As a deadline for implementation draws near, the National Institute of Standards and Technology is working with agencies to ensure their legacy systems are keeping up with its latest standards in identity management and authentication solutions.
In June 2017, NIST released Special Publication (SP) 800-63-3, an updated set of digital identity guidelines to get agencies caught up on some of the latest recommendations for preventing fraud, unauthorized access to sensitive information and cybersecurity risks on their systems.
Agencies have until the end of June 2018 to implement SP 800-63-3, which, among other things, calls on agencies to beef up their use of multi-factor authentication and to provide guidance for biometrics like facial features, fingerprints, iris patterns and voiceprints.
“The goal of that was really to update that document and bring it into the modern age, and help agencies with their needs. One of the things we learned was agencies have varying use cases, and we need identity to be flexible and authentication to really match those different use cases,” Lefkovitz said Wednesday at a Digital Government Institute panel discussion on digital trust.
Lefkovitz said NIST is working to understand how agencies will implement this new guidance and is helping them with that implementation. One way it has been able to do that is through its National Cybersecurity Center of Excellence and by evaluating different identity authentication products from the commercial sector.
In a survey of 200 federal IT employees, Unisys found that 64 percent of respondents said they view identity management solutions as a “very important” piece of responding to cybersecurity threats at their agencies. However, only 20 percent of respondents said their agencies are using biometrics to verify users’ identities online.
David Temoshok, a senior policy adviser for applied cybersecurity at NIST’s IT laboratories, said NIST has been busy building implementation guidance for 800-63-3 on GitHub.
“Now we don’t have implementation experience, so we’re building the guidance from the standpoint [of], ‘Well this is what the standard says.’ We think that these are considerations for implementation that agencies have — questions that have come up. So we’re building the guidance along those lines,” Temoshok said. “We look at the implementation guidance as an ongoing document — a living set of documents, if you will, that as we gain experience at NIST, federal agencies gain experience in implementing -63-. We can build onto the implementation guidance as we go forward.”
For agencies like the Internal Revenue Service, which started receiving the first tax returns of the fiscal 2018 filing season, verifying the identities of the users they’re interacting with online remains a top priority.
Michael Anthony, the director of identity and access management at the IRS, said SP 800-63-3 will prove valuable in helping the agency verify the identity of taxpayers filing tax returns.
“We’re leveraging -63-3 to allow us to be more objective, more scientific and more data-driven when we look at the security posture of our applications, the data either the business customer or the taxpayer provides us and then what we provide back. It really allows us to have a deeper understanding of that data and allows us to take other things into account, whether there’s data out in the dark web, other info federal partners are sharing with us, or other information that’s already been exposed,” Anthony said.
NIST’s digital identity guidance, he added, will give the IRS an advantage over fraudsters, who continue to find new ways to leverage federal data to file tax returns using stolen credentials.
Last March, the Education Department shut down its data retrieval tool on FAFSA.gov after hackers used it to obtain sensitive financial information on as many as 100,000 people who applied for student loans, then used that data to file tax returns.
Anthony also said the new NIST guidance will help the IRS walk the line between convenience and security as it continues to expand its online financial service through its Future State Initiative. However, he also acknowledged that not all taxpayers have equal access to digital services.
“There is a constant internal tension … where our business customers want to move away from more expensive delivery channels — face to face, over the phone — to a digital environment. But -63-3, in my opinion, raises the bar on entry to the digital environment. So how do we allow secure access to diverse communities who may not have digital access? That’s something I think that we’re going to continue to struggle with,” Anthony said.