FICAM trust framework update opens door to federal credentials from financial institutions
Agency and department websites could one day soon leverage the same log-on information citizens use for online banking for government services, following a Feb. 7 General Services Administration update to the Trust Framework Solution.

The TFS update, part of the Federal Identity, Credential and Access Management Roadmap and Implementation Guidance, lays out a path for financial institutions to become federal credential service providers and marks the first comprehensive update to FICAM since it was issued in 2009.

Although it's often referred to as "guidance," the TFS isn't a mere suggestion, said Anil John, program manager for the Trust Framework Solution.

It's part of the FICAM Roadmap and Implementation Guidance, and under OMB Memorandum M-11-11 all agencies are required to use the FICAM TFS process when enabling members of the public and business partners to register for or log on to government websites.

The TFS establishes a process for agencies to accept credentials and other types of identity services available in the commercial sector. It verifies that these commercial services meet the security, privacy and interoperability needs of government before agencies rely on them.

Recent innovation in identity management pushed GSA to examine how government could leverage such services at the agency and department level, John said. The update follows a draft release of the TFS in November 2013, which received extensive feedback from agencies and industry that has since been incorporated into the guidance.

GSA is now working with the existing trust framework providers to ensure they adopt version 2 of the memorandum of agreement. GSA will then update the list of approved services under version 2 of the trust framework, said John.

The TFS update includes many changes, but perhaps the biggest thing it puts in place is a fast-track program for approving financial institutions as credential service providers.

"Financial institutions are already regulated by the [Federal Financial Institutions Examination Council] and they actually provide authentication guidance to financial institutions," said John.

The TFS update recognizes that financial institutions are already required to comply with a trust framework comparable to government requirements. The TFS now says that, if they so choose, financial institutions can act as credential service providers to the government, said John.

Version 2 of the TFS also incorporates a lesson learned from implementation. Rather than requiring services to self-attest that they are interoperable, the new process adds "a touch point" – especially at the higher assurance levels – where GSA actually verifies the interoperability of the services offered. John said GSA checks that services implement the proper standards so that, from the agencies' perspective, integrations are very smooth and require minimal investment.

Finally, the original Trust Framework had a minimal focus on privacy criteria.

"The privacy documentation and the privacy requirements were distinct and separate from the first version of the trust framework," said John. "We've clearly and directly made privacy a very important and equal criteria to security and interoperability within version 2 of the Trust Framework."

Another change since 2009 is the impact of the National Strategy for Trusted Identities in Cyberspace, a strategy document released by the White House in April 2011.

"FICAM is the government implementation of the NSTIC vision," said John.

Unlike the NSTIC National Program Office, which is run out of the National Institute of Standards and Technology, GSA does not see itself as being in the business of building the identity ecosystem. But, said John, FICAM is happy to leverage the innovations that emerge from it.

"We do not want to, in any way, shape or form, say to industry what they should or should not do," said John. "We basically compare what our needs and practices are to what [industry and consortiums] have and see if they can meet our needs, and if they do, we 'adopt them' and we have the ability to leverage services that are part of their framework for use with government."

FICAM is mentioned in so many different contexts that it sometimes creates confusion. Deb Gallagher, director of the identity assurance and trusted access division within GSA, said FICAM really brings together multiple pieces that are already in place into a cohesive whole.

"The federal PKI, HSPD-12 and the TFS program are all basically pieces of what FICAM is," said John. "They are obviously serving different needs, but they're not an evolution as much as I can say fine-tuning."

For more:
- download the updated "Federal Identity Credential and Access Management Trust Framework Solutions"
- download the updated "Trust Framework Provider Adoption Process for All Levels of Assurance"
- download the updated "Authority to Offer Services for FICAM TFS Approved Identity Services"
- download the updated "Identity Scheme and Protocol Profile Adoption Process"
- visit the IDManagement.gov website for more on FICAM
