USPS credential project linked to NSTIC dodges hackers

A $15 million Postal Service access control program set to go live was separate from hacked network

Hackers may have pilfered data from the United States Postal Service, but a $15 million project spearheaded by the mail carrier to create a cloud service to accept citizen credentials went untouched.


On Monday, the USPS said a hacker break-in was discovered in mid-September. It is believed that Chinese hackers stole the data of 800,000 postal employees — including the postmaster general.

That’s not good news for employees or for the USPS, which is leading an access control project slated to come online by the end of the year and ultimately intended for use among all government agencies.

The project, begun in August last year, is called the Federal Cloud Credential Exchange (FCCX) and is designed to create a cloud-service hub that allows government agencies to accept citizen log-on credentials that are not issued by the government.

The U.S. government committed $15 million and named the Postal Service to oversee FCCX (pronounced F-Six). Canada-based vendor SecureKey is building the cloud-based infrastructure with the goal of relieving each government agency of the financial and management burden of issuing and maintaining identity credentials for citizens.

Government agencies will offer a standard log-in form as part of an FCCX companion program known as Connect.Gov.

“Connect.Gov and FCCX are unrelated to the breach that was reported today,” said Andre Boysen, chief identity officer for SecureKey. “Certainly [the breach creates] a lot of work for the USPS, but the breach is not part of what we are doing.”

A portion of Connect.Gov and FCCX is slated to go live as early as this month at the Department of Veterans Affairs. Over the next 18-24 months other government agencies will be added, including the IRS.

FCCX is one of three main initiatives under the National Strategy for Trusted Identities in Cyberspace (NSTIC), which was launched in 2011. The other two are the creation of the Identity Ecosystem Steering Group (IDESG) and the funding of a series of pilot projects to support NSTIC's goal of creating an "identity ecosystem" built and maintained by the private sector.

The FCCX pilot is exploring expected challenges such as security, privacy, governance and liability, as well as proving out the scalability of such a system.

By mandate, FCCX must provide anonymity so that the public data it takes in cannot be linked to its owner. It also must provide that the parties in the transaction cannot be identified, and that activity on government Web sites cannot be linked to third-party identity providers and vice versa, a condition known as "unlinkability."

USPS is implementing FCCX with support from the General Services Administration and the NSTIC National Program Office.

The idea of government agencies accepting credentials issued by a third party is not entirely new. The four-year-old National Institutes of Health’s PubMed site accepts third-party-issued authentication credentials.