NSTIC Update (W1D)

From IIW

Session Topic: NSTIC Update (W1D)

Convener: Jeremy Grant

Notes-taker(s): Iana Bohmer

Tags for the session - technology discussed/ideas considered:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

IIW Update:

National Strategy for Trusted Identities in Cyberspace (NSTIC) Jeremy Grant

This session consisted of a presentation by Jeremy Grant and a Q&A period.

1. Overview of NSTIC. Focused on establishing a framework for trusted identities in cyberspace. Calls for the creation of an Identity System in accordance with the Guiding Principles established in the NSTIC Strategy.

2. NSTIC Governance Notice of Inquiry (NOI) Responses. The Department of Commerce received 57 responses to the NOI covering areas related to NSTIC governance: initiation of the governance group (Steering Group), governance structure, stakeholder representation and international participation.

  • Government position is that the Steering Group must be led by the private sector, not government.
  • Comment period was originally through the end of July, but was extended through August.
  • Responses ran the gamut from large companies to individuals.
  • One area in which the Government wanted input was as to whether an existing organization should be leveraged to serve as the Steering Group or whether a new organization should be established. The overwhelming response was that a new one should be created.
  • Another item around which questions arose was whether FACA would apply; however, the NSTIC National Program Office (NPO) has clarified that the Government is not requesting advice or recommendations from the private sector, but rather is looking to facilitate a public-private partnership in which the private sector takes the lead in developing the Identity Ecosystem Framework.
  • There were many recommendations regarding the structure of the Steering Group. Common themes were that the Steering Group should have a “light touch”; that it should seek to work with existing trust frameworks (rather than re-invent); and that the Smart Grid model should be leveraged to the extent possible.
  • Funding of the Steering Group was another issue on which respondents provided comments. In general, the consensus was that the Government should pay or at least partially subsidize the formation of the Steering Group.
  • There were numerous comments regarding advocacy of the individual. What was gratifying was that not only advocacy groups, but also respondents from large organizations insisted that the interests of the individual must be put front and center.
  • The necessity of allowing everyone to participate in the Steering Group also was a common theme – there were many recommendations regarding the use of technology tools to achieve this balance, e.g., virtual meetings, webcasts, etc.
  • Finally, with regard to international coordination, the consensus is that NSTIC/NIST needs to look beyond the US border and leverage international standards bodies – the Identity Ecosystem can’t be developed in a US-centered vacuum.

3. What are We Doing Next? The NSTIC NPO will be publishing a paper with recommendations and a draft charter within the next couple of months. The paper must go through the government vetting process, which takes time because it has to pass through multiple government parties.

  • What can be said at this point is that there are many consensus points from the NOI responses and the recommendations paper can be expected to be in line with those responses.
  • There were numerous comments regarding how NSTIC should use the Smart Grid model as a starting point because of its mission to establish standards for interoperability. Nonetheless, Smart Grid is dealing with interoperability standards for the electric grid with a limited number of stakeholder groups and a narrower topic. For identity, there are many more stakeholders with the individual at the center. Therefore, NSTIC can borrow some aspects of the Smart Grid model, in particular those aspects that serve to catalyze the formation of a public private partnership.
  • Much of the near-term activity of the NPO will depend on funding. Although the House did not include funding for NSTIC, the Senate agreed to $24 million. NSTIC expects to have the resources to move forward, but has to wait for the formal channels to work their way through.

4. OMB Memo of 10/6 on Externally Issued Credentials. Recently the Federal CIO, Steve VanRoekel, issued an OMB memo regarding government policy on externally-issued credentials. The memo basically says that any new government website has to give the public the option to log in with LOA 1-approved credentials. The government is also reviewing the acceptance of LOA 2-4 credentials, recognizing that government websites need to be able to accept these higher levels of assurance and thus align with FICAM. OMB has a strong control mechanism related to these policies because it approves the budgets of the agencies.

  • A key role for the Federal government will be to act as an early adopter. In a 10/14 White House blog post, Howard Schmidt says that NSTIC is helping to drive the concept of an individual having a single credential to access government areas and services.
  • WhiteHouse.gov will be the next site to accept externally-approved credentials – by the end of the year.
  • A problem in the private/commercial sector is that they have expended a lot of resources to comply with government identity standards and get certified and yet few agencies accept these credentials.
  • In the government agencies, the most interest lies with LOA 2 and 3 credentials, especially 3. Soon GSA is expected to have an approved LOA 3 service provider.

5. Inception of Pilots. Of the requested $24.5 million for the budget, $17.5 million is expected to be for funding pilots. The NPO has heard from numerous organizations with ideas for pilots.

6. Upcoming Events:

  • Dec. 8-9: meeting on Privacy-Enhancing Cryptography at NIST; already a high level of interest.
  • ID Trust: March 13-14, at NIST


Questions

1. 'What is the Government looking for in pilots?'

