National Strategy for Trusted Identities in Cyberspace
The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a US government initiative announced in April 2011 to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the private sector, advocacy groups, government agencies, and other organizations.{{Cite news |title= Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace |date= April 15, 2011 |publisher= Office of the White House |work= Press release |url = https://obamawhitehouse.archives.gov/the-press-office/2011/04/15/administration-releases-strategy-protect-online-consumers-and-support-in |access-date= November 9, 2013 }}
The strategy imagined an online environment where individuals and organizations can trust each other because they identify and authenticate their digital identities and the digital identities of organizations and devices.{{cite web |title= National Strategy for Trusted Identities in Cyberspace |date= April 14, 2011 |url= https://www.nist.gov/sites/default/files/documents/2016/12/08/nsticstrategy.pdf |access-date= September 9, 2017 }} It was promoted to offer, but not mandate, stronger identification and authentication while protecting privacy by limiting the amount of information that individuals must disclose.{{cite web |author=Howard A. Schmidt |author-link=Howard Schmidt |date=June 25, 2010 |title=The National Strategy for Trusted Identities in Cyberspace |url=https://obamawhitehouse.archives.gov/blog/2011/04/26/national-strategy-trusted-identities-cyberspace-and-your-privacy |access-date=September 5, 2023 |work=whitehouse.gov |via=National Archives}}
Description
The strategy was developed with input from private sector lobbyists, including organizations representing 18 business groups, 70 nonprofit and federal advisory groups, and comments and dialogue from the public.
The strategy had four guiding principles:{{cite web|url=http://www.idecosystem.org/page/adherence-nstic-guiding-principles |title=Adherence to the NSTIC Guiding Principles | Identity Ecosystem Steering Group |access-date=2013-08-16 |url-status=dead |archive-url=https://web.archive.org/web/20130815232538/http://www.idecosystem.org/page/adherence-nstic-guiding-principles |archive-date=2013-08-15 }}
- privacy-enhancing and voluntary
- secure and resilient
- interoperable
- cost-effective and easy to use.
The NSTIC described a vision, likened to an ecosystem, in which individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online. In that envisioned world, technologies, policies, and agreed-upon standards would securely support transactions ranging from anonymous to fully authenticated and from low to high value.
Implementation included three initiatives:
- The Identity Ecosystem Steering Group (IDESG), the private sector-led organization developing the Identity Ecosystem Framework;{{cite web|url=http://www.idecosystem.org/page/identity-ecosystem-framework |title=Identity Ecosystem Framework | Identity Ecosystem Steering Group |access-date=2013-08-16 |url-status=dead |archive-url=https://web.archive.org/web/20130629090534/http://www.idecosystem.org/page/identity-ecosystem-framework |archive-date=2013-06-29 }}
- Funding pilot projects that NSTIC said embrace and advance the guiding principles;{{cite web |last=Boeckl |first=Kaitlin |date=29 April 2016 |title=Pilot projects & partners |url=https://www.nist.gov/nstic/pilot-projects.html |archive-url=https://web.archive.org/web/20160707230602/https://www.nist.gov/nstic/pilot-projects.html |archive-date=2016-07-07 |website=nist.gov |publisher=}} and
- The Federal Cloud Credential Exchange (FCCX),{{cite web|url=http://trustedidentities.blogs.govdelivery.com/2013/02/01/putting-the-fed-in-federation-the-u-s-government-as-early-adopter-of-the-identity-ecosystem/|title=Putting the Fed in Federation: The U.S. Government as Early Adopter of the Identity Ecosystem - I Think, Therefore IAM|publisher=}} the U.S. federal government service for government agencies to accept third-party issued credentials approved under the FICAM scheme.
