Celebrating Data Privacy Day and everything it stands for!

Happy Data Privacy Day! According to a recent survey of young Americans by Harvard’s Institute of Politics, 65% of respondents said they were “very concerned” about technology companies collecting digital information from their phone or computer. While it’s only January, that level of concern suggests privacy will continue to have a place in the national conversation throughout 2016.

The first NSTIC Guiding Principles is that solutions will be privacy-enhancing and voluntary, and today we would like to take the opportunity to talk about some of the things we are doing to help organizations be better stewards of individuals’ data. The reality is that when it comes to building infrastructure like the Identity Ecosystem, there are only so many things individuals can do when the infrastructure itself creates privacy risks. Thus, the organizations that are a part of the Identity Ecosystem also need to take steps to identify and address privacy risks in the systems they build.

One of the ways NIST is working to promote a privacy-enhancing identity ecosystem is by funding new, innovative solutions in the identity space. In working with pilots over the past several years, we have learned about a few key challenges in online identity. Although our pilots and the broader marketplace have made great progress toward the NSTIC vision, there’s still much room for improvement in privacy. Take our Galois pilot, for example. They are working to develop a personal data store that will enable a user to be in control of what data they are sharing and to whom—enabling consented online transactions with the user’s information squarely in their own control.

In the National Cybersecurity Center of Excellence, we’re working on a building block to develop privacy-enhancing identity federation solutions. The goal of this effort is to develop a solution, using commercially available products, that protects individual transactions and personal data from being exposed to participants in the federation. Once complete, we will release a cybersecurity practice guide that details the integration steps we completed so that other organizations can learn from our efforts, or even better, repeat our integration with limited complexity.

Beyond technical research, we are continuing to support the work of the Identity Ecosystem Steering Group, who released last year their first version of the Identity Ecosystem Framework (IDEF). The IDEF’s privacy requirements provide a baseline for describing the organizational and engineering practices of organizations who take individuals’ privacy seriously. Through this work and with the help of other organizations working in this space, we hope to support the development of standards for the technical underpinnings of what individuals can expect from privacy protections online.

It’s just a matter of time: as technology continues to evolve and as people demand better privacy protections, new technological advances will emerge—and organizations will find innovative ways to deliver services with improved management of privacy risk. We see the great things that are possible and we continue – through research, pilots, and partnerships – to set our expectations high. We are celebrating Data Privacy Day today—but we aspire to an identity ecosystem that is truly privacy-enhancing all 365 days a year.

Twitter: @NSTICnpo

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , | Leave a comment

Stepping stones: working to establish a solid foundation for measurement science in the Identity Ecosystem

The crowd for the event's first panel. Photo by James Bryce Clark

The crowd for the event’s first panel. Photo by James Bryce Clark

Mike Garcia closed out the first workshop of NIST’s new Applied Cybersecurity Division with the same energy, passion, and commitment to action that we saw from all attendees over the course of the two-day event: “There is an Identity Ecosystem. We have attributes and we use them. We proof identities. We authenticate…but we know that’s not the whole story. Each of us knows we could do better and that digital identity matters to us, as a society and in our economy.”

The “Applying Measurement Science in the Identity Ecosystem” workshop was a huge success from NIST’s perspective; post-conference chatter leads me believe that attendees felt the same way. These two days further validated my excitement coming to work every day: we were humbled by the 220 familiar faces and new friends that showed a desire to build on the community’s progress in digital identity, along with the diversity of opinions and expertise to do just that. Between informative expert panels and intensive breakout sessions, attendees delved into measurement science in the Identity Ecosystem – brainstorming and evaluating approaches, barriers, implementation considerations, and more.

So, what’s next?

