Agencies could get a cloud hub for trusted identities
The president’s National Strategy for Trusted Identities in Cyberspace calls for the private sector to take the lead in developing a secure identity ecosystem to support the growing demand for online transactions.
“The most important thing government can do is be an early adopter of third-party identity solutions,” said Jeremy Grant, head of the NSTIC National Program Office. To date, progress in this area has been slow, however. “Agencies have not been rushing to embrace these solutions.”
In an effort to jumpstart the process, the administration is exploring opportunities for using commercial cloud services to authenticate third-party credentials of users accessing government websites, Grant said. “We would like to get a cloud hub to manage multiple identity solutions for multiple agencies.” The hub would become the Federal Cloud Credential Exchange (FCCX).
Benefits of the scheme could include an expanded market for commercial identity tools, enabling more government services to be provided online rather than in person or by paper-based mail, and allowing government to stay out of the business of providing and authenticating credentials for citizens.
“Agencies can’t afford to be issuing the credentials on their own,” Grant said. If a scheme for trusted third-party credentials across agencies matures, agencies could safely and efficiently move more applications and transactions online.
The White House convened what it called the FCCX Tiger Team in April, bringing together agency representatives to identify requirements for a federated identity system that could be hosted by a cloud service provider. The team is chaired by Deb Gallagher of the General Services Administration and Naomi Lefkovitz of the National Institute of Standards and Technology.
“In simple terms, the federal government is interested in leveraging one or more commercially available cloud service providers to streamline the burden agencies face in trusting and integrating with FICAM-approved credentials,” Gallagher and Lefkovitz wrote.
FICAM is the Federal Identity, Credential and Access Management Roadmap.
FCCX is an outgrowth of an October 2011 memo from Federal CIO Steven VanRoekel requiring agencies to “begin leveraging externally-issued credentials, in addition to continuing to offer federally-issued credentials.”
The memo cites pilot programs that have demonstrated the feasibility of the idea, including the National Institutes of Health’s PubMed site launched in 2010 using third-party credentials for access. The site had more than 72,000 users by late 2011 and NIH estimated that it would save nearly $3 million by 2015.
The FCCX Tiger Team has solicited input from vendors on implementing a cloud-based system that would enable a minimal level of identity assurance while protecting user privacy. There is yet no timeline for soliciting or awarding a contract for the exchange.