A Retrospective Look: Eating our own dog food with dogged determination

It can be hard to serve as an early adopter of new technology. It usually means having very few (or no) examples to demonstrate what to do…and what not to do. Being the guinea pig is no easy feat, but we at the NSTIC NPO are embracing the challenge since we believe this is vital to facilitating the commercial adoption of identity solutions. After all, the NSTIC was clear that building a healthy identity ecosystem would require government to eat its own dog food. An example of the federal government working as an early adopter is the partnership with the NSTIC NPO, the General Services Administration (GSA), and the U.S. Postal Service (USPS). We worked closely together to develop an “easy usa-button” for agencies to provide an NSTIC-aligned way to improve services to constituents. Enter Connect.Gov (previously known as the Federal Cloud Credentialing Exchange, or FCCX). Connect.Gov creates a secure, privacy-enhancing service that allows individuals to use a digital credential they may already have—and that they can ideally use online at non-government sites—to connect to online government services and applications. Connect.gov allows an individual to access multiple agency websites and online services by signing in with an approved third-party sign-in partner. In a blog from 2013, Naomi Lefkovitz explained the challenges faced by the government as an early adopter of federated identity: No matter the elegance and simplicity of federated identity as a concept, we all know that it has been much more complicated to put into practice. Some may view the federal government’s attempts as failures, but we believe that it takes an iterative process to get a complex initiative right. Time has passed since that first blog—and we continue to get closer to completing this complex initiative. For example, we are learning about how to address the issue of liability by setting liability limits as part of the credential service provider contract. Figuring out if we have the model right will take time and require tweaking, but the result will be impactful. We also have learned that simple and scalable relying party (RP) integration continues to be a challenge; we need to make standardized tools available to RPs. We still face many challenges, but overcoming them will make our successes even sweeter. Along the way, the program can be proud that it has already:

1. Built a platform with innovative architectural design that preserves individuals’ privacy through collaboration with USPS, agency relying parties and technology providers;
2. Integrated two certified credential service providers at level of assurance (LOA) 2 and 3 and three more at LOA1; and
3. Entered soft-launch production with our first agency applications and have several additional production implementations on track by the end of the year.

As Connect.Gov continues to progress by on-boarding more agencies and enhancing its capabilities, the benefits to both the user and agencies will increase. Additionally, our team of GSA, NIST, and USPS already has an eye toward the future. We currently have a testable protocol for encrypted attributes in an effort to explore additional privacy-preserving hub architectures and have an RFI out as part of a collaborative process with industry to develop appropriate business models for federated identity services. We have a lot to look forward to and a lot to be proud of. We are excited to see how this capability will enable stronger online transactions for users in an easy-to-use and privacy-preserving way. To learn more about how Connect.Gov simplifies access, protects privacy, and provides choice, please click here. Follow the NSTIC NPO on Twitter for the latest updates.