (which contain a lot of personal information) with multi-factor authentication (MFA).

What is MFA?

MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

  • swiped your bank card at the ATM and then entered your PIN (personal ID number).
  • logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

So look at a simple scenario: logging in to your bank account. If you’ve turned on MFA or your bank turned it on for you, things will go a little differently. First and most typically, you’ll type in your username and password. Then, as a second factor, you’ll use an authenticator app, which will generate a one-time code that you enter on the next screen. Then you’re logged in – that’s it!


In most cases it’s even easier than that. Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor. Between device recognition and analytics the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.
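As an added example (not code from the original post, NCSA or NIST), here is the login flow the two sections above describe in working form: the three evidence categories, a password followed by an authenticator-app code generated per RFC 6238, and a remembered device that stands in for the second factor for 30 days. The account name, the device-trust token format and the replay check are assumptions of the example; the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30                             # seconds per one-time code (RFC 6238 default)
TOTP_DIGITS = 6
REMEMBER_DEVICE_SECONDS = 30 * 24 * 3600   # "once every 30 days", as in the interview

# The three evidence categories from the post. Two factors count as MFA only when
# they come from different categories; password + PIN is still single-factor.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "totp": "have", "smart_card": "have",
    "fingerprint": "are",
}


def is_multi_factor(factors):
    """True only if the presented factors span at least two distinct categories."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: the code an authenticator app shows during the 30-second step containing `at`."""
    return hotp(secret, at // TOTP_STEP)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1):
    """Return the matching time step, or None. One step either side tolerates clock skew."""
    step = at // TOTP_STEP
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


class Account:
    """Hypothetical server-side account record (assumption of this example)."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret      # shared with the authenticator app at enrolment
        self.trusted_devices = {}           # device token -> trust expiry (epoch seconds)
        self.used_steps = set()             # time steps whose code was already accepted

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


def login(account, password, now, device_token=None, code=None):
    """Password first, then either a remembered device or a fresh TOTP code.

    Returns (outcome, device_token). `now` is epoch seconds, passed in for testability.
    """
    if not account.check_password(password):
        return "denied", None
    # Remembered device: an unexpired trust token replaces the second factor, so the
    # user is only prompted again from a new device or after 30 days.
    if device_token is not None and account.trusted_devices.get(device_token, 0) > now:
        return "ok_remembered", device_token
    if code is None:
        return "second_factor_required", None
    step = verify_totp(account.totp_secret, code, now)
    if step is None or step in account.used_steps:
        return "denied", None           # wrong code, or replay of a code already accepted
    account.used_steps.add(step)        # a one-time code must be one-time
    token = secrets.token_urlsafe(32)   # constructed trust token handed back to the device
    account.trusted_devices[token] = now + REMEMBER_DEVICE_SECONDS
    return "ok", token
```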

So what’s the big deal?

MFA helps protect you by adding an additional layer of security, making it harder for bad guys to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone. You would definitely notice if your phone went missing, so you’d report it before a thief could use it to log in. Plus, your phone should be locked, requiring a PIN or fingerprint to unlock, rendering it even less useful if someone wants to use your MFA credentials.

Using 2FA is one of the top three things that security experts do to protect their security online, according to a recent Google survey. And consumers feel the same way: almost 9 in 10 (86%) say that using 2FA makes them feel like their online information is more secure, according to TeleSign.

When should I use MFA?

Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood you’ll be the next victim.

You should use MFA whenever possible, especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. While some organizations require you to use MFA, many offer it as an extra option that you can enable—but you must take the initiative to turn it on. Furthermore, if a business you interact with regularly, say your health organization, wants to provide you with convenient online access to health records, test results, and invoices, but only offers a password as a way to protect that data, consider saying: ‘no thanks, not until you provide MFA to secure my information.’

You can find a list of websites that offer MFA here and step-by-step instructions for enabling it for your accounts here. You can even use this browser extension that was created as a result of last year’s National Day of Civic Hacking challenge that we hosted; it lets you know which of the websites you use offer MFA—and makes it easy to call out those that don’t.

It’s simple: turn on MFA today!

Twitter: @NSTICnpo


Looking back on happenings at the IDESG plenary

Last week in New Orleans, the Identity Ecosystem Steering Group (IDESG) launched the Identity Ecosystem Framework (IDEF) Registry and publicly listed the first four organizations to self-attest. At the 17th IDESG plenary meeting, these organizations presented their experiences – emphasizing the business benefit of publicly showcasing their dedication to trusted digital identity solutions. They also shared the ease of self-attestation, thanks to the IDESG’s concierge that assists Registry applicants.

“The launch of the IDEF Registry was a huge milestone, operationalizing the IDEF requirements. We are enthusiastic about this new phase for the IDESG, focused on sharing this product far and wide, encouraging organizations to get listed on the Registry and publicly attest their dedication to the NSTIC Guiding Principles,” said Mike Garcia, acting director of the NSTIC office.

In keeping up the momentum of the launch, plenary attendees mainly looked ahead—toward scaling up the Registry and fostering greater trust across the Identity Ecosystem. Across the two-day event, attendees:

  • Learned how the Registry works and heard perspectives from listed NSTIC pilots MorphoTrust USA, Galois, and PRIVO;
  • Discussed the bylaws of the IDESG and the privacy evaluation process required for all IDESG deliverables;
  • Gained a more thorough understanding of the IDESG standards registry and the process of adopting standards;
  • Discussed mapping the IDESG requirements to other trust frameworks—with the goal of streamlining multiple self-assessments into one;
  • Heard about the pilots’ experiences in evaluating and managing privacy risks in their organizations.

Congratulations on another productive IDESG plenary meeting! We encourage other interested organizations to become some of the first to self-attest to the IDEF requirements on the Registry. The IDESG welcomes early adopter feedback, which will enhance the self-attestation process. It’s an exciting time for the Identity Ecosystem – and we look forward to all that’s ahead with the IDESG.

Twitter: @NSTICnpo


The IDEF Registry: an open invite to commit to trusted digital identity solutions

The Identity Ecosystem Steering Group (IDESG) laid the groundwork for better digital identity transactions with the release of the Identity Ecosystem Framework (IDEF) – and today they’re inviting organizations to publicly put it to good use.

This morning at the Cloud Identity Summit in New Orleans, the IDESG announced the implementation of the IDEF Registry, an online listing service where ecosystem participants can report their self-assessed status against the IDEF baseline requirements. By attesting to these requirements on the Registry, organizations can showcase their commitment to providing trusted digital identity services. It’s a great way for organizations to demonstrate that they have crossed a threshold in the marketplace, addressing mature protections for consumers beyond those minimally required by law.

What’s involved for organizations in getting listed on the Registry? There are just a few steps:

  1. Determine role. Organizations determine their roles in the Identity Ecosystem, like provider of digital identity services or user of web services.
  2. Perform self-assessment. Organizations perform a self-assessment to determine full or partial compliance with the IDEF requirements.
  3. Complete the IDEF Registry form.
  4. Submit the form. The IDESG will review the form, contact the organization with any questions, and then publish the listing to the Registry.

The IDESG’s flexible self-assessment approach gives organizations a range of options to report their status in meeting each requirement. Also, the IDESG is offering the Registry as a public service — organizations can currently be listed at no charge. With free public access, the IDESG is encouraging organizations large and small to attest, showing that they see the value in trusted digital identity solutions to their businesses — and their customers.

Organizations can participate as an applicant and be listed in the Registry, or use it as a resource and browse the information that has been submitted. The listing enables individuals, businesses, and organizations to identify NSTIC-aligned service providers and more easily adopt trusted identity solutions.

Several early-adopter organizations have worked with the IDESG to develop the Registry, have already completed the self-assessment, and are listed on the Registry: DigiCert, Privacy Vaults Online (PRIVO), Tozny, and University of Maryland, Baltimore County. We look forward to seeing the Registry grow and build greater trust across the Identity Ecosystem. With this exciting announcement, we’re more than ready for the IDESG plenary this week on June 8-9 in New Orleans. See you there!

Check out the IDEF Registry here.

Twitter: @NSTICnpo


Announcing Draft Special Publication 800-63-3: Digital Authentication Guideline!

Today, we’re releasing the public preview of draft Special Publication 800-63-3, Digital Authentication Guideline. We’re excited to share the updates we’ve made—along with the new process that enables our stakeholders to contribute to the document in a more dynamic way.


First things first

There are too many changes to list in a blog, but let’s highlight a few of the biggest:

  • We broke down level of assurance into its independent parts: identity proofing, authenticators, and federated assertions, and now provide three assurance levels for each of identity proofing and authenticators. We provide guidance to keep this compatible with OMB 04-04 and the four existing levels of assurance while OMB revises existing identity policy.
  • There are now multiple volumes consisting mostly of normative language. By cutting down on the informative language, each volume is now a one-stop shop for mandatory requirements and recommended approaches.
  • Identity proofing got a major overhaul, for which we owe many thanks to our UK and Canadian peers. Plus, the draft guidance supports in-person proofing over a virtual channel—though under a strict set of requirements.
  • We’ve clarified that knowledge-based verification (nee authentication) is limited to specific portions of the identity proofing process and never sufficient on its own. Emailing a one-time password (OTP) is gone too—and we’ve deprecated SMS OTP, so it’s in there but we expect to remove it in a future revision.
  • We address the security required for centralized biometric matching.
  • We have terminology updates to clarify language across the identity space. For example, remember ‘token’? It’s ‘authenticator’ now, since ‘token’ has plenty of other definitions and uses in the real world. It just didn’t make sense to stick with it.

Last, but not least, we’re modernizing our feedback process to allow greater, more dynamic participation in the development of this document. We’re releasing it on GitHub, a public-facing, simple-to-use interface, and we’ll solicit comments via GitHub, respond to them, and make edits continually over multiple document iterations this summer.

Once these summer iterations come to a close, we’ll hold a more traditional 30- or 60-day public comment period with comment matrices and email, as an additional option to using GitHub. But for the current public preview, GitHub is the place to be!

What we’re looking for from you

Now is your chance to let us know: Did we miss anything? Have we gotten ahead of what is available in the market? Have we made appropriate room for innovations on the horizon?

In this public preview, we’re focused on getting the technical content right. So you’ll probably find an uncrossed ‘t’ and dot-less ‘i’ here and there. We ask that you focus your suggestions in this phase on the substantive (think technical and procedural requirements). Unless they impact the meaning of the statement, we’ll get to minor grammatical issues in due time—but we’ll gladly accept them if you can’t contain your inner grammarian.

GitHub uses markdown for editing, so the document may look a shade different from what you’d typically expect. But don’t let that put you off. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a simple form. There, you can summarize your suggested changes and submit them for further discussion in a forum-style format. You and your fellow reviewers can then consider the changes, discuss them, and suggest new ones as the conversation develops. More instructions are available online. And while we want this process to be interactive, we prefer suggested changes over forum chatter.

How we’ll review your comments

Our 800-63-3 team will review and update the draft document by looking over each issue. After careful review, we can incorporate changes directly into the draft and close the issue. The process will be fluid; comment periods will lead to new updates, which in turn will generate new opportunities for public collaboration and more updates. Our team will regularly update the document, so you can see changes as they occur over time. And after these cycles, we’ll end up with a completed version this winter built on community participation.

Now, please, go forth and contribute! We look forward to engaging with the community in this new process for 800-63-3 and developing effective, updated guidance.

Twitter: @NSTICnpo

What’s GitHub?

GitHub is an open source collaboration and development tool that will allow us to share the document and track your comments and suggestions. You can learn more about GitHub and how to sign up for an account here: https://github.com/


WHOA-OH! WE’RE HALFWAY THERE! Happy NSTICiversary!

It’s a little hard to believe, but today marks the 5th anniversary of the NSTIC, the strategy for achieving trusted digital identities in a private sector-led identity ecosystem. Let’s take a glimpse back in time to where we were five years ago:

It’s 2011. Most (79%) American adults use the Internet. The average user needs 10 different passwords for their daily online activity, according to a UK study, and 3 out of 4 Americans don’t use sufficiently strong passwords for their most sensitive accounts. It’s also a year of unprecedented data breaches. In fact, “2011 boasts the second-highest data loss since [Verizon] started keeping track in 2004,” with 855 incidents and 174 million compromised records. Some companies are getting more aggressive in pursuing better security; 2011 is the year Google released two-factor authentication (2FA). While companies are beginning to adopt more secure solutions, they’re still uncommon, even in services with the most sensitive data: in 2011, only 35% of non-Federal short-term care hospitals have the capability for 2FA.


2011 is also the year the U.S. government released an ambitious strategy to improve digital identity and online interactions and achieve the NSTIC vision that individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

Since then, the market has evolved and matured – and we are much closer to the Identity Ecosystem. Here at NIST, we’re focused on advancing standards, technology, and measurement science to drive commercial and government adoption of trusted digital identity solutions—and to do so, we’re executing on four primary tactics: partnerships, publications, market intelligence, and communications.

I’ll be perfectly clear: we have a lot of work left to do. But as we continue our drive to ubiquitous use of quality digital identity solutions, we oughtn’t overlook the extraordinary progress this community has made. As the market has changed so has the work of NIST and its partners. Here’s a look at just how far we’ve come…

Development of standards is increasing the interoperability of identity solutions. The last five years have brought great progress harnessing collective experience in the community to develop identity-focused security and privacy standards, protocols, and profiles that can be utilized across sectors.

On January 12-13, 2016, the Applying Measurement Science in the Identity Ecosystem workshop, hosted by NIST, brought together 224 public and private sector stakeholders to discuss the feasibility of and approaches to measure and compare attribute metadata and confidence scoring, strength of authentication, and strength of identity proofing.


Government adoption is increasing. Since 2011, the government has shown dedication to enhanced security and privacy through marked progress in government-wide practices.

In 2013, with funding from the Office of Management and Budget’s Partnership Fund for Program Integrity, NIST awarded two state-focused pilots, which have enabled over 800,000 Michigan citizens to prove their identity online to digitally access state benefits and services, and Pennsylvania citizens to electronically submit claims to the Pennsylvania Human Resources Commission.

Commercial adoption of trusted identity solutions is increasing. The NSTIC calls for the private sector to “lead the development and implementation of this Identity Ecosystem,” and organizations have stepped up, improving how they do identity.

  • In the last five years, many companies have enabled versions of MFA (sometimes 2FA or 2-step verification) for users: Google and Facebook did so in 2011; Apple, Twitter, and LinkedIn first offered the feature in 2013; Slack, Snapchat, and Amazon followed suit in 2015; and Instagram began rolling out 2FA in early 2016.
  • Since 2012, we’ve funded 18 pilots to facilitate the adoption of innovative, NSTIC-aligned identity solutions. The pilots have impacted over 3.8 million individuals, with advances occurring across 11 sectors.

Under Armour’s military and first responder market segment saw 30% revenue growth in its first year relying on NSTIC pilot ID.me for identity attribute verification and credentialing.

Individual adoption is increasing as well. The success of the Identity Ecosystem, according to the NSTIC, “depends, in large part, on encouraging individuals and organizations to adopt it,” because “the greater the number of participants in the Identity Ecosystem, the greater the value that each will obtain from participation.”

The Cybersecurity National Action Plan calls for an awareness campaign that focuses on broad adoption of MFA. The National Cyber Security Alliance will build off the Stop.Think.Connect. campaign and efforts stemming from the NSTIC, partnering with technology companies and civil society to promote this effort and make it easier for millions of users to secure their accounts online.


So what does all of this mean for the development of the Identity Ecosystem? I expect adoption of these solutions to follow the same S-shaped diffusion as most technologies—and we are, in my estimation, past the critical first inflection point. We have solutions, some early adopters, and promising indications for the future. It’s time to continue innovating and to scale.

We—the broad digital identity community—have made great strides over the last five years, and we’re expecting many more achievements as we finish the job. So much so, in fact, that NIST thinks each of these deserves an in-depth look, and we’re doing so through two new documents.

In May, we’ll release a two-part series of NISTIRs exploring the strategic landscape of digital identities. The first document will take a deep dive on market progress in the last five years, while the second will be an implementation roadmap for the second half of our 10-year goal of achieving the sustained, continually-evolving Identity Ecosystem.

We look forward to continued development and adoption of trusted digital identity solutions and growing our partnership on the second half of this journey. Happy adopting – and a happy NSTICiversary to all!

Twitter: @NSTICnpo


A previously unknown vulnerability.

This has gone on long enough. In 2004, Bill Gates predicted the demise of the password: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

The first known computer password heist occurred 54 years ago and the situation is arguably worse than it was in 1962. The 2015 Verizon Data Breach Report estimated 700 million compromised records in 2014 with a $400 million estimated financial impact. According to Verizon’s Data Breach Digest, 80% of breaches involve exploitation of stolen, weak, default, or easily guessable passwords.

For so many years we’ve talked about why passwords are insecure, unusable, and otherwise just plain bad. Today, we’re taking the next step forward at NIST. It’s time to make a stand against passwords.

The National Vulnerability Database is the U.S. government repository of standards-based vulnerability management data. It contains over 75,000 vulnerabilities. Today it contains one more.

Earning the maximum base score of 10.0 and an impact score of ∞, we’ve added the password to the NVD. The Common Vulnerability Scoring System metrics are unusually severe, with high impacts to each of confidentiality, integrity, and availability. “The analytics proved this one particularly nasty,” said Paul Grassi of the NSTIC NPO. “It’s rare to see a vulnerability that’s permeated so many systems. It’s like wildfire.”

We’ve canvassed the community and have gotten mostly positive feedback.

“The people who ask you for your password are often those least qualified to manage it,” remarked known rabble-rouser John Bradley from Ping Identity. “Passwords have long been passé. Let’s just say NIST is fashionably late to the party.”

Some in industry thought this a foregone conclusion, such as Stu Vaeth from SecureKey: “Well, I suppose this is more like a 19,000-day than a zero-day, but it’s comforting that NIST finally finished the paperwork.”

Others weren’t so sure about the move. Peter Alterman, COO of SAFE-BioPharma and noted ham radio operator, took a predictably contrarian position by declaring that “passwords work fine. It’s people that are struggling to keep up with the pace of the Internet. Totally obsolete.”

We’ll get right on that one.


New pilot opportunity: health records + federated identity = a better online experience

Say you’ve just had a procedure done at a hospital. This means new electronic medical records – but it likely also means a new account and yet another password to remember. When your healthcare team includes primary care physicians, dentists, allergists, and more, the number of accounts you have to remember can really add up.

The same goes for providers – especially the doctors, nurses, technicians, and therapists who work in multiple healthcare settings. A cardiologist might see a patient on a regular basis in their office, then in a critical situation in the hospital, then again in follow-up office visits. Going back and forth with different credentials to check information can take valuable time and attention away from patient care. What if patients and providers could instead access medical records with one trusted credential?

Today I’m thrilled to introduce our second solicitation for pilot funding of 2016, which focuses on streamlining the way that patients and providers access health information from different organizations online. We’re looking for a project that will pilot solutions to access health information that are privacy-enhancing, secure and resilient, interoperable, and cost-effective and easy-to-use.

For this funding opportunity, we’re looking to solve this problem through deployment of federated identity credentials in healthcare. Using the same credential across multiple healthcare providers can make life easier for users by simplifying and speeding up sign-in processes. For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy.

We’re looking for projects that:

  • Pilot a federated credential solution in which at least two hospitals or regional healthcare systems accept a federated, verified identity that leverages multi-factor authentication and an effective identity proofing process.
  • Enable online access to at least two organizationally separate healthcare organizations.
  • Demonstrate that the federated credential solution aligns with the Identity Ecosystem Framework Requirements.
  • Allow for interoperability with other identity federations in the healthcare sector and, where possible, other sectors.
  • Collect metrics and other information about the implementation of the federated credential solution that can contribute to a best practices guidance document.

We are also excited to announce that we’ll be collaborating with the Office of the National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services (ONC), which will participate in the review of applications and provide technical support regarding implementation and operation of the pilot. As Rose-Marie Nsahlai, lead IT security specialist at ONC, said, “We are pleased to collaborate with NIST on this important federated identity pilot project. Reducing the number of siloed identity solutions using federated credentials aligns with the calls to action in ONC’s Shared Nationwide Interoperability Roadmap. The ease of use and convenience provided by a federated identity solution will help to accelerate clinician adoption of new digital health solutions. We look forward to seeing new ideas and solutions unfold and increased adoption of quality identity solutions in healthcare.”

For this pilot solicitation, NIST anticipates funding one award in the range of $750,000 to $1,000,000 for eighteen months. To be eligible, all applicants must meet all of the following requirements:

  • Applicants must be hospitals or healthcare systems consisting of multiple hospitals, ambulatory sites, clinics or similar healthcare facilities.
  • Applicants may be for-profit, not-for-profit or governmental (other than Federal government) entities located in the United States or its territories.
  • Applicants must partner with at least one other healthcare organization in their locality or region. The partner organization should have an anticipated overlap of patients, physicians and other clinical staff with the applicant organization; examples of suitable partners include physician practice groups, clinics and hospitals.
  • The partner organization must be organizationally independent of the applicant and maintain a separate health information system from the applicant.

We don’t intend this to be a standalone pilot project. The project partners must provide data on how they implemented the solution and how it performed, ultimately contributing to a jointly published document that can serve as a guide for other healthcare systems.

We look forward to reviewing applications for this new pilot that strive to improve critical processes for patients and healthcare providers!

The deadline to apply is: Wednesday, June 1, 2016, by 11:59 p.m. Eastern Time

@NSTICnpo on Twitter


New publication: January workshop next steps

I’ve said it before and I’ll say it again: NIST’s efforts in defining measurement science and metrics in digital identity management must be aligned with the goals of the community. Today I’m pleased to announce the draft release of NISTIR 8103: Advanced Identity Workshop on Applying Measurement Science in the Identity Ecosystem: Summary and Next Steps. This document summarizes two days of discussion among the more than 220 participants at NIST’s workshop last month in Gaithersburg, Maryland, and provides a brief look at how we intend to move forward on these topics.

We welcome community feedback on this draft document and on our process for completing this work. A public comment period is open now until March 31, 2016. Comments may be sent to NSTICworkshop@nist.gov. Please let us know if we missed anything or erred, and we always welcome additional feedback on the workshop itself.

So, what should you expect from us? In the coming months, NIST will focus on determining the type of material to be developed that will most effectively forward these efforts, establishing new processes to foster greater collaboration and frequent community interaction in the development of NIST documents, and determining the best fora for advancing these efforts. More concretely, we will:

  • publicly post “project charters” outlining the methods for each topic area
  • transition the attribute metadata and confidence whitepaper and the strength of authentication whitepaper to NISTIRs
  • upon completion of the initial draft of the attribute metadata NISTIR, begin a series of iterative public comment and development periods using public GitHub repositories, and
  • solicit stakeholder feedback to determine the scope and path for measuring the strength of identity proofing

My sincerest thank you to those who have contributed to this process and remain on board for the developments ahead. We’ll be in touch as we continue to make progress and move forward!

Read: NISTIR 8103

Twitter: @NSTICnpo


Celebrating Data Privacy Day and everything it stands for!

Happy Data Privacy Day! According to a recent survey of young Americans by Harvard’s Institute of Politics, 65% of respondents said they were “very concerned” about technology companies collecting digital information from their phone or computer. While it’s only January, that level of concern suggests privacy will continue to have a place in the national conversation throughout 2016.

The first NSTIC Guiding Principle is that solutions will be privacy-enhancing and voluntary, and today we would like to take the opportunity to talk about some of the things we are doing to help organizations be better stewards of individuals’ data. The reality is that when it comes to building infrastructure like the Identity Ecosystem, there is only so much individuals can do when the infrastructure itself creates privacy risks. Thus, the organizations that are part of the Identity Ecosystem also need to take steps to identify and address privacy risks in the systems they build.

One of the ways NIST is working to promote a privacy-enhancing identity ecosystem is by funding new, innovative solutions in the identity space. In working with pilots over the past several years, we have learned about a few key challenges in online identity. Although our pilots and the broader marketplace have made great progress toward the NSTIC vision, there’s still much room for improvement in privacy. Take our Galois pilot, for example. They are working to develop a personal data store that will enable a user to be in control of what data they are sharing and to whom—enabling consented online transactions with the user’s information squarely in their own control.

In the National Cybersecurity Center of Excellence, we’re working on a building block to develop privacy-enhancing identity federation solutions. The goal of this effort is to develop a solution, using commercially available products, that protects individual transactions and personal data from being exposed to participants in the federation. Once complete, we will release a cybersecurity practice guide that details the integration steps we completed so that other organizations can learn from our efforts, or even better, repeat our integration with limited complexity.

Beyond technical research, we are continuing to support the work of the Identity Ecosystem Steering Group, which released the first version of the Identity Ecosystem Framework (IDEF) last year. The IDEF’s privacy requirements provide a baseline for describing the organizational and engineering practices of organizations that take individuals’ privacy seriously. Through this work, and with the help of other organizations working in this space, we hope to support the development of standards for the technical underpinnings of what individuals can expect from privacy protections online.

It’s just a matter of time: as technology continues to evolve and as people demand better privacy protections, new technological advances will emerge—and organizations will find innovative ways to deliver services with improved management of privacy risk. We see the great things that are possible and we continue – through research, pilots, and partnerships – to set our expectations high. We are celebrating Data Privacy Day today—but we aspire to an identity ecosystem that is truly privacy-enhancing all 365 days a year.

Twitter: @NSTICnpo
