Q&A: Jeremy Grant on NSTIC implications for government IT


Back in April the White House released the National Strategy for Trusted Identities in Cyberspace (.pdf), a government-coordinated effort to create a digital "identity ecosystem," executed by the private sector. Since then NSTIC lead, Jeremy Grant, the senior executive advisor for identity management at the National Institute of Standards and Technology, has been hard at work bringing identity stakeholders to the table and asking (.pdf) industry, government, consumer groups and web citizens what an identity ecosystem should look like.   

NIST has helped moderate two workshops thus far--one June 9 session on governance in Washington, D.C. and another with a focus on privacy held June 27 in Cambridge, Mass. Grant says a third workshop on technology and standards is planned for the fall and could be co-located with an identity-focused conference in the San Francisco Bay area.

FierceGovernmentIT spoke with Grant July 26 about upcoming NSTIC implementation pilots and the implications of an identity ecosystem for government IT.

FGIT: Assuming the budget permits the pilots planned for fiscal 2012, how do you think the pilot period is going to work? Is this going to be a single model with different stakeholders or will there be different types of models?

Jeremy Grant: Well, it's a little premature to talk about that right now since it's important to consider NSTIC as it is in 2011, where the program is not fully-funded yet. And NIST is tackling it based on existing work it's doing on cybersecurity and identity management and then the budget that's been proposed for fiscal 2012. So this year it's me and some folks working on details and trying to put a foundation in place. Next year, I think, is when we'll have a much more vibrant national program office.

So, trying to think through how some of the pilots will work is one of the things that we've started to do. But we haven't put any specific criteria in place.

That being said I think your question was, 'would it be one pilot or several?' And I think the answer is we would not be looking to fund just a single pilot. We would be looking to fund several. And be able to test out different facets, whether it be looking specifically at privacy-enhancing technologies that have great promise but haven't fully matured and how we can advance the use of those, to issues like, frankly, being able to deploy an identity ecosystem in miniature and test some of the different assumptions that are in the strategy and look for lessons learned and ways to actually perfect the model.

FGIT: As far as participants in the pilots, that's probably premature?

Grant: Definitely.

FGIT: But this would likely not be reserved for government.

Grant: Absolutely not. The bulk of NSTIC is really focused on parties outside of government. I've made it very clear NSTIC should not be viewed as FICAM (.pdf) with a different name and more money. Although FICAM is an important part of NSTIC it really represents the .gov embodiment of how things would work.

So, it's not to say that pilots involving agencies would be ruled out but we're not necessarily assuming it's going to be a federal-government centric set of pilots. And I think it's safe to say, early on when we haven't published any specific guidance, an ideal pilot would involve multiple identity providers and perhaps a range of public and private-sector reliant parties.

FGIT: And the DoD-VA integrated electronic health record, that wouldn't necessarily be ruled out?

Grant: Well, I would be surprised if we would fund agency programs that already have funding.

Having said that, I can say we're doing some work right now with a number of agencies who have existing identity management and authentication challenges in terms of being able to provide services to the citizens that they serve and there's a number of agencies that actively reached out to us in large part because NSTIC is a White House strategy and agencies are looking for some guidance in terms of where the strategy is going and trying to understand how, as NSTIC is implemented, it will help them fulfill their mission better.

But also agencies have been very clear, they want to make sure that whatever they do it not misaligned with NSTIC. So, a lot of agencies have gotten direction that they make sure they've coordinated with us as they're looking to move more applications online and add an identity and authentication layer to ensure that things are aligned.

There are a lot of interesting challenges that those two agencies have right now in trying to get things coordinated and we'd love to coordinate with them.

FGIT: You mentioned that this isn't to be viewed as a FICAM. What is it to be viewed as? What ideally would the government use of an NSTIC implementation look like?

Grant: Well, again the most important thing to keep in mind is that NSTIC is not just focused on the government, but on the country at large. So, it is not a government strategy for trusted identities in cyberspace, it's a national strategy.

And so the vision is that individuals and business a few years from now are able to choose from multiple credential providers and different types of credentials that could be available from private sector entities, it could be available from public-sector entities. There's nothing that would preclude an agency that is already in the identity business today--or a state for that matter or a local government that has an important role to play--from issuing a credential. But it's really about offering choice to individuals and in terms of making sure that there's a number of different strong credentials that they can chose from that they can use interoperably at different places they go online.

So, the government's part of that. The government wants to be an early adopter of new solutions and be able to accept them, and wants to, frankly, leverage them to be able to bring more services online that can't be done today because there's a lot of transactions you can't put online because you don't know if the person on the other end of the internet connection is a dog or not--as in the old New Yorker cartoon.

However, the focus of it is not just the .gov, it's really something much broader for the country and the government is only expected to be one of many reliant parties out there.

The work that's been done with FICAM today essentially represents the .gov embodiment of NSTIC. So if I get calls from agencies today that essentially ask, 'How can we coordinate with NSTIC?' The message we continue to give them is, 'Please talk to the FICAM folks because they are well ahead of the rest of us and there's already a process in place for private sector credentials to be used.'

FGIT: So, an NSTIC implementation in government could look a lot like FICAM looks now in government.

