OMB’s ICAM policy change leverages NIST’s Digital Identity Guidelines, permitting the use of non-PIV, AAL 3 credentials for logical access, and tasks agencies with accepting federated credentials for consumers conducting transactions online.

7 years ago – the NSTIC and the goal of an identity ecosystem

Seven years ago this month, the Obama Administration published the “National Strategy for Trusted Identities in Cyberspace (NSTIC)”. NSTIC called for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”

Born out of the NSTIC and operating under grants from the National Institute of Standards and Technology (NIST) is the Identity Ecosystem Steering Group (IDESG), a private sector-led not-for-profit organization. Any identity ecosystem requires trust, and specifically a trust framework. The IDESG’s Identity Ecosystem Framework provides a baseline set of standards and policies that enables individuals and organizations to use a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet. Full disclosure: I currently serve on the IDESG’s Board of Directors.

Although the NSTIC vision remains, over the past seven years interoperability and trust online have remained non-existent, due to numerous large-scale breaches, cyberattacks and the latest scandal involving Facebook and Cambridge Analytica. Alarmingly, the overwhelming majority of Americans have had their personal data compromised online.
Fast forward to 2018

On April 6, the White House Office of Management and Budget (OMB) published a draft for public comment titled “Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management.” OMB’s policy change focuses on three main areas:

- Implementation of effective ICAM governance;
- Modernization of agency ICAM capabilities; and
- Agency adoption of ICAM shared solutions and services.

OMB directs agencies to leverage NIST Special Publication (SP) 800-63, Digital Identity Guidelines, updated and published in June 2017. The Digital Identity Guidelines are actually a suite of documents:

- SP 800-63-3 – Digital Identity Guidelines
- SP 800-63A – Enrollment and Identity Proofing
- SP 800-63B – Authentication and Lifecycle Management
- SP 800-63C – Federation and Assertions

The new policy incorporates “Digital Identity Risk Management into existing processes as outlined in NIST SP 800-63, including the selection of Identity Assurance Levels (IALs), Authentication Assurance Levels (AALs), and Federation Assurance Levels (FALs) commensurate with the risk to their digital service offerings.”

OMB’s new policy states: “When PIV cards as a form factor are not feasible for logical access control, other IAL 3 and Authenticator AAL 3 identity solutions can be used. Agencies shall consider the cross-government trusted federation and interoperability requirements established in HSPD-12 when implementing any other process and form factor.” This means that government agencies are no longer limited to PIV or derived PIV credentials for employees and contractors. AAL 3 authenticators, including FIDO Alliance certified and numerous FIPS 140-2 approved authenticators issued by a shared service provider, meet the requirements of the new policy.
In addition, OMB directs NIST to “Update NIST SP 800-157, Guidelines for Derived PIV Credentials, to align with NIST SP 800-63 and develop a process to identify innovative technologies and authenticators (where applicable) that can leverage the PIV process for derived credentialing for logical and physical access.” It is still unclear which technologies NIST will include and whether NIST will permit non-PKI-based solutions for Derived PIV credentials.

Federation of consumer to government transactions

It is important to note that OMB’s memo applies not only to federal employees and contractors, but also to consumers interacting with federal agencies online. NIST’s Federation and Assertions guideline will assist agencies. OMB directs agencies to use shared service providers that use more than one credential provider and are able to federate with other solutions, so that customers are empowered to select the option that appropriately mitigates risk for their unique interactions across government.

Taking a risk-based approach means that, depending on the sensitivity and security warranted by the consumer’s request, federal agencies should require correspondingly higher levels of identity assurance and authentication. For example, a person making a camping reservation at a national park may warrant a lower IAL or AAL, Level 1. However, applying for Medicare benefits would warrant a higher IAL and AAL, ideally Level 3, given the level of risk should the information become compromised.

In attending an early IDESG Plenary Meeting, a representative from the U.S. Department of Defense made the point that in the identity ecosystem I, along with my federal government colleagues, should be able to use our PIV or CAC cards to authenticate to non-government websites within the identity ecosystem. We are not there yet, but OMB’s policy change turns it around in that the federal government will accept authenticators outside of a PIV or CAC.
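The risk-based selection of assurance levels described above, as an added illustration (not code from the article, OMB or NIST): a small Python helper that rates a digital service against the six harm categories SP 800-63-3 Section 6 lists and picks IAL/AAL/FAL from the result. The mapping of the worst-rated impact to Level 1/2/3, the personal-safety override and the FAL handling are simplifications assumed for this example, not a transcription of the NIST decision trees; the two impact profiles are constructed to match the camping-reservation and Medicare scenarios above, and the multi-factor floor for services that expose personal data reflects the AAL2 requirement SP 800-63-3 Section 6.2 places on such services.

```python
"""Worked digital identity risk assessment: picking IAL/AAL/FAL from an impact profile."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential-impact rating for one harm category (Low/Moderate/High as in SP 800-63-3 Section 6)."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Harm categories that SP 800-63-3 Section 6 asks agencies to rate (names paraphrased here).
CATEGORIES = (
    "inconvenience_distress_or_reputation",
    "financial_loss_or_liability",
    "harm_to_agency_programs_or_public_interests",
    "unauthorized_release_of_sensitive_information",
    "personal_safety",
    "civil_or_criminal_violations",
)

# Assumed mapping from the worst-rated impact to an assurance level (a simplification, not NIST's flowcharts).
LEVEL_FOR_IMPACT = {Impact.NONE: 1, Impact.LOW: 1, Impact.MODERATE: 2, Impact.HIGH: 3}


@dataclass(frozen=True)
class AssuranceLevels:
    ial: int        # Identity Assurance Level: strength of identity proofing at enrollment
    aal: int        # Authenticator Assurance Level: strength of the login authenticator
    fal: int        # Federation Assurance Level: protection of federated assertions (0 = not federated)
    rationale: str


def select_assurance_levels(impacts, makes_personal_data_available=False, federated=False):
    """Return the assurance levels a service should require, given its impact profile.

    Rules applied (this example's own simplification of SP 800-63-3 Section 6):
      1. the single worst-rated harm category sets the base level via LEVEL_FOR_IMPACT;
      2. a Moderate or High personal-safety impact raises the base level to 3;
      3. a service that exposes personal data gets an AAL floor of 2 (multi-factor authentication),
         the requirement SP 800-63-3 Section 6.2 states for such services;
      4. FAL is only meaningful when the service accepts federated logins.
    """
    unknown = set(impacts) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown harm categories: {sorted(unknown)}")

    worst = max(impacts.values(), default=Impact.NONE)
    level = LEVEL_FOR_IMPACT[worst]
    reasons = [f"worst-rated impact is {worst.name}"]

    if impacts.get("personal_safety", Impact.NONE) >= Impact.MODERATE:
        level = 3
        reasons.append("personal safety is at stake")

    ial = aal = level
    if makes_personal_data_available and aal < 2:
        aal = 2
        reasons.append("personal data is exposed, so multi-factor (AAL2) is the floor")

    fal = level if federated else 0
    return AssuranceLevels(ial, aal, fal, "; ".join(reasons))


# Constructed impact profiles for the article's two scenarios.
CAMPING_RESERVATION = {
    "inconvenience_distress_or_reputation": Impact.LOW,
    "financial_loss_or_liability": Impact.LOW,
}
MEDICARE_BENEFITS = {
    "financial_loss_or_liability": Impact.HIGH,
    "unauthorized_release_of_sensitive_information": Impact.HIGH,
    "civil_or_criminal_violations": Impact.MODERATE,
}


def assess_article_examples():
    """Run both scenarios; the Medicare service is assumed to expose personal data and accept federated logins."""
    return {
        "camping reservation": select_assurance_levels(CAMPING_RESERVATION),
        "Medicare benefits": select_assurance_levels(
            MEDICARE_BENEFITS, makes_personal_data_available=True, federated=True
        ),
    }


if __name__ == "__main__":
    for name, levels in assess_article_examples().items():
        print(f"{name}: IAL{levels.ial} / AAL{levels.aal} / FAL{levels.fal or '-'}  ({levels.rationale})")
```

Running the module prints IAL1/AAL1 for the camping reservation and IAL3/AAL3/FAL3 for the Medicare application, matching the article's two examples. The rationale string is carried along so that the assessment can be recorded with the decision, which is the part of digital identity risk management an auditor will ask for.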
While these improvements will help, I do not see the U.S. government permitting leading edge, frictionless authentication technologies like adaptive authentication, or facial and voice recognition in lieu of a CAC anytime soon. However, these technologies could be permitted by agencies for consumers to conduct business online in the future.