NSTIC was announced during the presidency of Barack Obama near the end of his first term on April 15, 2011. A magazine article said individuals might validate their identities securely for sensitive transactions (such as banking or viewing health records) and stay anonymous for transactions that are not sensitive (such as blogging or surfing the Web).{{Cite news |title= Kill the Password - Why a String of Characters Can't Protect Us Anymore |work= Wired Gadget Lab |author= Mat Honan |date= November 15, 2012 |url= https://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/2/ |access-date= November 9, 2013 }}
In January 2011, the U.S. Department of Commerce had established a National Program Office (NPO), led by the National Institute of Standards and Technology, to help implement NSTIC.{{Cite news |title= National Program Office Planned for Online Trusted Identity Strategy |publisher= NIST |date= January 19, 2011 |work= Press release |url= https://www.nist.gov/public_affairs/releases/nstic_011911.cfm |access-date= November 10, 2013 }} To coordinate implementation activities of federal agencies, the NPO worked with the White House Cybersecurity Coordinator, originally Howard Schmidt and, after 2012, Michael Daniel.{{cite web |title= Michael Daniel: Special Assistant to the President and Cybersecurity Coordinator |url=https://obamawhitehouse.archives.gov/blog/author/Michael%20Daniel/ |via= National Archives |work= whitehouse.gov |access-date= November 9, 2013 }}
Steering group
The NSTIC called for a steering group led by the private sector to administer the development and adoption of its framework. This Identity Ecosystem Steering Group (IDESG) held a meeting in Chicago on August 15–16, 2012.{{cite web|url=https://www.idecosystem.org/content/august-2012-plenary |title=Identity Ecosystem Steering Group | Created to administer the development of policy, standards, and accreditation processes for the Identity Ecosystem Framework |access-date=2013-08-16 |url-status=dead |archive-url=https://web.archive.org/web/20131109233932/https://www.idecosystem.org/content/august-2012-plenary |archive-date=2013-11-09 }} The meeting brought together 195 members in person and 315 members remotely. Additional plenary meetings were held in Phoenix, Arizona,{{cite web|url=https://www.idecosystem.org/3rdPlenary |title=February 2013 Plenary | Identity Ecosystem Steering Group |access-date=2013-08-16 |url-status=dead |archive-url=https://web.archive.org/web/20130810052657/http://www.idecosystem.org/3rdPlenary |archive-date=2013-08-10 }} Santa Clara, California,{{cite web|url=https://www.idecosystem.org/mayplenary |title=May 2013 Plenary | Identity Ecosystem Steering Group |access-date=2013-08-16 |url-status=dead |archive-url=https://web.archive.org/web/20130808024408/http://www.idecosystem.org/mayplenary |archive-date=2013-08-08 }} and Boston, Massachusetts. Under a grant from 2012 through 2014, Trusted Federal Systems, Inc. was the group's administrative body.{{cite web |title= NSTIC Welcomes Trusted Federal Systems as Secretariat of the Identity Ecosystem Steering Group |date= July 12, 2012 |work= NSTIC blog |url= http://nstic.blogs.govdelivery.com/2012/07/12/nstic-welcomes-trusted-federal-systems-as-secretariat-of-the-identity-ecosystem-steering-group-iesg |access-date= November 9, 2013 }}
Pilots
The federal government initiated and supported pilot programs. In 2012, NSTIC awarded $9 million to pilot projects in the first year. For example, the American Association of Motor Vehicle Administrators was developing a demonstration of commercial identity provider credentials by the Virginia state government, including securely verifying identities online with the Virginia Department of Motor Vehicles.{{Cite news |title= Five Pilot Projects Receive Grants to Promote Online Security and Privacy |work= Press release |date= September 20, 2012 |publisher= NIST |url= https://www.nist.gov/itl/nstic-092012.cfm |access-date= November 10, 2013 }} Internet2 received about $1.8 million for research. ID.me was given a two-year grant in 2013.{{cite web|title=NSTIC, ID.me, Inc.|url=https://www.nist.gov/nstic/id-inc.html|website=www.nist.gov|publisher=National Institute of Standards and Technology|access-date=21 February 2015}}
Further work funded by NIST is listed on its Trusted Identities Group web page.{{Cite web |title=Trusted Identities Group |publisher= NIST | url= https://www.nist.gov/itl/tig}}
Federal Cloud Credential Exchange
The NSTIC called for U.S. federal government agencies to be early adopters of the Identity Ecosystem envisioned in NSTIC. Agencies struggled to implement it for services they provide internally and externally. Technical, policy and cost barriers made it challenging to accept third-party credential providers accredited by the Federal Identity, Credential, and Access Management (FICAM) initiative.{{cite web|url=http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance |title=FICAM Roadmap and Implementation Guidance | IDManagement.gov |access-date=2013-08-16 |url-status=dead |archive-url=https://web.archive.org/web/20130819043739/http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance |archive-date=2013-08-19 }}