  • Government wants to know whether there are specific technologies that are partially done but need to be tested and that work with the NSTIC guiding principles: new and promising approaches.
  • Government is looking for cross-sector pilots that could demonstrate NSTIC – multiple credentials working with multiple relying parties.

2. 'Where does the Government see ID proofing taking place?'

  • NSTIC doesn’t prescribe business models. Although most models have ID proofing at the IDP, NSTIC is not averse to other models as long as they align with the NSTIC guiding principles.

3. 'Are pilots meant to serve as a test bed?'

  • Yes, but also to serve as a foundation within the Identity Ecosystem. The government will publish pilot criteria once funding becomes available.

4. 'What is the handful of killer applications for NSTIC at government agencies? Can you talk about them?'

Examples:

  • SSA – Because of the cost, SSA wants to stop mailing out yearly benefit statements, but it needs to have an online solution that is more secure than ID/passwords.
  • VA – Needs to provide benefits and access to health records and placement services but doesn’t have an effective and secure method of authentication.
  • IRS – Faces a number of challenges regarding what information can be provided online. It has experienced identity theft related to online tax filings.

5. 'Does NSTIC have influence for speeding up the FICAM trust framework process?'

  • In the immediate term, no, but in the long term, maybe. The Government recognizes that there has been a great deal of frustration in this area and is looking at options to address the process.

6. 'How can we be sure that “this time it is different” – that the government won’t come up with a new concept, companies will spend a lot of money to implement, and then the government won’t use the solution?'

  • This time we have the strong participation of the Executive Branch. Also, the Government has to be an early adopter and can’t “pull the football away” again. White House involvement will ensure consistent follow-through – it will bolster all the work that has been done by NIST, GSA and OMB over the last several years and put pressure on the agencies for adoption. In addition, the NPO will leverage NSTIC to encourage agencies to become early adopters.

7. 'How bi-partisan is the support for NSTIC? How about the election?'

  • Yes, there is bi-partisan support. Although the Chamber of Commerce and Administration don’t always see eye to eye, on the identity issue, they do. And, there is Congressional oversight over NSTIC. The NPO has briefed the oversight committees on numerous occasions.

8. 'How many IDPs are signed up/accredited from the private sector?'

  • There are 5 signed up and one in the queue to be accredited. The Government has seen a lot of support for the process from companies that have come to visit the NPO. The accreditation process will be an issue for the Steering Group to decide. NIST is statutorily bound to look at external standards that are developed rather than develop them in the Government.

9. 'Has there been any demonstrated interest in NSTIC on the part of Relying Parties?'

  • Yes, but not enough, and this is largely because of where we are right now: the Steering Group has not yet been established. The Chamber of Commerce has been asked to assist in reaching out to Relying Parties.

10. 'How will the Government address the asymmetry between IDPs and RPs, i.e., monetization in the private sector? What about liability allocation and rule-making for when things go wrong?'

  • All these issues will be addressed in the Steering Group. The NIST NPO will be issuing a recommended charter to catalyze the discussion.

11. 'Will Government involvement minimize the voluntary element in all this process?'

  • The voluntary aspect is embodied in the Guiding Principles, so no; the Government will always stress that participation is voluntary.

12. 'How is the Government going to convince the Relying Parties that there is a business case in their participation?'

  • There is a gap between the Government’s belief in the value proposition to the private sector – both IDPs and RPs – and what the private sector has actually seen, particularly when the agencies often don’t end up using these services. The community needs to develop a business model and economic plan so that it is made clear exactly what is expected of, and what can be expected by, those participating in this business. FICAM is an example: to date most private-sector participants have realized little profit on its implementation.

13. 'Has the Government established any policies on privacy for the Identity Ecosystem? Are the privacy issues on hold until governance/Steering Group is resolved?'

  • NIST held a workshop on privacy in Boston on June 27-28. Currently the NPO has limited resources and is working on foundational governance issues that need to be resolved before addressing privacy. There are 3 people on detail at the NPO who are looking at the privacy issue. The NPO intends to hire a chief privacy officer once funding becomes available.

14. 'What will the role of the Steering Group be vis-à-vis the Government’s role?'

  • The Government’s role will be to establish the Steering Group both with initial funding (pending funds availability) and assisting in its launch.

15. 'Is NIST going around FACA by calling this organization a steering group?'

  • No, the Steering Group will not be an advisory board to the Government.

16. 'Will the rules or guidelines that emerge from the Steering Group be preferable to existing laws?'

  • There are no real laws that exist in this area, particularly around privacy. Although the Government is not ruling out the need for new laws, the expectation is that a set of commonly agreed-to rules may alleviate the need to create new laws.