a NIST blog
At the NSTIC National Program Office (NPO), we have a three-prong plan for transforming the National Strategy for Trusted Identities in Cyberspace (NSTIC) from paper to reality.
Actually, you could say that the government’s early adoption of federated identity has been in progress for some time - predating the existence of the NPO. No matter the elegance and simplicity of federated identity as a concept, we all know that it has been much more complicated to put into practice. Some may view the Federal government’s attempts as failures, but we believe that it takes an iterative process to get a complex initiative right. We’ve learned many lessons over the years. Here are a few:
If it sounds like the problems that the Federal government faces are much like the ones in the private sector, you’d be correct. So how are we applying these lessons to get to a better outcome? A little over a year ago, several large agencies that have a pressing need to put services requiring LOA 2 or 3 credentials online gathered at the White House to discuss how to align with NSTIC policy and Federal Identity, Credential and Access Management (FICAM) requirements. As Howard Schmidt, the Cybersecurity Coordinator at the time, noted in a blog post:
“…a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has…Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts.”
Following the meeting, the agencies formed a Tiger Team, co-chaired by the NPO and the General Services Administration, to develop the design requirements for a Federal Cloud Credential Exchange (FCCX) that would meet the business needs of the agencies and simplify the technical integration process for accepting externally-issued digital credentials from LOA 1 through 4. A few weeks ago, the United States Postal Service - tagged to head up the technical implementation of a pilot - put out an RFP for a supplier to provide the FCCX solution. Already, the marketplace is responding as we see renewed interest among identity providers in becoming approved FICAM providers.

Even so, we’re not out of the woods yet. There are still challenges ahead, and undoubtedly more lessons to learn. We also recognize and appreciate the significant financial and resource investments that various private sector companies have made to date - often with little to show for it. The good news is that we’re making progress – supported by a base of agencies that are, at last, legitimately excited to embrace federation, and eager to leverage a cloud-based solution to make the task easier. Our partnership efforts may have taken longer to take root than we had hoped, but with FCCX as an enabler, we are poised to reap the rewards.