The four-year-old U.S. government-facilitated plan to build out an identity layer for the Internet is at a strategic transition point with a new leader who is digging in for the next phase he plans to define with a high level of execution.
Mike Garcia has been sitting in the leader's chair at NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC) just long enough to warm the vinyl, but he's already ticking off milestones. The NSTIC effort is overseen by the National Institute of Standards and Technology (NIST) working within the Department of Commerce.
"We are moving from a start-up phase to an operational execution phase," said Garcia, who took over as Acting Director in April for Jeremy Grant, who directed NSTIC from its 2011 inception.
"This transition will be a lot of my focus. How do we differentiate from start-up phase and determine where we want to go and where we want to end up over the long term," said Garcia, who co-directed the writing of the original NSTIC document.
Garcia, an economist by education and a veteran in the cybersecurity space, says his background will help as he turns NSTIC toward more of a business perspective.
"This is an economic problem as much as it is a national security problem and a technology problem," he said.
In order for NSTIC to thrive, he needs to create an organization that can evolve with the marketplace, he says.
With a nearly two-year run of massive breaches and password thefts, the marketplace is ripe for NSTIC's mission to create a secure identity ecosystem for the Internet.
Garcia is already actively reaching into the identity marketplace, recently announcing NIST membership in the FIDO Alliance that links the NSTIC office with a 200-member consortium building standards around the hottest trends in security, strong authentication, public key cryptography and biometrics.
In addition, Garcia cites work in the Open Identity Exchange around discovery services and trust frameworks, and identity assurance efforts within the Federal Identity Credential and Access Management (FICAM) initiative as other areas that blend with and benefit NSTIC.
"All these things align very well," he said. "If the ecosystem does its job, we can intersect all of these and other communities."
NSTIC's ultimate goal is to create an ecosystem run by the private sector and not the government.
The mission was crafted as an Obama Administration strategy and has struggled at times, but in the past four years since NSTIC's creation it has awarded more than $30 million in funding for pilot programs focused on infrastructure and tools aimed at reducing the need for passwords.
Garcia calls the pilot program one of NSTIC's biggest milestones. Another round of pilot submissions closed in late May, and it was the first round ever that has focused solely on a single topic (privacy enhancing technologies).
"NSTIC pilots have impacted 2.3 million individuals," Garcia said. "And there have been 125 organizations that have been involved as partners, relying parties or as direct recipients." Garcia points to vendor ID.Me, which has issued more than one million credentials as part of its pilot.
Other NSTIC milestones are hitting stride with momentum from Grant's tenure, private volunteers and vendors, including approval of key pieces of a foundational framework developed by NSTIC's Identity Ecosystem Steering Group (IDESG), and the success of Connect.Gov.
Connect.Gov, which began in 2013, defines a government program that supports a range of non-government-issued identity credentials citizens can use to log into federal agency websites. Just last week, MyHealtheVet, a Veterans Affairs application, went live with the promise to serve a large user population.
"We have several applications in a 'soft-launch' and others in various stages of implementation," says Garcia. "I think in 2016 we start to see enough adoption where the business model is viable for agencies and credential providers. If you think in terms of start-ups, it's a pretty quick turn."
Garcia also lauded progress at the IDESG as it nears finalization of Version 1.0 of the Identity Ecosystem Framework, including last week's consensus approval for the baseline requirements to which organizations will attest. Version 1.0 will include interoperability standards, privacy and liability policies, requirements, and accountability mechanisms.
"We are already thinking about version 2.0 of the framework and how it can serve a fully mature identity ecosystem," he said. "We are looking ahead and seeing where the obstacles are and the market impediments."
That framework is one of the NSTIC pillars called out in the original 2011 Obama strategy that Garcia helped write.
Garcia knows these developments are important, but also understands the end game. "It's not a good model to have NSTIC implementation government funded, it has to be turned into a private-sector, self-sustaining model," said Garcia. "If the end-users have to remember the acronym NSTIC then we have failed."
Going forward, Garcia says NSTIC will start to build trust in a multi-lateral way. "This has been one of the big problems with moving up the adoption curve in federation," he says. "When you do things in a bi-lateral way it is expensive, but once you reach a critical adoption it can really pay off."
NIST also is beginning work on privacy engineering documents to address rigorous risk management and focus on organizational privacy rather than being principle-based. Garcia likens it to FIPS 199, which is designed to help federal agencies protect the information and information systems that support their operations and assets. The first of these documents is open for public comment until July 31.
It's an effort that won't be without hurdles, especially in the wake of government security debacles like the recent cyber theft of personal records on four million civilian employees from the U.S. Office of Personnel Management, or the upcoming 2016 presidential election, which could impact NSTIC's funding.
Over the next year or so, Garcia hopes to bring clarity to how all the ecosystem pieces fit together. "It will become extremely understandable how all of these organizations and initiatives complement each other," he said.
Above all, Garcia is pragmatic. He knows he's not constructing a Silicon Valley start-up racing for a billion-dollar valuation.
"You build something from scratch and it takes a while," he said.