At the NSTIC National Program Office (NPO), we have a three-prong plan for transforming the National Strategy for Trusted Identities in Cyberspace (NSTIC) from paper to reality.
- Initiate a steering group of all stakeholders to govern the Identity Ecosystem. Check.
- Run pilots to test the implementation of the NSTIC Guiding Principles against working business models with real relying parties. Check.
- Facilitate the Federal government’s role as an early adopter of the Identity Ecosystem. In progress.
Actually, you could say that the government’s early adoption of federated identity has been in progress for some time - predating the existence of the NPO. No matter the elegance and simplicity of federated identity as a concept, we all know that it has been much more complicated to put into practice. Some may view the Federal government’s attempts as failures, but we believe that it takes an iterative process to get a complex initiative right.
We’ve learned many lessons over the years. Here are a few:
- Buy-in is critical - agencies have their missions and internal strategic plans that they need to meet. Notwithstanding the President’s signature, the right decision-makers need to understand how an initiative like NSTIC can support their objectives, not distract from them.
- Technical integration isn’t always easy – wait, wasn’t it supposed to be just one day’s worth of coding? We have seen drag in the process stemming from applications running on older versions of platforms that are no longer supported in turn-key commercial identity protocol modules, agency policies that require special coding tweaks, and so on.
- Federation has to provide significant value – even when a new system is patently better, it’s tricky to overcome the natural force of inertia unless there is a real business case that can be made. Add in a difficult technical implementation (see above), and paper policies aren’t going to get the job done.
If it sounds like the problems that the Federal government faces are much like the ones in the private sector, you’d be correct. So how are we applying these lessons to get to a better outcome?
A little over a year ago, several large agencies that have a pressing need to put services requiring LOA 2 or 3 credentials online gathered at the White House to discuss how to align with NSTIC policy and Federal Identity, Credential and Access Management (FICAM) requirements. As Howard Schmidt, the Cybersecurity Coordinator at the time, noted in a blog post
“…a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has…Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts.”
Following the meeting, the agencies formed a Tiger Team, co-chaired by the NPO and the General Services Administration, to develop the design requirements for a Federal Cloud Credential Exchange (FCCX) that would meet the business needs of the agencies and simplify the technical integration process for accepting externally-issued digital credentials from LOA 1 through 4. A few weeks ago, the Unites States Postal Service - tagged to head up the technical implementation of a pilot - put out an RFP
for a supplier to provide the FCCX solution. Already, the marketplace is responding as we see renewed interest among identity providers in becoming approved FICAM providers.
Even so, we’re not out of the woods yet. There are still challenges ahead, and undoubtedly more lessons to learn. We also recognize and appreciate the significant financial and resource investments that various private sector companies have made to date - often with little to show for it.
The good news is that we’re making progress – supported by a base of agencies that are, at last, legitimately excited to embrace federation, and eager to leverage a cloud-based solution to make the task easier. Our partnership efforts may have taken longer to take root than we had hoped, but with FCCX as an enabler, we are poised to reap the rewards.