Back in February, if you read our post on Putting the Fed in Federation: The U.S. Government as Early Adopter of the Identity Ecosystem and thought “when pigs fly,” you probably weren’t alone. But with the announcement that the United States Postal Service (USPS) has awarded SecureKey Technologies with a contract to stand up the Federal Cloud Credential Exchange (FCCX), you might just want to keep your eye on the horizon.
This award is another milestone in the implementation of the NSTIC, and means that the FCCX project can move into the pilot implementation phase. The Department of Veterans Affairs and the National Institute for Standards and Technology (NIST) will be participating. We expect that additional agencies will be announcing their participation over the next few months. Implementation is more than just the deployment of a technical hub-style federation solution though. The General Services Administration (GSA) has established a program management office to coordinate the integration between the cloud solution and Federal Identity, Credential & Access Management (FICAM) policy around approved identity providers, as well as to support continued agency engagement in building a governance framework and a successful business model. These components are key to enabling federal agencies to conserve resources through use of a shared service and to eliminate their paying the same firms to credential the same citizen multiple times – an area where government can drive significant cost savings, as evidenced by a recent NIST/IRS case study. Moreover, we anticipate that progress in addressing the knotty areas of governance, liability and business models will facilitate maturation of the Identity Ecosystem.
FCCX’s value also lies in demonstrating that significant privacy risks can be managed through a combination of technical design and policy. If you had the opportunity to read the USPS RFP, you may have seen that one of the business requirements was that “[t]he FCCX service shall support the privacy requirements of anonymity, unlinkability and unobservability.” The vendor that was selected will be employing a proven, “double blind” architecture – a novel approach that will prevent tracking of credential use among identity providers and relying parties. In simple terms, this means that private organizations that issue citizens credentials – and the agencies that accept them – will have no way to track where citizens use them.
In addition, the FCCX team will be working on the capability for identity providers to share needed attributes with federal agencies while limiting the attributes’ exposure within the hub through the development of privacy-enhancing cryptography in a commercially deployable protocol. Notwithstanding the number of NSTIC pilots exploring this latter subject – broad commercial deployment of privacy-enhancing cryptography remains elusive. The NSTIC NPO is in the planning stages to build a more coordinated platform to accelerate work in this area.
So stay tuned – there may be any number of pigs flying around in the coming months.