OMB opens door to non-federal online credentials

Friday - 10/14/2011, 5:47am EDT

Jason Miller, Federal News Radio


Over the next year, agencies will begin letting citizens sign in with credentials issued by commercial identity providers, such as Google and PayPal, to conduct business with the government. In this federated model the user authenticates at the provider and the agency accepts the provider's assertion, rather than issuing and storing yet another government-specific username and password. It's part of the larger effort to secure identities in cyberspace and to move the government along the path the private sector has already taken.

"Currently, members of the public and business partners maintain dozens of identity credentials to interact with the government online and agencies maintain duplicative backend systems," wrote Steven VanRoekel, federal chief information officer, in an Oct. 6 memo obtained by Federal News Radio. "To decrease the burden on users of our systems, and reduce costs associated with managing credentials, agencies are to begin leveraging externally-issued credentials, in addition to continuing to offer federally-issued credentials."

VanRoekel instructed agencies to begin implementing the technology and policies to use third-party credentials within 90 days of the CIO Council and the General Services Administration approving the first Trust Framework Provider. Three providers have so far received provisional approval: InCommon Federation, Kantara Initiative and Open Identity Exchange.

A Trust Framework Provider is an organization that follows open standards and assesses and certifies identity providers against them. GSA and the CIO Council will approve these organizations based on how well they meet federal standards.

VanRoekel wrote that agencies should start with low-risk sites, known as assurance Level 1. These include sites that require a person to log in to, say, post a comment on a blog or subscribe to email feeds. At Level 1, the system places little confidence in the asserted identity, and a mistaken identity isn't critical to the security of the system.

"I believe this memo is long overdue," said Judy Spencer, a former GSA official who oversaw many of the identity management initiatives across government and now is with CertiPath, a trusted authority for interoperable identities for collaboration in the aerospace and defense industry. "With the Trust Framework Provider approval process, the government seems to have learned from the past and established a partnership that can be sustained. Agencies have already started looking at some of these external credentials at level 1 — OpenID for instance — and some have even moved to accepting them."

Starting small

Agencies are to move to Levels 2, 3 and 4 over the course of the next three years as resources and technology allow, VanRoekel wrote.

"I think it's a step in the right direction because it helps align the federal government and citizen services with what's taking place throughout America with online banking, online shopping and giving citizens the same experience as they expect in the private sector," said Frank Baitman, an entrepreneur in residence at the Food and Drug Administration and former CIO of the Social Security Administration. "The whole idea of having federated credentials is you build a stronger system because many people whose businesses are on the line work together to get this right. Everyone will work to make the system stronger and have a very high degree of confidence."

This isn't the first time the government has tried to move to electronic authentication. During the George W. Bush administration, OMB launched the E-Authentication e-government initiative. But after several years, the program hadn't caught on widely. However, the work behind E-Authentication spawned the success of the Federal Bridge and eventually Homeland Security Presidential Directive-12 (HSPD-12), which requires federal employees to get and use secure identity cards.

"While the concept was a good one, it didn't come to fruition — perhaps its time had not yet come," Spencer said.

OMB said this time the effort is different.

"There are a couple of new factors that have converged to make this memo timely," said OMB spokeswoman Moira Mack. "For instance, there are a number of viable commercial identity solutions that millions of people are using such as OpenID, and the federal government has a process, Open Identity Solutions for Open Government, to ensure that commercial identity providers are accredited and meet certain security and privacy requirements."

Mack said the National Institutes of Health's pilot on PubMed is an example of why the time is right. NIH launched the test in June 2010 and now has 72,000 people accessing the site with third-party-issued credentials.

"The devil is always in the details, but NIH has already demonstrated that this can be done and that it is more about the 'will' to do it, rather than the complexity," Spencer said. "All of the approved providers are utilizing open standards, and by adhering to the federal profiles there is consistency in the way they are presenting the credential to the application. It takes some of the burden off the implementing agency and, as the NIH example indicates, can result in serious cost savings."