Grant: Sure, it's a starting point. I think the real question will be, as we go forward, because we've said NSTIC should be private-sector led, does the steering group called for in NSTIC start to lay out potentially some alternatives for cross-framework models that could vary a little bit from FICAM. And if it were to happen at that point, it would start to sort of fall to the government to look at those and try to figure out if there should be any changes to the underlying guidance, both the NIST specs 800-63 (.pdf) as well as the FICAM rules that govern that to see if there should be changes to it.

FGIT: I guess part of this is just dependent on what sorts of solutions industry comes up with.

Grant: Right. I will say that a lot of times we get asked about, 'How does NIST 800-63 apply?' And if you're familiar with it, it's specific guidance on e-authentication for people accessing federal information systems.

It's an interesting specification in that there hasn't really been anything else out quite like it in the U.S., and some would argue the world, and so when the NIST guidance was put out, while it was only focused on federal agencies there were a number of other industries and even countries that adopted it because it had been blessed by NIST and because NIST is, you know, generally viewed as doing excellent work when it comes to cybersecurity standards. This general view that the standards that NIST puts out are a good thing to follow.

The flip side of that is if you are trying to follow the NIST specs for an industry that may have a completely different risk model than what federal agencies deal with, you may find that the specs are too rigid. And if you look at the new draft (.pdf) of 800-63 that's out for review right now on the special pubs website and there's a forward to it actually that has some language that basically talks about the relationship of 800-63 to NSTIC. And I don't have the exact language in front of me, but it basically reaffirms that 800-63 is guidance for federal agencies and those parties accessing federal applications. When it comes to NSTIC and applications outside of the federal government, 800-63 may or may not be a starting point for those discussions.

That will largely be left up to the governance structure once it convenes to figure out how exactly they will go forward. However, the fact that parties will want the government to be a reliant party and there's already a framework in place based around that, may provide some incentives to start with that.

FGIT: I think that's something that was kind of emphasized at the D.C. workshop, in that it may not be new standards in some cases it may be picking and choosing what should be adopted.

Grant: Yeah. And I think in my impression--you know, while we're officially open on a lot of these topics and want to let a broader group of stakeholders really take the lead--it's pretty clear if you talk to most stakeholders that there is a body of work out there in terms of standards that do exist today and may provide a good place to start, in that they are areas where either industry and/or government have already come together and embraced certain standards and technologies as a foundation.

So, a lot of it can change, but given that there's already a lot of work that's been done, you'll find there are at least parts that can be used as a foundation going forward.

FGIT: DoD has been focused on identity management for some time and I was wondering if there were any points that you could pick out of DoD's strategy that maybe an NSTIC governing body could learn from.

Grant: DoD's done a fantastic job, although--they've really, frankly been kind of the gold standard as far as how to actually deploy strong authentication and how to make sure it has a real impact. I think we're going to be actually hard pressed to take a lot of lessons in terms of the governance in that DoD has a very firm chain of command, and people have to follow orders and do what they're told. It's something that doesn't even apply in the same way to the rest of the federal government, let alone the private sector.

And so, I think to the extent to where DoD's been a leader in pioneering new technologies, like multi-application smart cards with PKI certificates in secure networks, or other technologies that they've used, there are certainly some good approaches that can be followed. But I don't know from a governance perspective because they're just so much more focused on a chain of command than the rest of the world is that there's going to be a lot that we can really borrow from.

FGIT: Looking ahead, you've said that the goal is to have an NSTIC environment fully functioning  by Jan. 1, 2016. So what milestones can we expect through 2012?

Grant: I'd say where we're focused now in the short term--first of all, I sincerely think we can get something up and functional before 2016. It's kind of an arbitrary date and I think more than anything else it represents that what we're doing is not a sprint but a marathon. But given that that's close to 5 years off I think there's some real milestones early on.

You know, where we're focused in the short term is establishing a very high-functioning, private-sector-led steering body, in partnership with the government start to make real substantial progress on tackling the array of standards and policy and business challenges that will be necessary in order to create the identity ecosystem. So, we expect to have that stood up by the end of the year and would expect in 2012 that the group starts meeting regularly and has different subgroups making significant progress on defining standards and rules, on a consensus basis that will actually form the underpinnings of the ecosystem.

I also think in the next year, and some of this will be contingent on funding of course and the timing of when an fiscal 2012 budget passes, but I would say four to six, very exciting pilots will be stood up that will demonstrate different elements of the identity ecosystem and in some cases provide a foundation that we can build on to expand it rather than just do things that will wrap up in the short term.

And, you know, those I think will be some of the--at least in 2012--some of the things to look at as the foundation's in place. It will really be an environment where at that point different industries can bring solutions to the table that would be able to be quickly accredited as being compliant with the NSTIC requirements and from there you could have a marketplace where a thousand flowers can bloom and different solutions can compete for end users.

We're really excited to what kind of innovative solutions industry can bring to the table.

Related Articles:
NSTIC pilots expected next year; NIST releases NSTIC RFP
Focus turns to privacy in second NSTIC workshop
NSTIC policy and standards body to be formed by year end, says NIST official
Online 'personas' at heart of privacy protection in identity ecosystem, says U.K. think tank