Putting the Fed in Federation (Part 3): A New Way to Buy Identity Services

Co-authored by: Dave McClure, Associate Administrator, Office of Citizen Services and Innovative Technologies, GSA; Jeremy Grant, Senior Executive Advisor, Identity Management, NIST; and Randy Miskanic, Vice President Secure Digital Solutions, USPS As part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), President Obama directed Federal agencies to be early adopters of the Identity Ecosystem – which NSTIC defines as “an online environment where individuals and organizations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”  Specifically, NSTIC calls upon agencies to: “… lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework.  By adopting Identity Ecosystem solutions as a service provider, the Federal government will raise individual’s expectations and thus drive individuals’ demand for interoperability in their transactions with the private sector and other levels of government.   As a subject, the Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.” In simple terms, this means that the Federal government should leverage the benefits of a privately-led Identity Ecosystem to offer better online services for citizens and businesses. To do this, we need: 1. A way for all agencies to leverage their purchasing power to buy standardized identity and authentication services that are interoperable across agencies. 2. A common infrastructure – the Federal Cloud Credential Exchange (FCCX) – that will allow agencies to integrate with these services with minimal effort. 3. A compelling business case that encourages the private sector to get their identity and authentication solutions approved for government use via the GSA Trust Framework Solutions program. We’ve made good progress in establishing the common infrastructure – the US Postal Service (USPS) awarded a contract last summer to stand up the FCCX.  GSA also recently updated its Trust Framework Solutions program.  Both of these actions will make it easier for government and industry to partner on identity solutions that are standardized, interoperable, and offer value to all parties. We still have work to do on establishing a way for agencies to buy standardized identity and authentication services.  While FCCX is the infrastructure to enable shared authentication services, we still have a hole in terms of standardizing credentials and how we buy them.  As a result, some agencies that have been moving forward with non-PKI solutions at levels of assurance (LOA) 2 and 3 have been doing so with solutions that do not interoperate with each other.  This is a problem for all of us as taxpayers and as citizens – we should not be asked to obtain and manage multiple credentials to do business with the government online.  As former White House Cybersecurity Coordinator Howard Schmidt noted in a blog post: “…a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has…Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts.” A government-wide acquisition strategy is vital to realizing this vision – because agencies can only benefit if they are able to leverage a wide pool of interoperable credentials, and because our private sector partners need a clear and consistent understanding of how government will pay for their services. GSA, NIST and USPS are working on an integrated strategy that creates an approach for government to purchase standardized identity solutions using a government-wide contract. The approach we will be pursuing is one that is fundamentally different from the way that the government has procured these kinds of services in the past.  Rather than pay for credentials we intend to pay for authentication and attribute validation services.  This is fundamentally different for two reasons: 1. It provides industry flexibility in pricing its service to include elements like identity proofing and token issuance. 2. It allows industry to be compensated for the authentication of – and attribute exchange involving – credentials that were not originally issued for government purposes.  So long as the credentials are approved for government use, credentials issued originally for commercial purposes could also be the source of additional revenues the first time the credential is used at a government site. This model shifts the government’s acquisition focus to what it needs:  services that provide authentication and attributes. Credentials are of course a necessary element of these services – but that fact alone does not mean the government should embrace a model where it pays for citizen credential issuance. Our strategy enables the NSTIC vision of a vibrant Identity Ecosystem where the same credentials can be used across the public and private sector. While this long-term strategy is being fleshed out, the GSA’s Federal Acquisition Service (FAS) earlier this month released a Request for Proposals (RFP) under its Alliant vehicle seeking a limited quantity of authentication services to support the first phase of the FCCX pilot. This RFP is intended solely to support authentications services at LOA 2 and 3 for the FCCX pilot.  It does not represent the government’s long term acquisition strategy for these services.  The next logical step – which we will pursue over the next year – is an acquisition vehicle that can support millions of authentication transactions for government services each year, and that will create a path for newly certified solutions to gain a spot on this acquisition vehicle.  As we seek to benefit from the broadest array of choices in the market, we need to let the marketplace know “if you are certified, you’ll be eligible to sell to us.” Our long term goal is to have a vibrant ecosystem where citizens can choose to use a credential they already have to access most government sites and services, as well as creating a compelling value proposition for identity providers to meet government requirements and provide identity services. Our offices are working through this strategy now and intend to develop it further over the next few months through collaboration both with government and industry. There is more to come, so stay tuned!