The National Institute of Standards and Technology will evaluate pilots to support the National Strategy for Trusted Identities in Cyberspace and will also help establish a privately led Identity Ecosystem Steering Group.
NIST has budgeted $10 million for the pilots and anticipates funding five to eight separate projects. Each selected pilot will last up to two years and receive between $1.25 million and $2 million per year, though proposals requesting smaller amounts may be considered. The deadline for submitting initial proposals was March 7.
For the initial round of proposals, NIST requested concise, five-page descriptions of what the pilot would entail, says Jeremy Grant, senior executive advisor of ID management at NIST. There will be a cut by the end of March, and selected applicants will be asked to submit in-depth proposals by the end of April. Funded pilots should be announced at some point in the summer.
The funding opportunity cites a number of barriers that have prevented identity solutions from being widely deployed in the marketplace, including:
- The need for technical standards that ensure interoperability among different identity authentication solutions.
- A lack of clarity about liabilities when something goes wrong.
- No common standards for privacy protections and data re-use.
- Issues with ease of use for some strong authentication technologies.
Specifically, NIST is seeking pilots that address some or all of these barriers while adhering to the four central principles guiding the strategy: identity solutions should be privacy enhancing and voluntary; secure and resilient; interoperable; and cost-effective and easy to use.
For example, the funding opportunity notes that proposals could include, but are not limited to, technologies or approaches that:
- Create identity hubs to quickly validate credentials with strong authentication methods meeting agreed-upon standards,
- Provide incentives for consumers to use trusted authentication methods in lieu of user IDs and passwords,
- Include improved ways to enhance consumer privacy, while simultaneously meeting business and security needs, or
- Demonstrate interoperability across various technologies such as smart cards, one-time passwords or digital certificates.
Report commissions steering committee
One of the core tenets of the national strategy is that it be led by the private sector, says Grant. The creation of the steering committee is a step to make sure that happens. In early February NIST released a report defining this committee entitled, “Recommendations For Establishing An Identity Ecosystem Governance Structure.”
The committee will be open to anyone, Grant explains. “We want to have a good balance of stakeholders, so we don’t have one company abuse the process,” he adds.
In order to prevent large companies from controlling the committee, NIST describes multiple safeguards that are designed to provide protections for individual privacy and the underrepresented and guard against undue influence by any single stakeholder group.
Safeguards called for in the report include:
- Privacy Coordination Committee: A permanent body responsible for reviewing and approving all Steering Group standards, policy and procedures to ensure they do not violate accepted privacy standards.
- Ombudsman: An impartial and unaffiliated officer responsible for supporting equitable representation of all stakeholders and individual participants and upholding the guiding principles.
- Operating principles: All operations within the Steering Group should be conducted in accordance with the principles of openness and transparency, balance, consensus and harmonization.
- One member, one vote: Within the Plenary and on the Management Council no single stakeholder group or organization should have more than one vote in decision-making proceedings.
- Multiple pathways to participation: The Identity Ecosystem Steering Group should maintain multiple pathways to enable all stakeholders the broadest opportunity to take part–directly or indirectly–in the Steering Group.
The government recommends a Steering Group structure with two bodies, a Plenary and a Management Council, with supporting roles and dispersed decision-making responsibilities. The Plenary should be a large body containing working groups and committees dedicated to conducting the work required for establishing and adopting standards, policies and procedures to govern the identity ecosystem.
The Management Council should be a smaller group consisting of officers, delegates from stakeholder groups, and at-large delegates. This council should be responsible for providing strategic guidance to the Plenary, supervising its progress, and resourcing its operations.
Grant is also working on funding some of the groups in the steering committee so stakeholders don’t have to worry about paying for expenses related to participation in committee activities.