Advancing the National Strategy for Trusted Identities in Cyberspace: Government as Early Adopter
When I last discussed the need for better digital credentials in this blog, the President had just signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) to address two challenges that can affect economic growth online: (1) the insecurity and inconvenience of static passwords and (2) the cost of transactional risks that arise from the inability of individuals to prove their true identity online. The solution proposed by NSTIC is a user-centric “Identity Ecosystem” built on the foundation of private-sector identity providers.
Now the Administration has taken another key step towards realizing the vision of NSTIC. Our Federal Chief Information Officer (CIO), Steven VanRoekel, just issued a Memorandum for Chief Information Officers of Executive Departments and Agencies detailing requirements for accepting externally-issued digital credentials. Going forward, Executive Departments and Agencies must accept approved externally-issued credentials when they are upgrading or developing Level 1 websites (as defined by OMB Memorandum 04-04 and NIST SP 800-63) that allow members of the public and business partners to register or log on. In addition, websites requiring credentials with higher levels of assurance (Levels 2, 3 and 4) should also be enabled to accept approved externally-issued credentials where appropriate. In basic terms, this means that solutions from firms like Equifax, Google, PayPal, Symantec and Wave Systems – all of whom have had their credentialing solutions certified to meet Federal security and privacy requirements – can be trusted identity providers for certain types of Federal applications.
This memorandum marks a new day for Federal efficiency: a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has – a university-issued credential for example - across sites hosted by the Departments of Veterans Affairs, Education and Treasury. Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts. Moreover, by using accredited identity providers, Federal agencies see to it that Americans’ information is treated with privacy and security online.
Yet the Federal government’s role in facilitating the growth of the Identity Ecosystem is only half the story. To date, a handful of identity providers have undergone or are undergoing the Federal approval process. We are eager to see – particularly at the higher levels of credential assurance – a larger, vibrant pool of accredited identity providers to provide more choices for people and Federal agencies. The Federal government has developed a viable framework for using federated digital credentials, and with this memorandum, taken a significant step towards creating a more efficient government that can meet the needs of the American people in the 21st century. Now we look to the private sector to support our efforts and reap the collective benefits.