DMV driving Virginia's next-gen identity system

The Virginia Department of Motor Vehicle (DMV) is crushing every cliché ever uttered about a DMV by quietly becoming one of the most cutting-edge and strategic government agencies in the state, and perhaps the country.

The DMV has entered the implementation stage of a multi-year identity management plan that starts with sharing authentication data across agencies so that citizens can log in once and access services across many agencies.

The system allows those users to gain qualifying attributes along the way, such as validation of enrollment, depending on the agencies they visit and the services they are seeking.

The goal is to improve service, reduce fraud, and save enough money to cover the cost of the improvements and more.

With the DMV, the Commonwealth is starting where a deep well of identity data has already been collected, vetted, and stored, including core attributes such as name, date of birth, social security number, and gender.

"We look at the data that is in the DMVs across all states," said Dave Burhop, deputy commissioner and CIO of the Virginia DMV. "It is really golden; a golden record. And it is those data attributes, which are really trusted in the physical credential [drivers license], that we want to use in the virtual world."

The plan centers around something called the Commonwealth Authentication Service (CAS). That is the anchor for providing identity attributes on an enterprise scale, and for supplying an ID service to other Commonwealth agencies so they can stop issuing credentials and instead focus on their services.

At its full implementation, CAS will offer NIST Level of Assurance 1-3 compliant credentials that are interoperable with Level 4. These industry-defined levels describe how the identity was registered, how the user authenticates, and if the credential meets the needs of the Web site considering the authentication request.

Also, CAS will support the enterprise identity service, identity proofing, multifactor authentication, and identity binding.

The DMV's ID odyssey started about eight years ago with a whitepaper on the status of the state's identity and access management capabilities, and how single sign-on could benefit citizens dealing with the government.

But the business case wasn't crystal clear and the idea failed to win endorsements.

The idea was revived with the Federal Affordable Care Act in 2010, and then energized the next year with the introduction of the National Strategy for Trusted Identities in Cyberspace (NSTIC).

In fact, the Virginia DMV efforts are a focal point of a $1.6 million NSTIC grant given to the American Association of Motor Vehicle Administrators (AAMVA) in September 2012 to work on a pilot.

In addition, the program is targeted at gluing together state agencies, along with the Virginia Personal Identity Verification program for federal employees and contractors. And in alignment with the standards-based principles of NSTIC, the program will help support a trust framework with AAMVA, integration with other states via the State Identity and Credential Access Management (SICAM) architecture, and with agencies in Canada.

"We now have a business problem and a business case," said Burhop.

Today, citizens who get services from the Virginia Department of Social Services (DSS) can go through CAS to self-enroll and create accounts, a Level 1 credential. The DMV is currently installing identity vetting and binding capabilities that validate citizen IDs and the services available to those citizens, and allow bi-directional sharing of information (Level 2). The next move is to multi-factor authentication support for Level 3 credentials.

While DSS is the first online, other agencies will follow shortly.

"What we are doing is taking the burden of identity management off the agency's plate," said Michael Farnsworth, the CAS project manager. "[That burden] is someone having to understand the complexity of issuing, maintaining, and revoking a credential. This allows us to do everything in a more streamlined fashion."

Through the process, Farnsworth said that one focus has been on ensuring this project does not come off as a "Big Brother Syndrome".

"We built privacy in from the start," he said.

And, Farnsworth added, the benefit for the industry is that other governments or companies trying similar feats of single sign-on, cross-domain trust and integration are not alone.

"And the second thing is proving that it can actually be done," said Farnsworth. "We have had great success."