Three years in, NSTIC lessons emerging
In the past three years the U.S. government has spent more than $20 million on 14 unique pilots to foster a secure, online identity ecosystem. To evaluate if taxpayers have gotten value for the investments, re:ID asked each pilot recipient what they have accomplished and what lessons have been learned.
The goal of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is to encourage private companies to create secure, privacy enhancing, interoperable digital identities for consumers. As we enter the fourth year of pilots and investments, it is clear that advances have been made. But does the learning warrant the dollars? “We have made a lot of progress, but no one would claim that digital identity has been solved in four years,” says Mike Garcia, acting director for the NSTIC National Program Office. “But NSTIC has been a catalyst and we’ve seen changes in the marketplace.”
Some of these changes include five new trust frameworks crossing six markets, 2.3 million participants and 125 partnering organizations, Garcia says.
An example of the successes is UCAID where NSTIC funded a pilot of multi-factor authentication on three college campuses. The project has expanded to 140 campuses as the universities have joined to increase online security for staff and students across the country.
“This is the essence of the program,” Garcia says. “We can’t give out credentials to 300 million people, we want to make the market move on its own.”
While the UCAID pilot looked at higher education, the American Association of Motor Vehicle Administrator (AAMVA) project looked at health care. “It took authoritative records from the Virginia DMV and a common social media credential and bound them together to raise the level of trust,” Gracia explains. Pilot participants can now use these credentials to access health care records and resources.
These are just two examples of the 14 pilots. The next round of pilots will be announced in September and will look a little different than previous pilots, Garcia suggests. “Over the last three years we took a broad approach,” he explains. “This time we’re asking people to tell us some of the crazy things you can solve with digital identity and how you can solve targeted use cases and impediments.”
While some of the pilots have made strides and broken ground on digital identity they can’t all be winners. One NSTIC pilot awarded in the second year – Exponent was the prime contractor – fell through due to a change in leadership at one of the companies.
The GSMA was awarded $822,000 a year ago to pilot an interoperable identity system across the four major mobile network operators in the U.S. At the time of the award the GSMA wouldn’t elaborate on the pilot details and when contacted 10-months later executives at the organizations said there was nothing to report on the project.
IDESG defines the framework
While the National Program Office is working on pilots to create the identity ecosystem, the Identity Ecosystem Steering Group (IDESG) is moving on a parallel path, says Mark Anthony Signorini, chairman of the IDESG.
The IDESG is the private sector body that works alongside NSTIC to define the trust framework for digital identity systems. “The IDESG is creating the foundation for the trust framework – we’re the theory and they’re the practice,” he explains.
The IDESG recently published its baseline requirements for the Identity Ecosystem Framework, a set of minimum conditions for participants in four key areas: privacy, security and resiliency, interoperability and user experience.
The requirements will serve as the basis for the IDESG’s Self-Assessment Program, which is targeted to be operational later this year. Under this scheme, identity service providers and relying parties will be able to self-assess their own policies, procedures, and operations to the baseline requirements and attest to their level of conformance.
The IDESG will offer a public listing service for those organizations that self-assess and determine conformance to these baseline requirements. The model, requirements, Trustmark program scope, and scoping statement will comprise the initial version of the framework as envisioned in the strategic plan.
The baseline requirements are currently in the form of a set of requirement statements. IDESG working committees are developing supplemental information to clarify each requirement statement and explain how each can be met. This supplemental information will be part of IDEF v1 release later this year.
Three years into pilots to create an identity ecosystem and there are some tangible results, as readers will find as they read on. But there is still a lot of work before consumers have a common, interoperable, privacy-enhancing online digital identity.
Over the next few week SecureIDNews.com will be posting recaps of all the NSTIC pilots.