In response, the White House created a Federal Cloud Credential Exchange (FCCX) team, co-chaired by NSTIC and the General Services Administration. The team consisted of representatives from agencies whose applications are accessed by a large population of external customers. In November 2012, the United States Postal Service was chosen to manage a pilot version of the FCCX, and awarded the contract to build it to SecureKey Technologies, a member of FIDO Alliance. That contract was renewed in May 2015.{{cite web|url=http://securekey.com/press-releases/securekey-technologies-wins-contract-with-u-s-postal-service-to-implement-federal-cloud-credential-exchange/|title=SecureKey Technologies Wins Contract with U.S. Postal Service to Implement Federal Cloud Credential Exchange - SecureKey|publisher=}}{{cite web|url=http://www.zdnet.com/article/connect-gov-solidifies-expands-identity-credential-plan-for-federal-agencies/|archive-url=https://web.archive.org/web/20150502233308/http://www.zdnet.com/article/connect-gov-solidifies-expands-identity-credential-plan-for-federal-agencies/|url-status=dead|archive-date=May 2, 2015|title=Connect.Gov solidifies, expands ID credential plan for federal agencies - ZDNet|first=John|last=Fontana|website=ZDNet |publisher=}}
=Connect.gov=
Connect.gov, the manifestation of this pilot, was launched in December 2014. The first two companies to provide individual US citizens with identity management services compatible with Connect.gov were ID.me and Verizon.{{cite web|url=http://www.federalnewsradio.com/445/3768083/Connectgov-is-latest-attempt-to-get-buy-in-to-online-ID-management|title=Connect.gov is latest attempt to get buy-in to online ID management|date=22 December 2014|publisher=}} Ping Identity and ForgeRock were the first software platforms to provide FICAM-compliant credentials and to enable private sector organizations to connect securely to government agencies, a primary objective of this project.{{cite web |title= Connect.Gov solidifies, expands ID credential plan for federal agencies |date= April 30, 2015 |url= http://www.zdnet.com/article/connect-gov-solidifies-expands-identity-credential-plan-for-federal-agencies/ |archive-url= https://web.archive.org/web/20150502233308/http://www.zdnet.com/article/connect-gov-solidifies-expands-identity-credential-plan-for-federal-agencies/ |url-status= dead |archive-date= May 2, 2015 |last=Fontana |first=John |publisher=ZD Net |access-date= May 6, 2015 }}{{cite web |title= Connect.gov is latest attempt to get buy-in to online ID management |url=http://nstic.blogs.govdelivery.com/2014/02/20/putting-the-fed-in-federation-part-3-a-new-way-to-buy-identity-services/ |date= December 22, 2014 |last=Miller |first=Jason |access-date= May 6, 2015 |publisher= Federal News Radio}}
=Login.gov=
{{Main|Login.gov}}
On May 10, 2016, 18F announced in a blog entry that Connect.gov would be replaced.{{Cite web|url=https://18f.gsa.gov/2016/05/10/building-a-modern-shared-authentication-platform/|title=18F: Digital service delivery {{!}} Building a modern shared authentication platform|date=10 May 2016 |access-date=2017-07-02}}{{Cite news|url=https://www.secureidnews.com/news-item/feds-scrap-connect-gov/|title=Feds scrap Connect.Gov - SecureIDNews|work=SecureIDNews|access-date=2017-07-02|language=en-US}} The replacement system would be called Login.gov,{{Cite news|url=https://www.secureidnews.com/news-item/login-gov-replacing-connect-gov/|title=Login.Gov replacing Connect.Gov - SecureIDNews|work=SecureIDNews|access-date=2017-07-02|language=en-US}} and launched in April 2017.{{Cite web|url=https://18f.gsa.gov/2017/08/22/government-launches-login-gov/|title=18F: Digital service delivery {{!}} Government launches login.gov to simplify access to public services|website=18f.gsa.gov|language=en|access-date=2018-02-16}}
Identity Ecosystem Steering Group
The Identity Ecosystem Steering Group (IDESG) received start-up funding from NIST in 2010 and has since created a series of documents that are available on its website.{{Cite web |title=The Identity Ecosystem Steering Group |url=https://www.idesg.org/}} In 2016, it introduced the Identity Ecosystem Framework (IDEF) Registry{{Cite web |title= Identity Ecosystem Framework (IDEF) Registry |url= https://www.idefregistry.org/}} for self-assessment.
Criticism
The proposal has generated criticism since it was released in draft form in June 2010.{{Cite news |title= White House drafting plan for cyberspace safety |author= Lance Whitney |work= CNet news |date= June 28, 2010 |url= http://news.cnet.com/8301-13578_3-20008998-38.html |access-date= November 9, 2013}} Much of it centered on the privacy implications of the proposal.
Shortly after the draft's release, the Electronic Privacy Information Center (EPIC), with other consumer-rights and civil liberties organizations, sent the committee a statement in response to the draft NSTIC policy, requesting a clearer and more complete plan to create and safeguard Internet users' rights and privacy.{{cite web |title= Statement on the National Strategy for Trusted Identities in Cybersecurity Creating Options for Enhanced Online Security and Privacy |author= Lillie Coney|date= September 23, 2010 |publisher= Privacy International and Electronic Privacy Information Center |url= http://privacy.org/privacy_coalition_comments_trusted_ids.pdf |access-date= November 9, 2013 |display-authors=etal}} While EPIC head Marc Rotenberg called NSTIC "historic," he also cautioned that "...online identity is a complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real. The US will need to do more to protect online privacy."{{cite web |last=Center |title=EPIC - National Strategy for Trusted Identities in Cyberspace (NSTIC) |url=http://epic.org/privacy/nstic.html |website=epic.org}}
NSTIC addressed some early privacy concerns through its 2013 fair information practice principles document.{{cite web |title= Appendix A – Fair Information Practice Principles |publisher= NSTIC |date= April 4, 2013 |url= https://www.nist.gov/nstic/NSTIC-FIPPs.pdf }} Subsequent initiatives sought to advance privacy. For example, the American Civil Liberties Union and the Electronic Frontier Foundation were involved in a privacy committee in the IDESG.
References
{{Reflist|30em}}
External links
- {{official|https://www.nist.gov/itl/tig}} {{dead link|date=November 2024}}