By Paul Laurent on Jun 03, 2011
From 50k Feet – NSTIC is an outgrowth of the 2009 Cyberspace Policy Review[iv] and an open invite to organizations (both public and private) to play in a new identity ecosystem: one that halts the tidal wave of stockpiling a separate identity for every online use, dramatically strengthens the authentication of individuals and devices, and offers substantial benefits in terms of privacy, civil liberties, and choice of credentials. It undoes the damage done to online trust when passwords were overwhelmed as a useful security tool, and it frees service providers from administering identities, credentials, and passwords so they can instead develop innovative new services and delivery models. To quote Commerce Secretary Locke, NSTIC will place “a floor on identities without a ceiling on innovation.”[v]
What’s in a Strategy? – At this point NSTIC is more about intent than specifics (hence the need for governance workshops), but depending on which sector you park your car in, there are some general prescriptions:
Federal – The Feds have been chipping away at the identity crisis for well over a decade now (largely in response to the requirements of the Government Paperwork Elimination Act of 1998[vi] and OMB Circular A-130[vii]), and over time they have made some significant strides in both technology and procedural standards (I call out a highlight reel of those efforts in the opening paragraph of this entry about ICAM initiatives). So when the Feds address their end of building the identity ecosystem, they acknowledge they have “unique capabilities” in this area and will “continue to lead by example”[viii] in building out their existing trust frameworks. Additionally, they will promote and pilot programs for interoperable identities.[ix]
State, Local, Tribal Government (S&L) – NSTIC has two simple pieces of advice for S&L: 1) First off…you know that FICAM thing we, the Feds, have been using as our key trust model in this space? You should probably do your best to adopt as much of it as you possibly can.[x] 2) Start thinking about high-value and innovative ways to participate as an identity and attribute provider in the Identity Ecosystem.[xi]

The latter is a HUGE point to digest. In its current form, NSTIC presents its biggest challenges and opportunities for S&L government. If you’re wondering why, it has a lot to do with the identity proofing and attribute verification components NSTIC will require in order to bake those extra layers of assurance into identities and credentials. This point was made at the NSTIC release by PayPal’s Andrew Nash: “State government is really the root of how we know anything about who you are.”[xii]

Think about the familiar use case of a U.S. passport: for most of us born in the States, the proof of citizenship and primary identification we submit is usually an S&L-issued birth certificate and a driver’s license. There are other forms of Federal identification that can be used, but those Federal forms of ID were often only issued after a similar identity proofing exercise that itself relied on State-based verification. The reality is that the true clearinghouses of human identity in the US can be found in the DMVs, Health and Human Services departments, Departments of Education, and other identity heavyweights across these 50 states.
Private Sector – There’s genius in NSTIC’s advice to the private sector (my paraphrasing): “Do that thing you do.” The strategy envisions a private sector that will find the economic opportunities in this ecosystem and then innovate, improve, and streamline in ways that haven’t been conceived yet. Some private vendors and actors will succeed and others will fail…so long as there’s interoperability, choice, and preservation of privacy and civil liberties, the public sector will honor entries into the ecosystem. NSTIC can be looked at as a “call to arms” or a “ringing of the dinner bell” (depending on your perspective and the caliber of your NSTIC mousetrap) for the private sector to contribute identity, credential, and service offerings that take full advantage of this ecosystem in new, secure, and lucrative ways.
Net-net – As mentioned earlier, this current iteration of NSTIC is mostly about intent, but some specifics are already called out (FICAM, NIST SP 800-63, GFIPM, and FIPPs).[xiii] How the governance and standards will be woven into the fabric of the Identity Ecosystem Framework gets a fresh look this coming week. Stay tuned.
[v] From the Secretary’s comments at the NSTIC release, April 15, 2011
[vii] A-130 has gone through a number of revisions (the most recent administration’s revision is found here), but it was the 1996 changes to Appendix III that helped precipitate some of the Federal changes NSTIC draws upon.
[viii] Objective 2.3, page 32 of the NSTIC document.
[ix] Objective 2.4, page 33 of the NSTIC document.
[x] Page 39 of the NSTIC document.
[xi] Objective 2.2, page 32 of the NSTIC document.
[xii] This quote taken from my handwritten notes…my apologies if I didn’t capture it verbatim, but in the worst case it is a close paraphrase.
[xiii] Appendix A of the NSTIC document.