With $16.5 million in funding and $10 million earmarked for pilot programs, the government-led plan to facilitate the build out of an identity layer for the Internet has a year of organization under its belt, an implementation challenge for its future and a few critics chirping in its ear.
Last April, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was an Obama Administration mandate, a press conference and one ambitious guy sitting in a Commerce Building office above the nation's oldest aquarium.
Today, its progress is a marvel of efficiency inside the Capital Beltway, but a race against Internet-time execution outside that circle.
NSTIC is working on creating a framework for an "identity eco-system" that will be built and maintained by the private sector. It will provide secure identities for online transactions, either business-to-consumer or business-to-business, while limiting the disclosure of personal information. The system calls for both public and private accredited identity providers and a choice of identity credentials.
In the past 12 months, NSTIC, which is run by the National Institute of Standards and Technology (NIST) and is under the control of the Commerce Department, has ridden on the back of its tireless leader Jeremy Grant, who recently added six staffers to his National Program Office.
NSTIC has used public input to create a framework for its policies and structure, received federal funding, picked finalists for its pilot program, earmarked $2.5 million for a private-sector led steering committee and repeated ad nauseam that NSTIC is not a plan for a national ID card.
But on the flip side, observers say while NSTIC has succeed in organization and outreach, it has yet to show tangible assets such as implementation guidelines, still faces the challenge of solving age-old identity federation problems, and lacks strong external advocates that can articulate to the public the importance of it work.
"We have a lot of internal metrics we can point to, but the thing I am most excited about are the dozens of firms, big and small, who have come to us and said, ‘We've read the NSTIC. We think it makes sense. And we'd like to tell you about what we're doing as companies to align our product lines with it,' " says Grant.
He doesn't minimize the accomplishments of the past 12 months, but is cautious not to be "too self-congratulatory."
"In Washington, where it often takes years to get anything done, we've gotten lots of praise for accomplishing so much so soon with so little. But in other circles, I get asked why it's been a year since the President signed the strategy and the world hasn't changed. Both sides have their points."
NSTIC's pilot funding program drew 186 proposals that last week were whittled down to 27. Up to eight will be selected in August to get a piece of a $10 million pot to develop their ideas.
One of those finalists, the Transglobal Secure Collaboration Program (TSCP), an aerospace and defense consortium that includes the U.S. Department of Defense and the UK Ministry of Defense, believes NSTIC is starting to bring together companies that want to build the identity ecosystem.
The group's NSTIC proposal focuses on combining work by TSCP members and the government on identities, credentials and authentication mechanisms using PKI and non-PKI with attributes and privacy controls and extending that to more distributed and common Internet applications.
Keith Ward, president and CEO of TSCP, said crafting its NSTIC proposal brought with it the realization TSCP will have to reach out to others, including competitors, to craft a competent proposal.
"Since the NSTIC pilots will initially be developed in separate environments, I would say that what will be important for NSTIC is to ensure that they facilitate collaboration in the governance across the pilots, i.e., policies and liabilities," said Ward.
This summer, NSTIC plans to have its private-sector led steering group in place to lead that collaboration.
Observers say NSTIC's developments reflect important groundwork but that it is not getting to the meat of NSTIC's goal.
"What we have seen is the pre-work," says Ian Glazer, an analyst with Gartner. "But we have not seen a formalized implementation guide that is blessed to say this is what a NSTIC implementation looks like. Something that acts as a starting point for a debate and to be vetted against real-world use cases."
Glazer praises the work of the past 12 months, and says as a sidebar NSTIC has ignited work on standards such as OpenID Connect, a lightweight federation spec, and OAuth 2.0, which will help secure mobile computing.
"This work may not be directly related but tangentially it is important to NSTIC," said Glazer.
The biggest hurdle NSTIC faces now is what has been an age-old federation problem, recruiting companies and organizations to become relying parties (RP). In an identity federation, the RPs rely on identity providers, those that issue credentials, to validate the identity of user's visiting the RP's site. Historically, it has been hard to recruit RPs because their role is the least understood on federated identity's value chain.
"I think you'll also see some exciting examples [this year] of government supporting the ecosystem as a relying party, including accepting privately-issued credentials," said Grant. "Agencies realize that there is no practical way to bring the next generation of killer apps online if they don't have a way to solve the identity conundrum: is this person who they claim to be, or a "dog on the Internet?"
Grant expects up to three federal agencies to announce major initiatives that align with NSTIC by the end of the year.
Critics say NSTIC needs to get similar alignment to happen outside of government.
"There is a perception this is a government thing," says Glazer. "NSTIC needs a voice from outside the process to talk about why this matters. Why there is value."
Grant says the most common criticism he hears is that NSTIC needs to move fast to stay relevant.
"I actually don't disagree with them," he says. Grant says over the next 24 months material improvements will be realized.
"So the message I'd deliver to any stakeholder who is not yet involved is: you may want to pay attention" says Grant.