White House ready to reveal identity management plans

Friday - 4/2/2010, 7:01am EDT

WFED's Jason Miller

Click below to hear the report

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

The Obama administration is preparing two documents to advance its vision for federal identity management.

The first is a memo from the Office of Management and Budget that will ask agencies for specifics on when they will more fully use their secure identity cards for building and computer network access.

The second is a draft strategy to secure online transactions.

Both of these documents signal how the White House wants to move services online for both federal employees and citizens. And to do this, the government must authenticate and verify identity, which would, in turn, improve cybersecurity and prevent identity theft.

These two documents would be among the first significant public statements the administration has made in the year it's been in office. The White House mentioned the need for strong identity in the President's cyberspace review and again in the fiscal 2011 budget request and guidance to agencies.

But it hasn't said much else about the path forward.

"Some departments got extra passback language because they needed a little more push to get to where OMB wished them to be," says Paul Grant, special assistant for Federated Identity Management and External Partnering in the Defense Department's chief information officer's office, and the co-chairman of the CIO Council's Federal Identity, Credential and Access Management Subcommittee.

Grant spoke Thursday at the Interagency Smart Card Advisory Board meeting in Washington.

He says the upcoming memo on using secure identity cards under Homeland Security Presidential Directive 12 follows the more general passback language that every agency received.

"In my case, DoD will write an identity, credential and access management transition plan documenting efforts to identify ICAM management activities and submit it back to OMB," Grant says. "They are pretty serious. The guidance is in draft and we've seen a draft of the template OMB wishes to use to track agency progress."

The memo is expected to be finalized in the next few weeks.

Sources say the memo also will address HSPD-12, similar to the requirements in the budget passback guidance.

This memo comes on the heels of OMB increasing pressure on agencies to meet HSPD-12 requirements.

One source, who requested anonymity because they were not approved to talk about this issue, says federal CIO Vivek Kundra held TechStat sessions with the Transportation and Veterans Affairs Departments and the Small Business Administration about their poor progress in issuing secure identity cards to employees and contractors.

TechStat sessions are used to help fix problematic projects.

As of the latest numbers from OMB from January, DOT has issued cards to only 31 percent of all contractors and employees who need them, SBA is at 23 percent and VA is at 6 percent.

The source says other sessions are expected for agencies who also are not meeting OMB's HSPD-12 requirements, such as the Homeland Security Department (7 percent), Justice (19 percent) and Interior (50 percent).

Meanwhile, the White House's cybersecurity coordinator's office is circulating a partial draft of the Strategy to Secure Online Transactions.

Sources say Mike Butler has been on detail from the National Institute of Standards and Technology for the past few months to help lead this effort with Tom Lockwood from DHS.

Grant says the White House hopes to finalize the drafts strategy by April 23.

"Most of the things in there are dealing with pre-supposed strong credentialing, strong identity proofing and vetting," he says. "It's going to be a very high level document because it is 25 pages of national strategy. It's hinged strongly upon the ICAM strategy."

Aside from these two documents, there are several other identity management initiatives that agencies are teeing up.

Federal PKI Certificate Policy Working Group is reviewing a new set of criteria for non-federal entities to provide secure credentials or certificates as part of the Personnel Identity Verification-Interoperable (PIV-I) standard.

Grant says these companies, such as VeriSign, Entrust, ORC and even Citibank, would need to pick up the extra requirements of the PIV-I, which requires strong identity proofing and vetting of an individual.

"This would be another cross-certification for the Federal PKI bridge," he says. "We expect the citizenry initially to be at the lower assurance levels because they do not have high assurance credentials and many of the smaller companies. But the people who have large volumes of either privacy or sensitive information to do business with us or among themselves must have the stronger credentials not to violate law or federal regulations."