The National Strategy for Trusted Identities in Cyberspace (NSTIC, or Strategy) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of online transactions.
In the current online environment, individuals are asked to maintain dozens of different usernames and passwords, usually one for each website with which they interact. This approach is a burden to individuals, and it encourages behavior—like the reuse of passwords—that makes online fraud and identity theft easier. At the same time, businesses are faced with ever-increasing costs for managing customer accounts, the consequences of online fraud, and the loss of business that results from individuals’ unwillingness to create yet another account. Moreover, both businesses and governments are unable to offer many services online because they cannot effectively identify the individuals with whom they interact.
The NSTIC Vision:
Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
The realization of this vision is the user-centric “Identity Ecosystem,” an online environment where individuals and organizations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices.
The Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:
- Identity solutions will be privacy-enhancing and voluntary
- Identity solutions will be secure and resilient
- Identity solutions will be interoperable
- Identity solutions will be cost-effective and easy to use
The Strategy will only be a success—and the ideal of the Identity Ecosystem will only be fulfilled—if these Guiding Principles are achieved.
Components of the Identity Ecosystem
The Identity Ecosystem will consist of different online communities that use interoperable technology, processes, and policies. These will be developed over time—but always with a baseline of privacy, interoperability, and security.
The different components include:
- The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.
- A steering group will administer the development of policy, standards, and accreditation processes for the Identity Ecosystem Framework in accordance with the Guiding Principles in the Strategy. The steering group will also ensure that accreditation authorities validate participants’ adherence to the requirements of the Identity Ecosystem Framework.
- Trust frameworks are developed by a community whose members have similar goals and perspectives. A trust framework defines the rights and responsibilities of that community’s participants; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. A trust framework should address the level of risk associated with the transaction types of its participants; for example, for regulated industries, it could incorporate the requirements particular to that industry. Different trust frameworks can exist within the Identity Ecosystem, and communities of interest can tailor trust frameworks to meet their particular needs. In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.
- Accreditation authorities assess and validate identity providers, attribute providers, relying parties, and identity media, ensuring that they all adhere to an agreed-upon trust framework. Accreditation authorities can issue trustmarks to the participants that they validate.
- Trustmark schemes are the combination of criteria that is measured to determine service provider compliance with the Identity Ecosystem Framework. The Identity Ecosystem Framework provides a baseline set of standards and policies that apply to all of the participating trust frameworks. This baseline is more permissive at the lowest levels of assurance, to ensure that it does not serve as an undue barrier to entry, and more detailed at higher levels of assurance, to ensure that requirements are aligned with the risk any given transaction. The Identity Ecosystem Framework will not be developed overnight. It will take time for different participants to reach agreement on all of the policy and technical standards necessary to fulfill the NSTIC’s vision. Initially, an interim Identity Ecosystem Framework is likely to contain a fairly minimal set of commonly agreed upon standards and policies. The Identity Ecosystem Framework will become more robust over time as participants are able to come to agreement on different standards and policies.