The Office of Management and Budget quietly put some policy muscle behind the latest initiative to create an identity management and access control solution for citizen-to-government interaction.
Federal Chief Information Officer Tony Scott sent a cover letter and memo to agency CIOs last month highlighting the General Services Administration’s 18F’s new Login.gov effort.
“As announced in the Cybersecurity National Action Plan (CNAP), part of this initiative is for the federal government to build on previous efforts and take steps to safeguard personal data in online transactions through a new plan to drive the federal government’s adoption and use of effective identity proofing and strong multi-factor authentication methods,” Scott wrote in the cover letter, which Federal News Radio obtained. “My team and I will be monitoring the progress of this effort very closely and it is being tracked as part of ongoing CNAP governance.”
The nine-page memo, which wasn’t previously released publicly, was included with the cover letter and contains the implementation plan for Section 3 of the 2014 Executive Order 13681 — commonly known as the chip-and-PIN memo.
While most of the memo is background, it does include specific milestones between April and October to move Login.gov from a concept to a reality.
For example, the memo calls for OMB and GSA, by April, to establish a program office, name a director, develop criteria to prioritize the projects and determine metrics to measure the move to the online transactions platform.
As far as we can tell publicly, they accomplished most of this.
By July, GSA has eight milestones, including delivering common technical and user interface components and requirements for identity proofing, credentialing and multi-factor authentication, providing metrics and data on public-facing applications and services and releasing an identity design standards and identity services playbook.
GSA also will recommend updates to identity proofing and authentication policies, standards and guidance based on lessons learned and user research.
In the meantime, agency CIOs have two deadlines to worry about. By June 30, they must “prioritize and inventory both legacy and new applications that make personal data accessible, or that provide identity-based services or benefits based on the criteria developed by the program.” Also, by Oct. 31, CIOs must have a plan to move applications into the new platform using multi-factor authentication and identity proofing based on OMB guidance.
“Any such OMB guidance will provide agencies with information on what their migration plans must include and OMB will retain authority to review and approve any agency-requested alternative services,” the policy memo stated.
OMB, GSA and the National Institute of Standards and Technology over the next five months will work on updates to key governmentwide policies and standards, such as the Trust Framework Solutions for credential providers to use services on the login.gov platform, and the December 2003 memo from OMB on e-authentication (M-04-04).
NIST also will update Special Publication 800-63 for e-authentication.
“The federal CIO will convene the advisory group described above at least bi-annually to report on progress and solicit recommendations to ensure that the goals of expanded agency implementation of multi-factor authentication and effective identity proofing are achieved,” the memo stated. “The actions and program outlined above will drive the U.S. Government’s implementation of the protections necessary to secure federal transactions online.”
What’s also interesting about Scott’s memo is that he lists three projects 18F will work on on a priority basis — the Veterans Affairs Department on the Vets.gov platform; the Social Security Administration on its MySSA portal; and the IRS on its new-and-improved Get Transcript service.
But at least two of three already have identity management services in place or in the works.
VA recently announced a contract award for support and services for Vets.gov to Ad Hoc LLC, which is run by former Presidential Innovation Fellow Greg Gershman, who spent six months between 2012 and 2013 working on the MyGov project. The White House said in 2012 that MyGov would “create a rapid prototype of a streamlined online system that citizens will be able to use to easily access the information and services that are right for them from across the federal government.”
Along with Ad Hoc LLC, the winning team includes ID.me, a technology firm focused on identity management and authentication services run by Blake Hall, who came out strongly against 18F’s Login.gov initiative when it was announced a few weeks ago.
ID.me blogged that it will create a “single sign-on for veterans” under the Vets.gov portal.
So 18F will work with VA on Vets.gov, but VA hired an outside firm to provide identity management and support services.
Hopefully there is more to the story here than meets the eye.
And then there is the IRS and Get Transcript. The tax agency relaunched a more secure version of Get Transcript on June 7 that includes a multi-factor authentication framework developed by the U.S. Digital Service.
So 18F will work with the IRS to implement an identity management service for Get Transcript even though the USDS just worked with the IRS to implement an identity management service.
Again, there is a lot of murkiness to what’s going on here.
And why didn’t OMB release this memo publicly? That also adds to the mystery of the situation.
Reaction to the memo has been mixed.
Daniel Turissini, chief technology officer and chief information security officer of SolPass LLC, said the memo is painful and a rehash of the same rhetoric over the last 25 years.
“What they need to do is get someone to do an analysis on this and at the end of the day they will see what we haven’t done over the past 20-to-25 years is choose not a brand or company but a single approach and move all of the relying party apps toward that approach,” said Turissini, who has been working on federal identity management for the past 20 years. “The problem with e-authentication and all the other efforts has been there hasn’t been any consistency. It’s all by committee and too many people on the committee have specific agendas and they want their tool or product or whatever to be implemented. I keep hearing this is too complex, but it’s really just changing the ecosystem. It’s very frustrating because the common denominator for the last 20 years has been the inability of government to enforce that the relying parties use the same approach.”
Turissini said the Defense Department is the one outlier in government. He said their public-key infrastructure and certificate authority works because the Pentagon has as many as 10,000 apps using the same architecture no matter the technology.
Ron Martin, a retired federal employee who worked in the logical and physical security space and now teaches identity credentialing and access management (ICAM) courses at Capital Technology University in Laurel, Maryland, said the memo is calling for the same thing the Federal ICAM roadmap called for in 2011.
“To me, they changed happy to glad and sorry to sad,” Martin said. “This is just the newest thing, but they haven’t done what they were supposed to do with FICAM and a lot of folks in GSA and governmentwide are still talking about FICAM.”
Martin said there isn’t enough discussion on creating the trust between government and citizen.
“Adopting another secure identity service doesn’t make sense to me because I thought our identity services already were secure with personal identity verification (PIV) and DoD’s Common Access Card (CAC),” he said. “They should be focusing on strengthening what they’ve got. They should elevate and redefine FICAM, and stop saying some of the same things we’ve heard over the last decade.”
But a former federal CIO, who requested anonymity, said it’s good the program is being led and overseen by Scott.
“I have always been of the mindset that the agencies need to get robust directory services set up and get role-based access in place for their information holdings,” the former CIO said. “I think it is interesting you are going to do architecture all over again; all of this should have been done if OMB had been doing its job of management and oversight.”
So here we go again. As I talked about a few weeks ago, 18F would be smart to bring in DoD and talk to some of the federal executives who have been around and worked on e-Authentication, Homeland Security Presidential Directive-12 (HSPD-12), the National Strategy for Trusted Identities in Cyberspace (NSTIC) and many other attempts to create a standard approach to identity management and authentication.
Otherwise, 18F and OMB are doomed to make the same mistakes as those before them, waste millions of dollars, and months, if not years, of effort, and still be in the same place as before — each agency going off on their own and buying proprietary identity management technologies and services.