GSA readies pilot to test new E-Authentication approach
- By Jason Miller
- Jan 09, 2004
The General Services Administration's E-Authentication project team will test a new decentralized approach in pilots slated to begin this month and last through March.
Three agencies would take part in the first pilot, which will validate the architecture for use of personal identification number and password authentication only, an Office of Management and Budget official said.
'The results of the pilot programs will give us the final architecture,' the official said. 'We also plan on demonstrating higher-level authentication technologies like digital certificates in future pilots.'
Drew Ladner, chairman of the project's executive steering committee, said in a recent memo to federal CIOs that the final architecture would be in place by June.
OMB and GSA in October decided to move away from a centralized approach after deciding a single gateway was not a realistic option.
GSA has developed an interim architecture plan outlining how the new approach will work. E-Authentication will now have a federated architecture that uses credentials from multiple domains and applies common certifications, guidelines, standards and policies, the architecture document said.
In addition to the interim architecture, OMB director Joshua B. Bolten last month issued final guidance detailing the four assurance levels for E-Authentication.
By the end of this month, the National Institute of Standards and Technology will release technical guidance to identify technologies that can be implemented governmentwide and promote interoperability, said Bill Burr, manager of security technology in NIST's Computer Security Division.
'We are trying to set standards for the technical protocol provisions of each of the four e-authentication levels and perform identity proofing for each level,' he said. 'This is a lot of unplowed territory. We have to try to be as nonspecific as we can, but it makes life a lot harder.'
OMB's guidance comes five months after GSA issued interim regulations that asked agencies to conduct risk assessments and apply one of four assurance levels to all e-government and transaction systems.
One of the major changes in the final policy is that OMB puts the onus on agencies' business owners'such as program managers'instead of technology managers.
Stephen Holden, an assistant professor in the Information Systems Department at the University of Maryland-Baltimore County, applauded the change.
'The draft policy from the fall, I felt, undermined OMB's message that this is about business transformation because it focused too much on technology,' said Holden, whose research is focused on e-government. 'The new version does a much better job of clarifying the role of the business owner. The policy has moved quite a bit from the draft.'