$15 million cloud ID pilot another NSTIC milestone

Postal Service spearheading program to create, test Federal Cloud Credential Exchange

The U.S. government committed nearly $15 million Wednesday to move ahead with a project that will support creation of a common identity infrastructure for the Internet.

The United States Postal Service will oversee the pilot program to create a cloud-service hub that allows government agencies to accept citizen log-on credentials that are not issued by the government.

The program, called the Federal Cloud Credential Exchange (FCCX), tapped Canada-based vendor SecureKey to build the infrastructure under what could eventually be a $15 million engagement. The goal is to relieve each government agency of the financial and management burden of issuing and maintaining identity credentials for its constituency.

Most important, it means citizens won't need a separate user name and password for every government agency they deal with, such as the IRS or the Social Security Administration.

FCCX is one of three main initiatives as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which was launched in 2011. The other two are the creation of the Identity Ecosystem Steering Group (IDESG) and the funding of a series of pilot projects to support NSTIC's goal of creating an "identity ecosystem" built and maintained by the private sector.

The USPS was tapped in Nov. 2012 to spearhead the FCCX project. The Veterans Administration and the National Institute for Standards and Technology (NIST) are also joining in. Also, participation by other agencies is expected over the next few months, according to a blog authored by Naomi Lefkovitz, senior privacy policy advisor for NIST, on the NSTIC web site.

The FCCX won't be just a federation proxy that takes in credentials on the citizen side and pushes them out the other side in a way that meets government configurations and protocols.

Per NSTIC guidelines, the FCCX service must provide anonymity so that the public data it takes in cannot be linked to its owner. It must also ensure that the parties in a transaction cannot be identified to one another, and that activity on government Web sites cannot be linked to third-party identity providers and vice versa, a condition known as "unlinkability."

"In simple terms, this means that private organizations that issue citizens credentials – and the agencies that accept them – will have no way to track where citizens use them," wrote Lefkovitz.
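As an added illustration (not FCCX's or SecureKey's actual design), one common way a hub delivers the unlinkability described above: the identity provider's assertion is addressed to the hub alone, and each agency receives only a keyed, per-agency pseudonym derived by the hub. The hub name, key, provider and agency names below are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpAssertion:
    """Constructed stand-in for what a third-party identity provider returns."""
    idp: str       # issuing identity provider
    subject: str   # the provider's own identifier for the citizen
    audience: str  # the party the provider authenticated the user for


class BlindHub:
    """Illustrative hub: the provider only ever sees the hub as the relying party,
    and each agency only ever sees a hub-issued pairwise pseudonym."""

    def __init__(self, key: bytes, name: str = "hub.example"):
        self._key = key   # hub secret; the hub is the one party able to re-link
        self.name = name

    def pairwise_pseudonym(self, assertion: IdpAssertion, agency: str) -> str:
        # Stable per (provider, subject, agency): the same citizen returns to the
        # same agency under the same pseudonym, but two agencies cannot match records.
        if assertion.audience != self.name:
            raise ValueError("assertion was not issued to the hub")
        msg = f"{assertion.idp}|{assertion.subject}|{agency}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def forward(self, assertion: IdpAssertion, agency: str) -> dict:
        # Only hub-scoped fields reach the agency; provider name and raw subject are dropped.
        return {
            "issuer": self.name,
            "subject": self.pairwise_pseudonym(assertion, agency),
            "audience": agency,
        }


def demo() -> tuple:
    hub = BlindHub(key=b"constructed-demo-key-not-for-production")
    login = IdpAssertion(idp="idp.example", subject="user-42", audience=hub.name)
    to_irs = hub.forward(login, "irs.gov")   # constructed agency names
    to_ssa = hub.forward(login, "ssa.gov")
    again = hub.forward(login, "irs.gov")
    return to_irs, to_ssa, again
```

The hub itself still holds the key that could re-link both sides, which is why the pilot pairs technical design with governance and policy rather than relying on either alone.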

The FCCX pilot is designed to explore expected challenges such as security, privacy, governance and liability, as well as to prove out the scalability of such a system.

Lefkovitz wrote in her blog: "The General Services Administration (GSA) has established a program management office to coordinate the integration between the cloud solution and Federal Identity, Credential & Access Management (FICAM) policy around approved identity providers, as well as to support continued agency engagement in building a governance framework and a successful business model."

FICAM is a framework for creating systems that provide security and privacy, and reduce complexity and cost.

Lefkovitz said the goal is to create shared services that federal agencies can use as a means to run more efficiently. "FCCX’s value also lies in demonstrating that significant privacy risks can be managed through a combination of technical design and policy," she wrote.

The idea of government agencies accepting credentials issued by a third party is not entirely new. The three-year-old National Institutes of Health's PubMed site accepts third-party-issued authentication credentials.