In a few weeks, we’ll be releasing a proceedings document summarizing what we heard at the event to share the discussions more broadly—and to make sure we synthesized your input accurately—so that our follow-on efforts are aligned with the goals and interests of this community. From there, we’ll be working with you to determine the next steps to advance measurement science in the Identity Ecosystem. This will all be an iterative process and we won’t do anything hastily; getting this right is our priority. One message that was loud and clear at the workshop: there is more to explore in this area. So please keep an eye out for blog posts, tweets, and emails with ways to get involved in the next steps.

In the meantime, we welcome comments, feedback, and guidance on both the content and our process; if you have additional contributions to these efforts, please send them to NSTICworkshop@nist.gov.

While this workshop was an important step, this work is just beginning; we look forward to continuing with you on this journey. Thank you to all of the attendees and panelists—as well as the facilitators and diligent note takers and detailed event planners—for making this event a great success. I’m proud to be part of this committed team at NIST who created and executed with this event and the amazing community that contributed to it.

Twitter: @NSTICnpo

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , | Leave a comment

BREAKING NEWS: 2016 state and local government pilot opportunity just announced

A recent McKinsey report found that the critical drivers of customer satisfaction with state government services are: fast, simple, and efficient processes; the availability of online options for completing interactions; and the transparency of information. Secure and convenient digital access to online state services can make a genuine difference to beneficiaries—that’s why these providers need to both deliver solutions and protect against fraud—while safeguarding personal information from malicious actors.

We know simultaneously achieving these goals is no simple matter. Make a service too hard to access and it fails to serve its customers; make it too easy and it fails to protect them from fraudulent access. To combat the many security incidents affecting individuals, President Obama released Executive Order 13681, which in Section 3 called for multi-factor authentication (MFA) and effective identity-proofing processes in digital services that involve personal data. While that applies to federal applications, we believe a healthy ecosystem demands meeting these goals at all levels of government and in the private sector.

We’ve already seen that NSTIC-aligned solutions can make a difference at the state level through the work of pilots in the Commonwealth of Pennsylvania and the Michigan Department of Human Services. According to a preliminary analysis conducted for our office by RTI International, the improvements to identity and authentication under the NSTIC pilot resulted in an estimated 8% reduction in Michigan’s Food Assistance Program backlog. The impact is roughly consistent with a one-day reduction in the time that an applicant may expect to wait for their application to be processed—a potentially very important day for an individual waiting for benefits.

The promise of more impacts of this kind motivated our first solicitation for 2016 funding. We’re addressing the need for effective identity-proofing and authentication to make meaningful impacts on state and local government services. We looking for eligible applicants—to include U.S. state, tribal, and local governments, institutions of higher education, and commercial entities working with those government entities—to pilot online identity solutions that embrace the Identity Ecosystem Steering Group’s Identity Ecosystem Framework. Specifically, identity solutions must:

  • Enable online access to one or more state, local or tribal government service(s).
  • Provide for a federated, verified identity that enables MFA and an effective identity proofing process meeting the risk needs of the service(s).
  • Align with the Identity Ecosystem Framework Requirements.
  • Allow for interoperability with other federations in use in the public and private sectors.

We’re looking for projects that will deploy pilots to test or demonstrate new solutions that are not widely adopted in the marketplace today. Keep in mind that for this pilot, services that are currently online and enabled are welcome to apply, as are services that are not currently enabled online. NIST anticipates funding up to four awards; each award will be in the range of approximately $1,000,000 to $1,250,000 per year for up to three years —and all applicants must meet one of the following conditions to be eligible:

  • State, local, or Indian tribal governments located in the U.S. and its territories, or
  • Commercial or nonprofit organizations or institutions of higher education located in the U.S. that have at least two state, local, or tribal government agencies representing two different governmental jurisdictions participating in the pilot through enabling online access to one or more state, local, or tribal government service(s).

We look forward to a new round of ambitious projects—and we’ll keep you informed about other opportunities in the future!

