OMB eyes central authentication plan

GSA details assurance levels

Level 1: Little or no assurance is needed about the identity of the user, such as a citizen logging on to a customized Web page.

Level 2: It is highly probable that the user's identity is accurate, such as a federal employee taking courses through an online education site.

Level 3: There is a high degree of confidence that the user is authentic, such as a lawyer who provides patent data to the Patent and Trademark Office.

Level 4: It is absolutely necessary that the user's identity is accurate, such as a law enforcement official accessing a federal database of criminal records.

GSA's G. Martin Wagner says agencies should adopt a governmentwide PKI approach. (Photo: Henrik G. de Gyor)

The Office of Management and Budget last week acted to stem agencies' inconsistent investments in and implementations of authentication technologies.

OMB issued a memo asking agencies to freeze projects if possible while the administration settles on a governmentwide approach.

'We must have a common way to think about these technologies if you are going to have cross-government authentication,' an OMB official said. 'All of this is new ground for us. Agencies in the past determined their own authentication approach, and we are trying to be more consistent in determining that.'

With more than 12 agencies issuing task orders through the General Services Administration's Access Certificates for Electronic Services program, the Defense Department handing out more than 2.5 million smart cards and other agencies running authentication pilots, OMB said a cross-agency approach would save agencies money and promote interoperability.

GSA has followed OMB's lead by releasing a draft policy outlining four assurance levels for electronic authentication.

'This policy will drive investment decisions in technologies for all agencies,' said Karen Evans, Energy Department CIO and vice chairwoman of the CIO Council. 'This is important for the E-Authentication e-government project because project managers can overlay the policy to their projects and craft longer-term solutions.'

For consistency, Mark Forman, OMB's administrator for e-government and IT, has instructed CIOs to refrain 'to the maximum extent possible' from buying authentication or identity management technologies without first getting an OK from the E-Authentication team or the new Federal Identity and Credentialing Committee.

OMB recently created the committee to develop policies for credentialing federal employees. Led by Judith Spencer, chairwoman of the Federal Public-Key Infrastructure Steering Committee, the group is made up of IT security, physical security and human resources officials from across government.

OMB's limitation on buys will force agencies to decide how quickly they need to fill short-term authentication needs, said G. Martin Wagner, GSA's associate administrator for governmentwide policy.

Agencies 'are going to look at decisions they are on the edge of making and try to trade off on the immediate problem they have to solve versus a joint solution' that will come later, Wagner said.

In its draft policy guidance on electronic authentication, GSA asked agencies to perform risk assessments for the 25 Quicksilver e-government projects by Oct. 1 and all major systems by Sept. 15, 2004, to determine which assurance levels they will need to apply.

GSA said most of the Quicksilver teams have finished their risk assessments and determined the level of assurance they need.

'The intent of the policy is first to give federal employees credentials,' Evans said. 'We then can drive technology solutions that will service federal employees because we set up a system to accommodate the level of authentication needed within and between departments.'

Forman said agencies will use PKI or PKI with biometric technology, depending on the level of authentication required.

Bulk savings

The reason agencies should try to consolidate their authentication efforts, Forman said, is that the government expects to spend more than $160 million this year and next on authentication and identity technologies. By combining agencies' efforts, the government can reduce its expenditures and drive down the price it will have to pay for these technologies and services.

Plus, inconsistent approaches are hindering agencies' ability to meet the mandate of the Government Paperwork Elimination Act, which calls for automating most government transactions by October, he added.

OMB has asked agencies to comment on the draft authentication policy and on guidance being created by the National Institute of Standards and Technology.

The NIST directive will outline the technologies that match the assurance levels. The document is set for release by Oct. 1 and will detail the characteristics of each assurance level and appropriate accompanying security controls.

By year's end, OMB plans to select providers to offer credentials and PKI services. Once they are chosen, agencies will need to develop migration strategies for moving to the governmentwide options, Forman said.

'Security and authentication are hard,' Wagner said. 'It takes expertise. Agencies doing it on their own is a lot harder than plugging in to something that is vetted and supported.'
