We recently reported that implementation of the federal government’s national Identity Ecosystem is still well over the rainbow. When it arrives, however, it will bring benefits that include simplifying the administration of security credentials. That would be a boon across the board, but particularly for complex efforts like electronic health records. In the meantime, federal officials are focusing on creating governance structures...
to guide the creation of the Identity Ecosystem.
The Identity Ecosystem, which emerged from President Obama’s Cyberspace Policy Review, is intended to let individuals choose among multiple, interoperable digital credentials issued by private sector companies so they can interact securely with government agencies and commercial companies. Once implemented, IT shops won’t have to concern themselves with issuing and managing credentials, said Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology and manager of the national program office for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Managers “first and foremost need to keep in mind that the president has made it a cybersecurity priority that agencies in most cases get out of the credentialing business,” Grant said. This policy “basically states that they should not be creating new websites [that involve] issuing user names and passwords.”
Grant noted the government already has taken a small step in the direction of the NSTIC vision with the Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance. Under the FICAM framework, the General Services Administration has scheduled and certified commercial providers that agency managers can turn to for credentialing and identity management services, he said.
Deployment of a national Identity Ecosystem should be a huge boon for managers. “[If] you’re able to trust private-sector issued credentials at different levels, that’s one less thing you have to worry about,” Grant said. “So creating that framework with a variety of different interoperable credentials is a key thing for us.”
Enabling electronic health records
Strong, interoperable credentialing will be especially critical as initiatives such as those under the health IT banner — the electronic exchange of medical records among doctors, hospitals, medical organizations and government agencies at all levels, for example — are realized.
“How are doctors actually going to authenticate in transactions involving electronic health records?” Grant asked. “It’s not something where a username and password is going to cut it. If [medical records are] going to be moved online, you’ll need to have the stronger credentials that are out there. It makes it a lot easier to offer services to citizens when you can give them the ability to log in with a private sector credential that they already have. And it gets you out of the password management and the password reset business, which can be quite costly.”
Indeed, government officials expect the Identity Ecosystem to help ease IT expenses. “In a time when we’ve got declining IT budgets and tremendous budget pressures, agencies really have to try and figure out how they can be more cost effective,” he said. “So the more [operations] you can move online as a whole and shutter brick and mortar operations, or [end] transactions by mail and allow people to do things online, the more money you can save.”
Governance for NSTIC
Realizing the NSTIC vision will take years, government officials acknowledge. Grant termed it “a marathon, not a sprint.”
In the meantime, officials are establishing a governance structure for the initiative, including ensuring there is “proper stakeholder representation and the right mix of voices and opinions,” according to Grant.
Grant offered the following advice to managers:
- Get involved in NSTIC. “The bottom-line message for government IT managers is to participate in NSTIC and look to what this initiative will produce,” he said. “It should enable a lot of new transactions to be brought online over the next few years.”
- Make sure any new security programs at your agency align with NSTIC. “[I]t’s probably not a very wise thing -- cost-wise or otherwise -- to create some new authentication structure that’s not aligned with the presidential strategy,” Grant said.
- Sign up for NSTIC pilot programs. “There is money for pilots as proposed in next year’s budget,” Grant said. “We will want agencies to participate. We’re very interested in helping agencies that want to be early adopters and embrace the strategy, and give [them] the tools and the help they need to move forward.”
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.