Helpful information:

The deadline to apply is: Thursday, February 18, 2016 by 11:59 p.m. Eastern Time

@NSTICnpo on Twitter

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , | Leave a comment

Register now: Applying measurement science in the Identity Ecosystem workshop

Registration is now officially open for the ‘Advanced Identity Workshop: Applying Measurement Science in the Identity Ecosystem’ coming up on January 12-13, 2016, at the NIST campus in Gaithersburg, Maryland.

This two-day advanced identity workshop will bring together a diverse community of technology vendors, cybersecurity researchers, policy makers, and other experts from the public and commercial sectors to tackle three tough issues in developing measurement science in identity and access management: strength of identity proofing, both remote and in-person; strength of authentication with a focus on biometrics; and attribute confidence to assist in effective decision-making.

This is not a workshop for solely listening and learning. To make meaningful progress toward measuring the performance of solutions, we need participants to contribute their expertise.

  • For identity proofing and authentication: What approaches have worked in your organization? What data would your organization look at to quantitatively assess strength in a consistent and repeatable way? What would a provider have to communicate to your organization for you to trust their solution? How is comparability assessed among disparate technologies and processes?
  • For attribute confidence: What attribute metadata really matters to your organization’s decision-making? What implementation options should be evaluated to reduce the impact on entities that assert or consume attributes?

“One of the ultimate goals of the NSTIC is to achieve an environment in which we are able to deliver solutions at least as fast as our adversaries can break them,” said Mike Garcia, acting director of the NPO. “This workshop is a critical step in advancing how government—and we hope the market writ large—measures and compares authentication and authorization solutions based on how they perform, enabling more informed risk-based decisions. Getting this right matters and we couldn’t be more excited to launch this effort.”

This technical workshop will include a mix of moderated panels and facilitated working sessions that will determine meaningful and actionable next steps that NIST and its partners will undertake in establishing measurement science in identity management. In the coming weeks we will release three whitepapers—one for each area of focus at the workshop—on our website. We encourage attendees to read them and arrive with their ideas to move our community forward.

Confirmed speakers and panelists at this time include: Darran Rolls (SailPoint), Gerry Gebel (Axiomatics), Leif Johannson (SUNET/Kantara), Vance Bjorn (Digital Persona/Cross Match), Stephanie Schuckers (Clarkson/FIDO Alliance), Cathy Tilton (CSC), David Kelts (MorphoTrust USA), Dario Berini (NextgenID), Kim Little (LexisNexis), Brett McDowell (FIDO Alliance), Ian Glazer (SalesForce), and LaChelle LeVan (GSA).

Register
Agenda
@NSTICnpo on Twitter

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , | Leave a comment

Launching iGov: secure and privacy-enhancing identity authentication and authorization profiles developed on an international scale

International collaboration among the public and private sectors is now expanding with the announcement of a new OpenID Foundation (OIDF) working group called the International Government Assurance Profile (iGov)—launching on October 26th at the OIDF Workshop in Mountain View, California. The iGov profile working group will develop an interoperable profile of OpenID Connect (OIDC) to allow users to authenticate and share consented attribute information in a consistent and user-centric manner.

With over 10 international governments and multiple private sector organizations already participating, iGov will set the foundation for secure and privacy-enhancing authentication and authorization transactions based on common requirements from the global community. The primary objectives of developing this profile in an open forum are two-fold:

  1. Harness the collective experience and lessons learned of multiple international governments to develop a security and privacy profile that can be utilized across a range of public sector online offerings, and
  2. Obtain buy-in from private sector partners and product vendors that deliver technologies for digital identity services.

Through this collective effort, product vendors can enhance their solutions once to be internationally conformant—rather than clogging their product pipeline with multiple costly enhancements focused on satisfying one government at a time. This, in turn, reduces integration time to enable trusted identity transactions, allowing governments to accelerate the delivery of citizen-centric services. As more and more public sector services incorporate the iGov profile into their identity infrastructures, global interoperability will shift from something to which we all aspire to something that is built into the underlying fabric of identity services.

