CMS looks to NSTIC for identity management


The Centers for Medicare and Medicaid Services wants to move away from providing credentials and instead leverage the National Strategy for Trusted Identities in Cyberspace, or NSTIC, according to CMS Chief Information Officer Tony Trenkle.

"That's not the business we really want to be in," said Trenkle Oct. 18 at the AFCEA Bethesda Health IT Day in Bethesda, Md.

"We're focusing pretty much on NSTIC," he said. "We want to be a relying party. We don't want to be a credential provider for the government."

Trenkle said CMS is working closely with the NSTIC program office and the Health and Human Services Department to make sure this "is not something that just gets done alone but can be actually leveraged."

The agency provides around 4 million national provider IDs for the various entities that do business with CMS, he said. It also has 175 applications currently using seven different access management systems. And with the forthcoming health insurance exchange, CMS could eventually be handling access and credentials for 30 to 50 million users, said Trenkle.

Federated identity management is the end goal, "where we can accept the level 3 credential, or a level 4 credential, or even a level 2 credential from whoever, federate that and utilize it so a provider will not have to get multiple credentials," said Trenkle.

Federal Chief Information Officer Steven VanRoekel recently said the Office of Management and Budget is pushing agencies to adopt a federated identity management model that allows trust relationships across agencies, in accordance with NSTIC.

What that means from a technology and implementation perspective, however, is still unclear, as NSTIC's identity ecosystem pilots are in their infancy.

"The easy part is saying we want to adhere to the principles of the strategy," said David Wennergren, assistant deputy chief management officer at the Defense Department, following a panel discussion at the event. In many ways identity management efforts already underway align with the spirit of NSTIC.

Identity management will be a key consideration in the forthcoming iEHR, he said, adding that the joint DoD-Veterans Affairs Department program is looking into the possibility of "eventually leveraging DS Logon to better handle continuous identity."

Related Articles:
VanRoekel: Agencies to adopt NSTIC
Grant: Pilots move NSTIC from theory to practice
NIST hands off NSTIC to private sector