
Federal, state, local programs working off of the same sheet of identity music

Jason Miller: Federal, state, local programs working off of the same sheet of identity music

The Chief Information Officer’s Council, FirstNet and the Next Generation 911 services are on the same page when it comes to verifying and authenticating identities.


These organizations and others are working from the same sheet of music in part because of the Information Sharing Environment’s work around standards and its support of pilots over the last decade.

The ISE, which sent its annual report to Congress in September, celebrated its 10th anniversary in April, and now can see its impact through a host of initiatives, but maybe none more important than those around identity management.

“The federal CIO Council under the Office of Management and Budget’s leadership, under the General Services Administration’s leadership and all the different participating agencies have been advancing the federal identity, credential and access management (FICAM) roadmap, and there has been really good work that we’re plugged into with OMB, the National Institute of Standards and Technology, department and agency partners, within those federal CIO Council’s working groups and committees and the rest,” said Kshemendra Paul, the program manager of the Information Sharing Environment, in an exclusive interview with Federal News Radio. “That is the work to update the FICAM roadmap to make it a little bit more accessible, to increase the footprint of the attribute-based access control, to look at a little bit more on risk-based postures, interoperable credentials and the further adoption of personnel identity verification (PIV) and PIV-industry. We see that as fully integrated into project interoperability and that’s part of what we are doing.”

Project interoperability uses best practices to promote information sharing through the use of standards for data and technology designs, and through governance policies that promote interoperability and sharing.

Paul said the different communities also are using the FICAM concepts through the sensitive but unclassified (SBU) network working group. The group includes a series of law enforcement networks such as the FBI’s Law Enforcement Online (LEO), the Homeland Security Department’s Homeland Security Information Network (HSIN), and IntelLink. Paul said in all about 400,000 registered users are using these and other networks that are following the identity management framework.

“You have single sign-on now across all those networks,” he said. “We currently are working with those networks and mission partners to turn that technical capability into actual mission impact. We’re already starting to see that broadly.”


The work on identity and access management is but one example of how the ISE has continued to influence the development of trusted information sharing networks over the last year.

Paul said the core message of the annual report to Congress is there is a lot of maturation across information sharing communities, there is a pathway to scale the frameworks and standards created over the last decade, and the effort is both long-term and sustainable.

“We have examples of agency and department’s information sharing environments,” Paul said. “We have examples of domain specific information sharing environments. The maritime domain across the federal agencies with our state and local partners and with the private sector is an example there. And then we have an initiative around statewide information sharing environments where there is a lot of exciting work going on there also.”

The ISE also has been helping to usher along several identity management projects, including one with GSA on the backend attribute exchange (BAE). The BAE lets organizations transfer data, such as user logins and credentials, seamlessly. It protects privacy and security, but can pull attributes from multiple sources as needed.

The organization also recently worked on another program around an attribute registry service, which minimizes time, effort and uncertainty required for relying and trusting parties to identify users and their authorization attributes for access to services and information resources.

Paul said the ISE has led the effort to define what the authoritative attributes are at the SBU level.

“We hosted a summit last year and published the report on our website really thinking about what are the identity credential and access management considerations around FirstNet, the public safety broadband network,” he said. “It’s a big initiative for state, local and federal partners. There was a really positive development there in that the FirstNet community really is committed to working in the public safety ICAM arena. We are a key part of that with our partners at DHS, DoJ and the Federal Communications Commission.”

Paul said the ISE also is working with the FCC on the Next Generation 911.

“There is a real desire across the public safety community to converge on these practices, the federated identity credential and access management,” he said. “We think that’s tremendously positive news as we scale the ISE. They are not looking at it as aligned under CIO Council. But we are working pretty diligently with all the different stakeholders with the underlying concepts that the federal CIO Council is using, that these others are using and these are all based on a similar set of standards. There is alignment going on under the covers. That’s sort of what we get paid to do, help facilitate that.”

All of this work “under-the-covers” helps align the technical standards so the interoperability can happen machine-to-machine and so different stakeholders can trust each other’s identity proofing efforts.

Paul said the ISE’s goal is never to run or manage a program, but to give users the pieces and parts to make information sharing happen more smoothly.

Moving into 2016, Paul said the ISE is focused across three areas:

  • Continuing to advance the national strategies and policies, such as the 2012 National Strategy for Information Sharing and Safeguarding, and address the concerns of the Government Accountability Office. GAO put information sharing on its 2015 high risk list.
  • Helping to align the architecture and integration of national security and public safety in a way that protects privacy and civil rights while also leading to greater degrees of efficiency, effectiveness, mission agility and information sharing. Paul said a statewide ISE initiative is part of that to create a national capability for information sharing.
  • Expanding project interoperability. Paul said the work of the standards coordinating councils (SCC) will help make progress to distill out these capabilities and frameworks. “An example here is there is a beta version of a playbook. The SCC modeled after the U.S. Digital Services playbook to provide a programmatic view into this body of knowledge and provide on-ramps. Each play highlights different resources and ways to leverage these tools, and building in reuse, building in the safeguarding — the privacy and security piece — building in the community of interest view.”