National Strategy for Trusted Identities in Cyberspace

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a US government initiative announced in April 2011 to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the private sector, advocacy groups, government agencies, and other organizations. [1]

The strategy imagined an online environment where individuals and organizations can trust each other because they identify and authenticate their digital identities and the digital identities of organizations and devices. [2] It was promoted to offer, but not mandate, stronger identification and authentication while protecting privacy by limiting the amount of information that individuals must disclose. [3]

Description

The strategy was developed with input from private sector lobbyists, including organizations representing 18 business groups, 70 nonprofit and federal advisory groups, and comments and dialogue from the public.

The strategy had four guiding principles: [4]

  1. privacy-enhancing and voluntary
  2. secure and resilient
  3. interoperable
  4. cost-effective and easy to use.

The NSTIC described its vision as an ecosystem in which individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online. In such an ecosystem, technologies, policies, and agreed-upon standards would securely support transactions ranging from anonymous to fully authenticated and from low to high value. Implementation included three initiatives:

NSTIC was announced during the Presidency of Barack Obama near the end of his first term on April 15, 2011. [1] A magazine article said individuals might validate their identities securely for sensitive transactions (such as banking or viewing health records) and let them stay anonymous when they are not (such as blogging or surfing the Web). [8]

In January 2011, the U.S. Department of Commerce had established a National Program Office (NPO), led by the National Institute of Standards and Technology, to help implement NSTIC. [9] To coordinate the implementation activities of federal agencies, the NPO worked with the White House Cybersecurity Coordinator, originally Howard Schmidt [3] and, after 2012, Michael Daniel. [10]

Steering group

The NSTIC called for a steering group led by the private sector to administer the development and adoption of its framework. This Identity Ecosystem Steering Group (IDESG) held a meeting in Chicago on August 15–16, 2012. [11] The meeting brought together 195 members in person and 315 members remotely. Additional plenary meetings were held in Phoenix, Arizona, [12] Santa Clara, California, [13] and Boston, Massachusetts. Under a grant running from 2012 through 2014, Trusted Federal Systems, Inc. was the group's administrative body. [14]

Pilots

The federal government initiated and supported pilot programs. In 2012, NSTIC awarded $9 million to pilot projects in the first year. For example, the American Association of Motor Vehicle Administrators was developing a demonstration, with the Virginia state government, of commercial identity-provider credentials, including securely verifying identities online with the Virginia Department of Motor Vehicles. [15] Internet2 received about $1.8 million for research. [15] ID.me was given a two-year grant in 2013. [16]

Further work funded by NIST is listed on its Trusted Identities Group web page. [17]

Federal Cloud Credential Exchange

The NSTIC called for U.S. federal government agencies to be early adopters of the Identity Ecosystem envisioned in NSTIC. [7] Agencies struggled to implement it for services they provide internally and externally. Technical, policy and cost barriers made it challenging to accept third-party credential providers accredited by the Federal Identity, Credential, and Access Management (FICAM) initiative. [18]

In response, the White House created a Federal Cloud Credential Exchange (FCCX) team, co-chaired by NSTIC and the General Services Administration. The team consisted of representatives from agencies whose applications are accessed by a large population of external customers. In November 2012, the United States Postal Service was chosen to manage a pilot version of the FCCX, and awarded the contract to build it to SecureKey Technologies, a member of FIDO Alliance. That contract was renewed in May 2015. [19] [20]

Connect.gov

Connect.gov, the manifestation of this pilot, was launched in December 2014. The first two companies to provide individual US citizens with identity management services compatible with Connect.gov were ID.me and Verizon. [21] Ping Identity and ForgeRock were the first software platforms to provide FICAM-compliant credentials and to enable private sector organizations to connect securely to government agencies, a primary objective of this project. [22] [23]

Login.gov

On May 10, 2016, 18F announced in a blog entry that Connect.gov would be replaced. [24] [25] The replacement system would be called Login.gov, [26] and launched in April 2017. [27]

Identity Ecosystem Steering Group

The Identity Ecosystem Steering Group (IDESG) received start-up funding from NIST in 2010 and has since created a series of documents that are available on its website. [28] In 2016, it introduced the Identity Ecosystem Framework (IDEF) Registry [29] for self-assessment.

Criticism

The proposal has generated criticism since it was released in draft form in June 2010. [3] [30] Much of it centered on the privacy implications of the proposal.

Shortly after the draft's release, the Electronic Privacy Information Center (EPIC), together with other consumer-rights and civil liberties organizations, sent the committee a statement in response to the draft NSTIC policy, requesting a clearer and more complete plan to create and safeguard Internet users' rights and privacy. [31] While EPIC head Marc Rotenberg called NSTIC "historic," he also cautioned that "...online identity is a complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real. The US will need to do more to protect online privacy." [32]

NSTIC addressed some early privacy concerns through its 2013 fair information practice principles document. [33] Subsequent initiatives sought to advance privacy. For example, the American Civil Liberties Union and the Electronic Frontier Foundation were involved in a privacy committee in the IDESG.