The scope of the working group is to:

  • Develop a set of internationally-applicable use cases and requirements to expand the current portfolio,
  • Define a set of profiles for OAuth 2.0 and OIDC,
  • Promote progressive harmonization with existing specifications and protocols as appropriate, and
  • Support deployment architectures that are common in today’s marketplace.

To provide iterative testing and feedback along the way, Connect.Gov, the U.S. government’s shared service for privacy-enhancing authentication and attribute delivery, will pilot the iGov profile with early-adopter agencies. When the iGov profile is complete, it will be road-tested and ready to go!

Objective 4.2 of the NSTIC calls for international integration of the Identity Ecosystem, and the number of governments and private sector partners actively participating in this effort is a terrific indication of the flourishing partnership of diverse stakeholders; we are one step closer to a rich ecosystem of innovative products for identity services!

We already have a great group of collaborators, but we’re always looking for more active participation to make this working group as successful as possible—so please visit the newly launched iGov website to find out more about how to join.

For more information, feel free to read the iGov charter and subscribe to the mailing list. You can also follow the NSTIC NPO on Twitter to get additional updates in the future.

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , | Leave a comment

Breaking news: the IDEFv1 is now available to the public!

In the NSTIC, the president called for an “overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.”

Today, I’m proud to announce that the privately-led Identity Ecosystem Steering Group (IDESG) has delivered. Thanks to the incredible dedication of the IDESG’s volunteer membership, version 1 of the Identity Ecosystem Framework (IDEF) is now a final public document. This framework raises the bar for online transactions and substantially advances the Identity Ecosystem.

The IDEF provides a foundation for the Identity Ecosystem, which is necessary to continually improve online commerce, the efficiency of digital services, and online interactions. The IDEFv1 will also serve as the foundation for the Self-Assessment Listing Service (SALS)—poised to be operational in January—that will enable businesses and organizations to assess and report on the status of their conformance to the minimum requirements for alignment with the NSTIC Guiding Principles that identity solutions will be: privacy-enhancing and voluntary, secure and resilient, interoperable, and cost effective and easy to use.

Service providers that self-attest will have the opportunity to differentiate their services by demonstrating the enhanced protections and practices they have put in place to safeguard consumers and business partners. Individuals and organizations can then more easily identify trust-worthy service providers and solutions—an essential step in building a vibrant and flourishing Identity Ecosystem. The complete IDEFv1 package released today includes:

  • Baseline requirements: the set of minimum requirements for identity ecosystem participants
  • Supplemental guidance: additional information to further clarify the requirements for all audiences
  • Functional model: a breakdown of the functions in an identity interaction
  • Scoping statement: setting the path for the IDEFv2 and the IDESG program listing and certification scheme

Since day one I’ve stood as witness to the remarkable effort of the IDESG’s volunteers. Now, I’m excited to see the impact of the IDEFv1 on the marketplace for identity solutions and the impact of more trustworthy solutions for consumers. In the coming months the IDESG will finalize the SALS to ensure a simple and streamlined ability for organizations to self-attest to the IDEFv1. I look forward to more progress in the future and thank everyone for their continued dedication. Congratulations!

To see the released IDEFv1 package, please visit http://www.idesg.org/IdentityRevolution and follow the NSTIC NPO on Twitter for updates.

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , , , , , | Leave a comment

A major NSTIC milestone: IDEFv1 set for October 20th public release

When the Identity Ecosystem Steering Group (IDESG) plenary convened last week in Tampa, Florida, attendees meant business. By Friday afternoon, committees had finalized the baseline requirements and supplemental guidance for v1 of the Identity Ecosystem Framework (IDEF). Now the plenary stands in recess with the IDESG on track for a major milestone: completion of the IDEFv1, set for public release on October 20th!

