SICAM: Policy Drivers & Public Sector Landscape
By Paul Laurent on Nov 01, 2010
What accounts for all the sudden traction behind crafting a State Identity Credential Access Management (SICAM) framework in the State & Local (S&L) space? After all, this idea first put down its Public Sector roots over a half-decade ago in the Federal space. Through a series of standards and initiatives, the Feds now have a stable and growing infrastructure for identity verification, data sharing, and interoperability. But as the Federal space was making inroads in Federal PKI, Common Access Cards, Personal Identity Verification (PIV-I), and the Federal Bridge Certificate Authority, the S&L space didn't jump in head-first. Now there's some significant State interest. What gives?
It's a sea-change in requirements. Historically, systems, identities, permissions, & data served the core agency or department missions...missions that usually stop at the four walls and the "keep the lights on" charter of each department. When sharing was necessary, departments often worked out ad hoc handoffs and agreements that were seldom geared for reuse. Result? Identities and credentials had department-specific meaning and usefulness. Now, it comes as no surprise that the most common obstacle raised when States and their constituent departments discuss standing up robust citizen services is bridging the resulting departmental silos.
What's changed in S&L requirements and how does a SICAM framework fit in? Increasingly, States are finding themselves "on the hook" for answering their portion of nation-wide requirements. The S&L space is seeing pressure from both ends of "the carrot & the stick." The carrot is conditional funding and competitive grants. Take, for example, the Department of Education's State Longitudinal Data Systems (SLDS) program. Originally funded in 2005 with a requirements reworking as part of 2009's American Recovery and Reinvestment Act (ARRA), SLDS aims to build a view into the long-term effects of individual schools, teachers, educational programs, and community initiatives on positive outcomes with children from pre-school through higher education. To support this analytical view, the SLDS program now specifically requires collaboration and information from S&L entities like Health and Human Services (HHS), Department of Education, Local Educational Agencies, Corrections, Departments of Labor and Employment, and Higher Education. Old departmental requirements and silos weren't architected to support this mission or level of sharing. To compete for the funding means a new approach to data sharing and interoperability.
How about a good example of both carrot and stick? Just about anything related to the HHS field from the ARRA fits the bill. Receiving over $18.8B in funding from the ARRA, HHS used a good portion of its funding resources (i.e. carrots) to push interoperable initiatives with an eye toward supporting Electronic Health Records (EHR) for all Americans by 2014. We continue to get details about what's required in meeting that 2014 date: buzzwords like "Health Information Exchanges" and "Nationwide Health Information Organizations" are starting to creep into our requirements, use cases and architecture diagrams. But HHS brandishes a big stick too. As part of the Health Information Technology (HIT) changes of the ARRA, the scope of entities that have to comply with the wide range of privacy and security controls around health data was massively expanded; we're talking a huge chunk of entities that manage HIPAA data. And the civil and criminal penalties for failure to comply have been blown through the roof (from $100/day with a yearly maximum of $25,000 for individual control violations to $50,000/violation and up to $1.5M annually). It's not just the promise of Federal funding on this front, but strict compliance mandates in place that have S&L looking to adapt.
Carrots & sticks aside for a moment, the mission critical requirement of S&L business, extending valuable services to citizens & businesses, has grown as well. States are connecting those previously stand-alone departments and systems to find new ways to capture revenue, speed state processes and services delivery, and run more effective operations. So when our customers and clients describe the sting of those previously mentioned "silos" and a lack of interoperability, it's because they're already well down the path of standing up a "citizen portal", rolling out "e-licensing", or trying to put people "online instead of standing in line" as part of their core business.
Whether requirements are for grants, compliance, or keeping individuals and businesses happy on the S&L level, having a workable model for federated trust and sharing is foundational for the states: foundational for national efforts like Electronic Health Records, for State participation in initiatives like SLDS, and within the State for bridging new requirements in proactive services. If the only requirements were to play nicely in the national initiatives, the Federal version of Identity Credential Access Management (FICAM) would be the way to go. It's a combination of IT capability, funding, and staffing issues that have S&L cutting a different path toward SICAM instead. SICAM walks a middle ground between siloed systems and the FICAM end state. SICAM discussions ask the S&L questions:
- What does statewide identity management look like for us? What about federation?
- How does the State "see" citizens and individuals from department to department? Can we achieve one view (a State or SICAM view) of our constituents and businesses?
- How do I know Jane Doe is the same Jane Doe from organization to organization and system to system?
- Are there advantages/efficiencies in "Identity as a Service" for us?
- What's the best way to manage our relationship with individuals and businesses?

In our next installment, we'll start to expand on successful approaches and smart initiatives to answer these challenges.