References

  1. "Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace". Press release. Office of the White House. April 15, 2011. Retrieved November 9, 2013.
  2. "National Strategy for Trusted Identities in Cyberspace" (PDF). April 14, 2011. Retrieved September 9, 2017.
  3. Howard A. Schmidt (June 25, 2010). "The National Strategy for Trusted Identities in Cyberspace". whitehouse.gov. Retrieved September 5, 2023, via National Archives.
  4. "Adherence to the NSTIC Guiding Principles | Identity Ecosystem Steering Group". Archived from the original on 2013-08-15. Retrieved 2013-08-16.
  5. "Identity Ecosystem Framework | Identity Ecosystem Steering Group". Archived from the original on 2013-06-29. Retrieved 2013-08-16.
  6. Boeckl, Kaitlin (April 29, 2016). "Pilot projects & partners". nist.gov. Archived from the original on 2016-07-07.
  7. "Putting the Fed in Federation: The U.S. Government as Early Adopter of the Identity Ecosystem". I Think, Therefore IAM.
  8. Mat Honan (November 15, 2012). "Kill the Password: Why a String of Characters Can't Protect Us Anymore". Wired Gadget Lab. Retrieved November 9, 2013.
  9. "National Program Office Planned for Online Trusted Identity Strategy". Press release. NIST. January 19, 2011. Retrieved November 10, 2013.
  10. "Michael Daniel: Special Assistant to the President and Cybersecurity Coordinator". whitehouse.gov. Retrieved November 9, 2013, via National Archives.
  11. "Identity Ecosystem Steering Group | Created to administer the development of policy, standards, and accreditation processes for the Identity Ecosystem Framework". Archived from the original on 2013-11-09. Retrieved 2013-08-16.
  12. "February 2013 Plenary | Identity Ecosystem Steering Group". Archived from the original on 2013-08-10. Retrieved 2013-08-16.
  13. "May 2013 Plenary | Identity Ecosystem Steering Group". Archived from the original on 2013-08-08. Retrieved 2013-08-16.
  14. "NSTIC Welcomes Trusted Federal Systems as Secretariat of the Identity Ecosystem Steering Group". NSTIC blog. July 12, 2012. Retrieved November 9, 2013.
  15. "Five Pilot Projects Receive Grants to Promote Online Security and Privacy". Press release. NIST. September 20, 2012. Retrieved November 10, 2013.
  16. "NSTIC, ID.me, Inc". www.nist.gov. National Institute of Standards and Technology. Retrieved February 21, 2015.
  17. "Trusted Identities Group". NIST.
  18. "FICAM Roadmap and Implementation Guidance | IDManagement.gov". Archived from the original on 2013-08-19. Retrieved 2013-08-16.
  19. "SecureKey Technologies Wins Contract with U.S. Postal Service to Implement Federal Cloud Credential Exchange". SecureKey.
  20. Fontana, John. "Connect.Gov solidifies, expands ID credential plan for federal agencies". ZDNet.
  21. "Connect.gov is latest attempt to get buy-in to online ID management". December 22, 2014.
  22. Fontana, John (April 30, 2015). "Connect.Gov solidifies, expands ID credential plan for federal agencies". ZDNet. Retrieved May 6, 2015.
  23. Miller, Jason (December 22, 2014). "Connect.gov is latest attempt to get buy-in to online ID management". Federal News Radio. Retrieved May 6, 2015.
  24. "18F: Digital service delivery | Building a modern shared authentication platform". Retrieved 2017-07-02.
  25. "Feds scrap Connect.Gov". SecureIDNews. Retrieved 2017-07-02.
  26. "Login.Gov replacing Connect.Gov". SecureIDNews. Retrieved 2017-07-02.
  27. "18F: Digital service delivery | Government launches login.gov to simplify access to public services". 18f.gsa.gov. Retrieved 2018-02-16.
  28. "The Identity Ecosystem Steering Group".
  29. "Identity Ecosystem Framework (IDEF) Registry".
  30. Lance Whitney (June 28, 2010). "White House drafting plan for cyberspace safety". CNet News. Retrieved November 9, 2013.
  31. Lillie Coney; et al. (September 23, 2010). "Statement on the National Strategy for Trusted Identities in Cybersecurity Creating Options for Enhanced Online Security and Privacy" (PDF). Privacy International and Electronic Privacy Information Center. Retrieved November 9, 2013.
  32. Electronic Privacy Information Center. "EPIC - National Strategy for Trusted Identities in Cyberspace (NSTIC)". epic.org.
  33. "Appendix A – Fair Information Practice Principles" (PDF). NSTIC. April 4, 2013.