The IDEF, chartered for establishment and governance by the IDESG, will stand as the policy foundation for the Identity Ecosystem (IE). After much effort by the IDESG working committees – including collaboration with the NSTIC pilots to level-set with commercial entities– the IDESG has produced a set of baseline requirements that will enable self-attesting entities to assess and report on their alignment with the NSTIC Guiding Principles. This represents a major step forward in influencing the marketplace toward the NSTIC vision. The IDEFv1 will be released for a final reading period on October 7th, and the plenary will reconvene virtually on October 15th at 2:00 PM ET to approve the package. During the Plenary meeting, Plenary Chair Kim Sutherland recognized the substantial effort and commitment of the IDESG committees – and in particular the individual committee chairs – for all of their work to produce the IDEFv1 as the IDESG’s major collaborative work product and contribution to the IE.

Beyond the committee work of finalizing the requirements, plenary attendees:

  • Advanced the Self-Assessment Listing Service (SALS) as led by the Trust Framework and Trustmark (TFTM) Committee. Set to begin operations by the end of the year, the SALS will enable IE participants to assess and assert conformance with the IDEF requirements, publicly announcing their commitment—and operational adherence—to the Baseline Requirements for privacy, interoperability, security, and usability.
  • Received updates on the NSTIC pilot progress from recipients and their partners. Pilot recipients brought along relying parties that gave the bigger picture on the role of these projects in the market. Plenary attendees heard from GSMA, joined by representatives from Payfone and Verizon; GTRI, joined by a representative from the State of Alabama; MorphoTrust USA; and the University Corporation for Advanced Internet Development (UCAID or Internet2).
  • Had an intro to our three new additions to the NSTIC pilots family, a preview of the NSTIC NPO’s future activities, and were the first to hear about the NPO’s upcoming workshop.

Simply put, part one of the currently-recessed plenary went off as planned. It was productive and all could feel the energy of IDEFv1 nearing release. Now, the IDESG looks to push the IDEFv1 across the finish line at the October 15th virtual plenary. Stay tuned for more exciting IDEF updates in the coming weeks—the Identity Ecosystem has never felt so close!

…as always, remember to follow us on Twitter!

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Save the Date: NSTIC identity proofing, authentication, and attributes workshop – January 2016

We’re thrilled to announce that on January 12-13, 2016, the NSTIC National Program Office, with our colleagues here in NIST’s Information Technology Lab, will hold a technical workshop called ‘Applying Measurement Science in the Identity Ecosystem.’ Participants will collaborate about ways to measure and compare the performance of key solutions in the Identity Ecosystem, specifically:

  • Strength of identity proofing, both remote and in-person;
  • Strength of authentication with a focus on biometrics; and
  • Attribute confidence to assist in effective authorization decision making.

This two-day event at the NIST campus in Gaithersburg, Maryland, will bring together leading security practitioners, solution providers, experts, and policy makers from across sectors. With the growth of available solutions in the market, the NPO believes it’s now time to improve the science behind identity assurance—and that the agencies and industry will benefit from better tools to measure the performance of solutions.

NIST is shifting its focus to these issues at a vital time. Last October, President Obama’s Executive Order 13681 called for multi-factor authentication and effective identity proofing processes in federal agencies’ digital services that involve personal data. Emerging technologies, like those in mobile and biometrics, are poised to be game-changers in the way we think about identity and access management. Based on these innovations, the explosion of tools and techniques in the market, and the need to remain flexible in guidelines and standards, we believe metrics are a critical element of well-informed risk decisions. By aligning risk tolerance with a measure of strength in proofing and authentication– or attribute confidence– agencies can determine exactly what market solutions best can meet their needs.

In the coming months we will release a series of brief white papers addressing each of the primary focus areas for the workshop. With the white papers as a starting point, stakeholders will have an opportunity to provide critical feedback at this workshop and guide our next steps—which we envision will be critical inputs to federal guidance on each of these topics as well as international standards. To make these efforts meaningful we need engagement from a diverse array of stakeholders on how measurement science and risk practices can be aligned to help mitigate the cyber threats we all face today. Bring your solutions and your insight to the table and help us improve online identity!

