Over the next year, agencies will begin accepting citizens’ usernames and passwords from commercial providers, such as Google and PayPal, to conduct business with the government. It’s part of the larger effort to secure identities in cyberspace and push the government down a similar path as the private sector.
“Currently, members of the public and business partners maintain dozens of identity credentials to interact with the government online and agencies maintain duplicative backend systems,” wrote Steven VanRoekel, federal chief information officer, in an Oct. 6 memo obtained by Federal News Radio. “To decrease the burden on users of our systems, and reduce costs associated with managing credentials, agencies are to begin leveraging externally-issued credentials, in addition to continuing to offer federally-issued credentials.”
VanRoekel instructed agencies to begin implementing the technology and policies to use third-party credentials within 90 days of the CIO Council and the General Services Administration approving the first Trust Framework Provider. Currently, three providers — InCommon Federation, Kantara Initiative and Open Identity Exchange– received provisional approval.
A Trust Framework Provider is an organization that follows open standards and provides certification services. GSA and the CIO Council will approve these organizations based on how they meet federal standards.
VanRoekel wrote agencies should start with low-risk sites, known as Level 1 security assurance. These include any sites that require a person to log on to, say, enter a comment on a blog, or receive email feeds. Under Level 1, ensuring the person’s identity isn’t critical to the security of the system.
“I believe this memo is long overdue,” said Judy Spencer, a former GSA official who oversaw many of the identity management initiatives across government and now is with CertiPath, a trusted authority for interoperable identities for collaboration in the aerospace and defense industry. “With the Trust Framework Provider approval process, the government seems to have learned from the past and established a partnership that can be sustained. Agencies have already started looking at some of these external credentials at level 1 — OpenID for instance — and some have even moved to accepting them.”
Agencies are to move to Levels 2-3-4 over the course of the next three years as resources and technology allow, VanRoekel wrote.
“I think it’s a step in the right direction because it helps align the federal government and citizen services with what’s taking place throughout America with online banking, online shopping and giving citizens the same experience as they expect in the private sector,” said Frank Baitman, an entrepreneur in residence at the Food and Drug Administration and former CIO of the Social Security Administration. “The whole idea of having federated credentials is you build a stronger system because many people whose businesses are on the line work together to get this right. Everyone will work to make the system stronger and have a very high degree of confidence.”
This isn’t the first time the government tried to move to electronic authentication. During the second Bush administration, OMB launched the E-Authentication e-government initiative. But after several years, the program didn’t catch on widely. However, the work behind E-Authentication spawned the success of the Federal Bridge and eventually Homeland Security Presidential Directive-12 (HSPD-12) requiring federal employees to get and use secure identity cards.
“While the concept was a good one, it didn’t come to fruition — perhaps its time had not yet come” Spencer said.
OMB said this time the effort is different.
“There are a couple of new factors that have converged to make this memo timely,” said OMB spokeswoman Moira Mack. “For instance, there are a number of viable commercial identity solutions that millions of people are using such as OpenID, and the federal government has a process, Open Identity Solutions for Open Government, to ensure that commercial identity providers are accredited and meet certain security and privacy requirements.”
“The devil is always in the details, but NIH has already demonstrated that this can be done and that it is more about the ‘will’ to do it, rather than the complexity,” Spencer said. “All of the approved providers are utilizing open standards, and by adhering to the federal profiles there is consistency in the way they are presenting the credential to the application. It takes some of the burden off the implementing agency and, as the NIH example indicates can result in serious cost savings.”
Pilots show cost savings
NIH expects to save almost $3 million by 2015 by not having to manage about 50 databases of usernames and passwords.
“The idea is in fact to follow the same guidelines that are referred to in this memo and give citizens the same opportunity to get a Level 2 or Level 3 credential as NIST defines it. It would be a big deal,” he said. “You can see the real focus of this memo is ensuring all agencies get on board for a Level 1 credential. Where SSA is heading, is the next phase of that, which is Level 2 and Level 3.”
OMB expects agencies eventually to get to high levels of security assurance, but also must wait until industry is ready.
“Federal agencies that use higher levels of credentials can put more sensitive services online such as accessing tax records or social security benefits with better security,” Mack said. “By accepting externally-issued credentials, agencies gain greater efficiencies as well as provide more convenience to people who will not have to manage separate credentials for each agency. However, as recognized in President Obama’s National Strategy for Trusted Identities in Cyberspace, there are not many commercial identity solutions easily available to people at the higher levels. This memo is a call to industry that the federal government is ready, and industry needs to step up and meet the demand.”
Randy Vanderhoof, the executive director of the Smartcard Alliance, said previous attempts have failed for several reasons, many of which had to do with the lack of a coordinated approach.
“This memo is providing some leadership from the federal CIO office for agencies to align around a common strategy,” he said. “We’ve seen for too long federal agencies have been able to stovepipe solutions to meet their specific needs without necessarily looking at the solutions from a governmentwide interoperability standard.”
He added the memo is one of several steps the government has taken over the past few years to show it has realized it doesn’t operate in a vacuum and must have work with industry to create a trust infrastructure.
The Federal Public Key Infrastructure (PKI) Bridge is an example of a trust infrastructure that has had limited use and success.
GSA, OMB to meet with agencies
Spencer, who ran the Federal Bridge for GSA, said this latest effort and the bridge are complimentary.
“When agencies start looking at the acceptance of external credentials at Levels 3 and 4, they will be relying on the Federal Bridge to indicate trusted identity providers,” she said.
GSA and OMB will meet with agencies over the next three months to answer questions and share best practices. They plan to start during the week of Oct. 24 with the Agriculture, Commerce, Defense and Education departments.
“The degree of cost and complexity for implementing the technical capability to accept externally-issued credentials varies depending on the technology platform an agency is using,” Mack said. “The changes are primarily technical. Depending on the technology platform in use, it can be as simple as configuring an add-on module that is commercially available to ensure that only credentials from accredited identity providers are being accepted.”