NSTIC doc outlines transition to privately led ID effort

NSTIC doc outlines transition to privately led ID effort

Summary: The government's National Strategy for Trusted Identities in Cyberspace takes its most important step to date by releasing recommendations for turning the effort over to the private sector.


The strategy established by the Obama Administration to create a national digital identity infrastructure reached a significant milestone Tuesday as the government began handing the effort over to the private sector.

Jeremy Grant, who heads the National Strategy for Trusted Identities in Cyberspace (NSTIC), released recommendations for creating a NSTIC steering committee operated independent of the federal government. However, governments - state, local and federal - will get a seat within the committee.

The 51-page document, titled "Recommendations for Establishing an Identity Ecosystem Governance Structure" calls for creation of the steering group, its structure, representation and coordination with international groups.

"While NSTIC is a government initiative, the Identity Ecosystem it envisions must be led by the private sector," said Grant. "The recommendations we published today lay out a specific path to bring together all NSTIC stakeholders."

The goal of NSTIC, introduced in April 2011, is to create an "identity ecosystem" that provides secure identities for online transactions while limiting the disclosure of personal information. The system calls for both public and private accredited  identity providers and a choice of identity credentials.

The effort does not create a national ID card.

The steering group, expected to be formally established later this spring, will create policies and standards for that identity ecosystem framework as laid out by the NSTIC charter.

The framework includes interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms.

The recommendations document, introduced by NSTIC's stewards - The Department of Commerce and the National Institute of Standards and Technology (NIST) -  lays out in detail suggestions for the steering group's structure, including recommendations for governance models, voting methods, sub committees, stakeholder groups, the use of a consensus-driven process, and the need for openness and transparency.

Once the steering group is in place it is free to accept or reject any or all of the recommendations, which are a product of public input solicited last June by NSTIC.

The report recommends 14 initial stakeholder groups: Privacy and Civil Liberties; Usability & Human Factors; Consumer Advocates; U.S. Federal Government; U.S. State, Local, Tribal, and Territorial Government; Research; Development & Innovation, Identity & Attribute Providers; Interoperability, Information Technology Infrastructure; Regulated Industries; Small Business & Entrepreneurs; Security; Relying Parties; and Unaffiliated Individuals.

NSTIC plans to issue a Federal Funding Opportunity (FFO) in the next two weeks to seed the launch of the steering group and to provide ongoing secretarial, administrative and logistical support. Eventually, the group will have to create a way to self-fund its operation. Recommendations for that effort included transaction, accreditation or membership fees.

Just last week, NSTIC issued $10 million in FFO's to fund five to eight pilots focused on identity projects that support the NSTIC model, and it is currently soliciting proposals to fill those slots.

"Between the new NSTIC pilot program and our plan to help stakeholders create an identity ecosystem steering group, there should be no doubt that 2012 is going to be a big year for NSTIC," said Grant.

NSTIC plans to hold a workshop on March 15 to convene potential stakeholders, review the recommendations and jump-start establishment of the steering group.

It also plans to hold on Feb. 29 at the RSA Security Conference in San Francisco an update session that will feature Howard Schmidt, the White House cybersecurity coordinator.

Topics: Enterprise Software, Government, Government US, Security


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • one question

    Do I have a choice; forehead or right hand?
  • RE: NSTIC doc outlines transition to privately led ID effort

    It's encouraging that NSTIC sees private as the way to go, but it'd be even better if Big Government kept out of online identity management entirely. I still remember the Clipper Chip; I don't view use of NSTIC as a backdoor for government management of online identity as far-fetched. Government funding still means "government control."
  • RE: NSTIC doc - Using the Private Sector to rollout a Global ID System

    "The effort does not create a national ID card."<br><br>At least not right away but it will create a global digital ID that can at a later time, after the private sector has fully implemented this thing, come back and take over the management of this process. In this model the government is using the private sector to rollout something that a government would have great difficulty doing do to resistance by the citizenry. Dont think for a second that the Federal government would never take over something from the private sector. Not only does it do this now and has done it in the past but when it cant take over something form the private sector it then implements public-private partnerships (often referred to as PPPs) which enable government and private corporations to do things neither could do alone. For example this PPP model lets a corporation use the power of government (via regulations, restrictions and targeted harassment and fines/fees against its competitors) to shut down the competition. <br><br>The National ID Card Effort: <br><br>As far as the idea of no National ID Card goes, the Federal Government already put into motion a National ID Card via the REAL ID Act of 2005 which requires all states to follow a set of guidelines set by the Federal government. These include what forms of ID are applicable to obtain a States Drivers License as well as what type of information the card must contain and of course security measures added to the card to prevent forgery. This Federally mandated States Drivers license is a de facto National ID Card.<br><br>The Real ID Act does not directly change the state level drivers license and so many who want to downplay the implications of this act will use that line to counter any National ID Card comments related to the Real ID Act. The way the Real ID Act implements this De facto National ID via the drivers license is by refusing to accept a states drivers license as proof of a persons ID for anything i.e. obtaining a passport) unless said state has set its drivers license model to meet the guidelines and requirements the Feds outlined in the Real ID Act. Its also my understanding that the Feds have threatened to withhold highway funds to states that have not implemented this by the cutoff date of 2013. That is monies collected from the states and sent to the Feds to then be redistributed back to the states. In other words the feds are able to require states to do as it says, even with regards to affairs that are those of the state and not the Feds like road repairs, and it does this by taking the states monies collected via taxes and not giving it back. A business model more like that of Organized crime then what our Federal Government is supposed to be. <br><br><br>Dont believe me? Then goggle the act yourself (while you still can, before one of the Internet Security laws gets passed and open use of the internet is shut down and the governments start to control the info that flows thru it ) and find out what your Federal government has been busily working on while you were busy working to pay your excessive income taxes.
    • warms my heart...

      @BlueCollarCritic I'm happy to see comments like yours here, I've been yelling in the night for 40+ years about this slippery slope downward into some kind of high tech command and control grid. We've reached the asymptote, it's straight to H - E - double toothpicks from here. People need to push back, as you say 'while they can.'