Stay tuned for registration information on our new NSTIC events page and for the release of our white papers.

…and remember to follow us on Twitter!

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , , , , , , , | 2 Comments

Introducing the 3 newest members of the NSTIC pilots family!

The NSTIC pilots family is growing today with the announcement of three new pilot projects receiving NIST grants!

These projects will join the ranks of the 15 active NSTIC pilots and alumni that know all about catalyzing a marketplace of identity solutions. The NSTIC pilots family has done a great deal to seed the market, including:

  • Bringing together over 130 partner organizations in support of advancing the NSTIC across 10 major industry sectors;
  • Impacting approximately 2.3 million individuals;
  • Enabling 10 MFA solutions such as SMS text and multi-modal biometrics; and
  • Establishing or enhancing five commercial trust frameworks to facilitate interoperability of NSTIC-aligned credentials across sectors.

With a new round of NIST grant awardees, we have yet another opportunity to bring NSTIC-aligned solutions to the masses. This year’s additions are developing and deploying awesome, innovative solutions to address the toughest identity conundrums associated with everyday transactions; the pilots are aimed specifically at reducing tax refund theft, improving the security of medical information, and providing secure online storage for internet-of-things enabled devices.

This year’s selections show how we’re transitioning our pilots program to focus on filling more specific, critical gaps in the marketplace. In one of the federal funding opportunities (FFOs) we released earlier this year, we solicited projects with a focus on privacy-enhancing technologies since we’ve found privacy to be one of the most challenging NSTIC Guiding Principles for organizations to address. This more specific FFO followed a general solicitation for NSTIC-aligned solutions, which mirrored NSTIC FFOs of years past.

From submissions to these two FFOs, we at the NSTIC National Program Office selected three new pilot projects to push the boundary of identity management as it currently stands.

Without further ado, the grantees announced today are:

MorphoTrust USA (Billerica, Mass.: $1,005,168) MorphoTrust’s second NSTIC pilot grant will focus on preventing the theft of personal state tax refunds. Through MorphoTrust’s partnerships with multiple states, the project will show how to efficiently leverage trust created during the online driver licensing process (which includes enrollment, verification through biometric identification, authentication and validation, and issuance) in a scalable way to create trustworthy electronic IDs that individuals control.

HealthIDx (Alexandria, Va.: $813,922) HealthIDx proposes to deliver an innovative, privacy-enhancing technology that protects patients’ identity and information. This project will pilot a ‘triple blind’ technology in which medical service providers have no knowledge of which credential service provider an end-user chooses, credential service providers have no knowledge of which medical service provider the end-user is visiting, and the identity broker has no knowledge (nor retains any information) about the transaction’s parties or contents.

Galois, Inc. (Portland, Ore.: $ 1,856,778) Galois will build a tool to allow users to store and share personal information online. The user-centric personal data storage system relies on biometric-based authentication and will be built securely from the ground up. As part of the pilot, Galois will work with partners to develop just-in-time transit ticketing on smart phones and to integrate the secure system into an internet of things-enabled smart home.

NSTIC pilots aren’t just about executing on the descriptions above. These last few years, they have been vital in offering a commercial perspective on the Identity Ecosystem Framework to the Identity Ecosystem Steering Group, piloting the newly drafted Privacy Risk Management Framework for the privacy engineering team at NIST, and providing feedback for NIST publications, such as NISTIR 8054. We look forward to seeing these three 2015 pilots follow suit and advance the NSTIC. And with these three pilots addressing identity challenges in everyday transactions, we can’t wait to see entirely new groups of individuals benefit from the security, privacy, and convenience of NSTIC-aligned solutions.

We at the NSTIC NPO will be sure to keep you updated as these pilot projects unfold, so be sure to check our blog and twitter regularly for updates.

MorphoTrust, HealthIDx, and Galois: welcome to the family!

Posted in Uncategorized | Tagged , , , , , , , , | Leave a comment