Takeshi Okada of Japan’s METI (listening to translation), Jim Sheire of the NSTIC NPO, Colin Wallis of New Zealand, and Stephen Ufford of Trulioo discuss international identity programs at the Japan Identity and Cloud Summit, March 2013.
Since NSTIC’s release nearly two years ago, one of the most frequent questions we get is: just how seriously should we take the “N” in NSTIC? Stakeholders both in the U.S. and abroad have asked whether the fact that NSTIC is a “National” strategy somehow implies that the U.S. is trying to create an Identity Ecosystem that stops at our borders.
The “N” may cause some occasional confusion, but the answer is clear: the NSTIC recognizes that cyberspace is a global community, and that the Identity Ecosystem must be integrated internationally.
The NSTIC, by design, seeks to ensure that emerging identity solutions deployed by the NSTIC pilots, implemented in the Federal Cloud Credential Exchange (FCCX), and developed by the private sector-led Identity Ecosystem Steering Group (IDESG) take into account emerging international standards and approaches – and look to integrate to every extent practicable. An internationally coordinated architecture can maximize the benefit of the Identity Ecosystem to American individuals and organizations by creating new business opportunities and advancing U.S. goals in international trade, while also increasing trust when global Internet users interact with U.S.-based businesses and other entities and individuals online.
To help achieve this, the NPO continues to reach out internationally, especially in Europe and Asia. NPO outreach is intended to inform the global identity management community about the commonalities and differences between the NSTIC’s goals and objectives and other efforts across the world, and to recruit interested entities and individuals to join the IDESG. The NPO is also engaging foreign governments to provide updates on NSTIC implementation, especially on U.S. government identity initiatives such as the FCCX. This intergovernmental dialogue serves our common goal of moving government services to the cloud and improving the safety and security of transactions online.
In the course of this outreach, the NPO has noticed a number of common themes voiced by governments, businesses, organizations, and individuals in many parts of the world:
- Identity is key as governments move to the cloud. Governments globally are looking to move services to the cloud, to improve customer service while reducing costs – but they cannot take advantage of many cloud services without solving the identity conundrum. Like the U.S. FCCX, the UK Identity Assurance program seeks to enable a trust framework that will allow UK citizens to prove their identity online, leveraging private sector services.
- Digital by default. At the recent Japan Identity and Cloud Summit, Nat Sakimura, Chairman of the OpenID Foundation, noted that many governments are seeking to go "digital by default" by reducing paperwork and the need for in-person support, which will require strong identity management schemes. And by “digital,” Nat sees governments offering structured data useful to individuals in innovative new cloud applications and services, not just posting .pdf versions of existing print documents. Indeed, “digital by default” has become a key principle in the United Kingdom as they look to change the way the government does business with its citizens.
- The global marketplace. Businesses operating in multiple geographies strongly prefer harmonization in cloud identity architectures to ensure international interoperability and a seamless experience for their increasingly global customer base.
- Avoiding multiple certifications. Global businesses are especially concerned that governments may set up different, overlapping certification schemes, requiring multiple, costly, and time-consuming processes. The private sector is urging governments to explore potential cross-certifications of other countries’ schemes, useful for citizen-to-government, citizen-to-business, and business-to-business applications.
- Leverage international standards. Both governments and industry are looking to emerging international standards initiatives based on private sector innovation, such as OpenID and OAuth, to ensure maximum interoperability.
- Privacy is key. Enhancing privacy is a consistent theme globally, and governments especially agree that international identity architectures need to design in privacy from the start – not just in policy, but also in the technologies themselves.
As governments, businesses, and other entities deploy more solutions and services in the cloud, we expect many of these common themes to help shape the emerging identity ecosystem. The NSTIC NPO will continue international outreach to ensure that these emerging solutions will address the needs of U.S. entities and individuals while also benefiting those in the global Internet community that share the NSTIC vision and guiding principles. If you have recommendations for our international outreach, or would like a member of the NSTIC NPO to join you for inter-governmental dialogue or present at relevant conferences or other events, feel free to contact us at james.sheire [at] nist.gov.
In addition, the Identity Ecosystem Steering Group – particularly the IDESG’s International Coordination Committee – is an excellent forum where many of these issues are being discussed and advanced. Membership is free, and participation is supported virtually; indeed more than twenty countries are already represented. More details are at http://www.idecosystem.org/.