No one ever claimed that implementing the NSTIC would be easy or that any one organization – private or public – could do it alone. This is why President Obama referred to the envisioned end state as the Identity "Ecosystem." Webster's calls an ecosystem "the complex of a community of organisms and its environment functioning as an ecological unit." And to all those out there already operating in some sort of identity ecosystem, the NSTIC National Program Office (NPO) recognizes that the ecosystem of a river bank is also part of the ecosystem of the forest, and all are part of the global ecosystem. We see the Identity Ecosystem as an ecosystem of ecosystems, and the Identity Ecosystem Framework as a description of how all those communities of "entities" function together to enhance online choice, efficiency, security, and privacy.
To successfully build an ecosystem, we need lots of different types of entities operating within their communities and we need to get them all to function together. With this in mind the NPO kick-started creation of the private sector-led Identity Ecosystem Steering Group (IDESG), worked to demonstrate the value of accepting third-party credentials in government by helping to establish the Federal Cloud Credential Exchange, and funded the first set of NSTIC pilots in 2012 to help catalyze a marketplace of identity solutions. Today, we're announcing five new pilot awards that will greatly advance us toward the complete Identity Ecosystem.
For starters, a successful Ecosystem requires credentials that are easy to use – the market has made clear that consumers will reject any solution that creates extra work. The Exponent pilot will show how credentials can be delivered in two different, highly convenient ways: through wearable devices and through securely embedding credentials in mobile devices. Pilot participants will be able to use these federated credentials at a variety of relying parties, including government and a leading social media site. Exponent promises to deliver credentials people have with them without thinking about it, a key to a successful Identity Ecosystem.
Once you've got a credential, you need to be able to use it in more places. The last thing anyone needs is to replace three dozen passwords with three dozen bracelets, one-time password tokens, plastic ID cards, etc. While technically feasible today, a lack of policies to enable interoperability has held back progress on this point. Building on an established and functioning trust framework deployed internationally throughout the defense and aerospace community, TSCP will pilot an approach to unearth and overcome policy impediments to cross-sector interoperability. Initially, the focus will be on allowing employees in the TSCP community to conduct transactions in the financial industry – but we think the pilot’s deliverables will be reusable across many sectors, enabling a rapid broadening of the ecosystem. The pilot will allow participants to reuse an employer-issued credential to manage personal finances without revealing any sensitive personal information back to their employer.
But we know credentials aren't everything. In fact, these days a lot of folks in the identity space focus less on identity and more on attributes. And for good reason: in so many online contexts, your name doesn't matter nearly as much as a few relevant items about you. With that in mind, we are excited about Troop ID’s pilot to support current and former military members and their families that want to express something about themselves (e.g., military affiliation) without having to share all the information that would come with, say, scanning a military ID and sending it across the ether. Relying parties – both government and private – will get reliable assertions of the attribute they need to know while members of our military community get the security, convenience and privacy they deserve.
The NPO also recognizes that the Identity Ecosystem must address the fact that some parts of the population will have special requirements in the ecosystem. Nowhere is this more evident than with children – where the Children’s Online Privacy Protection Act (COPPA) requires service providers to seek parental permission to allow children under 13 access to some online content. Privacy Vaults Online (PRIVO) will pilot a solution for parents and children to issue and support credentials that providers of children's content can trust to address the challenges of COPPA. By providing stronger credentials with higher confidence of parental permission, PRIVO can protect kids and enhance their ability to access content for both learning and entertainment, while making compliance with regulations easier and more effective.
Finally, the Georgia Tech Applied Research Institute (GTRI) has been awarded a pilot to develop a foundation for a trustmark marketplace, helping to standardize policies across trust frameworks and individual participants. Since it's hard to trust what you don't know, GTRI will deliver a solution that enables any person to more quickly understand the policies of any trustmarked entity. For individuals and interested organizations like consumer advocacy groups, it will be easier to understand what's behind a service provider's terms and conditions and privacy policies. It will also be easier for service providers and trust framework providers to know if policies align sufficiently to interoperate or interfederate. This approach promises to deliver a marked improvement in the efficiency and automation of making policy-based trust decisions.
Combined with the continuation of the five pilots we awarded last year – and two new pilots that we expect to award later this week focused on improving access to state government services – we will have a total of twelve active NSTIC pilots in the coming year.
To be clear, all these efforts combined don't equal the Identity Ecosystem called for in the National Strategy. But with increased momentum in the privately-led Identity Ecosystem Steering Group (IDESG), continued movement toward government acceptance of third-party credentials, increasing awareness among consumers about the perils of passwords, and these new pilots, the energy toward realizing the vision of the NSTIC has never been greater – and with it the likelihood of success.
There's much work left to do, but it's an exciting time in the online identity space and we hope you can feel the pieces coming together.
We invite you to join us at the upcoming IDESG Plenary, hosted at NIST in Gaithersburg, MD, on October 16-18, and to follow us for news and updates at @NSTICNPO and at our blog, NSTIC Notes. We look forward to your participation in a private sector led drive toward an online environment where individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.