Online ID initiative stalled by political and technical challenges
Originally President Obama was supposed to sign the National Strategy for Trusted Identities in Cyberspace in September or October, an aggressive timeline considering the draft was released for comment in June.
While some would say the delay was predictable, a delay till 2011 may point to some larger problems. Reports in early November point to a six-month review by government agencies, which would mean nothing is released until May. Other sources, however, are still pointing to a release soon after the New Year.
The national strategy will create an “identity ecosystem” that individuals can use for high levels of identity assurance for banking and health care applications while also using it for lower assurance levels or even anonymous transactions. The idea is to provide a voluntary credential in some form factor that individuals could use to secure identity online.
One source says the initial delay was to make sure the strategy didn’t get politicized during the midterm elections. There were rumblings from some in Congress that the strategy could become an issue, so officials decided to hold it back.
There was also jockeying within the government as to who will oversee the national strategy, a source says, though as of early November this issue seemed solved, with the U.S. Department of Commerce taking the lead on the project. “People probably wouldn’t feel comfortable with Homeland Security heading an identity project,” says one source.
The National Institute of Standards and Technology, which is part of the Commerce Department, is taking an active role, sources say. The organization has experience with identification standards, having worked on the FIPS 201 standard for federal smart cards as well as a number of key biometric standards.
Part of the reason for the delay is refining the implementation plan, which would be included in whatever President Obama signs, as well as specific case studies on how the strategy would be used in the real world. One particular case study looks at how the credential may be used in health care, a source says.
The implementation plan would also look at building a federated trust framework, creating and certifying identity brokers, addressing legal issues and tackling enrollment and credentialing challenges. It’s also investigating how to encourage and provide funding for the adoption of a credential.
The group is also refining the four levels of identity assurance. These levels, which have been spelled out by the White House Office of Management and Budget for use with the FIPS 201 program and PIV card for federal employees, are being redefined for use with the public.
A matrix is being conceived to match the level of identity assurance with a specific task, a source says. For example, accessing the FEMA site to check on procedures for filing a claim from a natural disaster would require a low level of identity assurance, whereas actually filing the claim would require a higher level of assurance.
Goals of the National Strategy for Secure Online Transactions
- Foster the creation and adoption of federated identity frameworks that use a variety of authentication methods
- Encourage the use of authentication methods with well-understood security, privacy, usability, and cost characteristics
- Encourage the use of authentication methods resistant to known and projected threats
- Provide a general trust model for making trust-based authentication decisions between two or more parties