From NSTIC to Improved Cybersecurity: U.S. Government Updates ICAM Policy
Seven years ago, the Obama Administration published the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC called for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”
Born out of the NSTIC and operating under grants from the National Institute of Standards and Technology (NIST), the Identity Ecosystem Steering Group (IDESG) is a private sector-led, not-for-profit organization. Any identity ecosystem requires trust and specifically, a trust framework. The IDESG’s Identity Ecosystem Framework provides a set of standards and policies that enables individuals and organizations to use a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet. Full disclosure, I currently serve on the IDESG’s Board of Directors.
Although the NSTIC vision remains, over the past seven years interoperability and trust online remain non-existent due to numerous large-scale breaches, cyberattacks and the latest data losses involving Facebook and Cambridge Analytica. Alarmingly, the overwhelming majority of Americans have had their personal data compromised online.
Fast forward to 2018. On April 6, the White House Office of Management and Budget (OMB) published a draft for public comment titled, Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management.
OMB’s policy change focuses on three main areas:
- Implementation of effective ICAM governance
- Modernization of agency ICAM capabilities
- Agency adoption of ICAM shared solutions and services
OMB directs agencies to leverage the NIST Special Publication (SP) 800-63, Digital Identity Guidelines updated and published in June 2017. The Digital Identity Guidelines are actually a suite of documents:
- SP 800-63-3 – Digital Identity Guidelines
- SP 800-63A – Enrollment and Identity Proofing
- SP 800-63B – Authentication and Lifecycle Management
- SP 800-63C – Federation and Assertions
As mentioned on CSOonline, the new policy incorporates “Digital Identity Risk Management into existing processes as outlined in NIST SP 800-63, including the selection of Identity Assurance Levels (IALs), Authentication Assurance Levels (AALs), and Federation Assurance Levels (FALs) commensurate with the risk to their digital service offerings.”
Moving Beyond PIV & CAC Authentication
OMB’s new policy states: “When PIV cards as a form factor are not feasible for logical access control, other IAL 3 and Authenticator AAL 3 identity solutions can be used. Agencies shall consider the cross-government trusted federation and interoperability requirements established in HSPD-12 when implementing any other process and form factor.”
This means that government agencies are no longer limited to PIV or derived PIV credentials for employees and contractors. AAL 3 authenticators, including FIDO Alliance certified and numerous FIPS 140-2 approved authenticators issued by a shared service provider, meet the requirements of the new policy.
In addition, OMB directs NIST to “Update NIST SP 800-157, Guidelines for Derived PIV Credentials, to align with NIST SP 800-63 and develop a process to identify innovative technologies and authenticators (where applicable) that can leverage the PIV process for derived credentialing for logical and physical access.” It is still unclear which technologies will be included by NIST and whether NIST will permit non-PKI-based solutions for derived PIV credentials.
Authentication for Citizen-to-government Transactions
It is important to note that OMB’s memo also applies to citizens interacting with federal agencies online.
NIST’s Federation and Assertions guidelines will assist agencies here. As mentioned on CSOOnline, OMB directs agencies to leverage shared service providers that use more than one credential provider and are able to federate with other solutions. This way users are empowered to select the option that appropriately mitigates risk for their unique interactions across government.
Taking a risk-based approach means that depending on the sensitivity and security warranted, federal agencies should require higher levels of identity assurance and authentication depending on the user’s request. For example, if a person is making a camping reservation at a national park, it may warrant a lower IAL or AAL, Level 1. However, if one is applying for Medicare benefits, it would warrant a higher IAL and AAL, ideally Level 3, given the level of risk should the information become compromised.
In attending an early IDESG Plenary Meeting, a representative from the U.S. Department of Defense made the point that in the identity ecosystem, “I, along with my federal government colleagues, should be able to use PIV or CAC cards to authenticate to non-government websites within the identity ecosystem.” We are not there yet, but OMB’s policy change turns it around, in that the federal government will accept authenticators outside of a PIV or CAC.
While these improvements will help, I do not see the U.S. government adopting leading edge, frictionless authentication technologies like adaptive authentication, or facial and voice recognition in lieu of a CAC anytime soon. However, agencies can adopt these technologies to make it safer and more convenient for citizens to conduct government business online in the future.
For more information on Trusted Digital Identity by VASCO, go to:
Behavioral Biometrics: Improve Security and the Customer Experience
The following article, authored by Michael Magrath, Director, Global Regulations & Standards, first appeared 4/13/18 on CSO Online.