When you think about 2016, the first thing that comes to mind is innovation in the identity ecosystem. That can’t just be us, right? While there have been a host of high-profile bad things in digital identity this year, we try to keep our eyes on the prize. And there’s been a lot of progress toward the long-term goal.
“Ch-ch-ch-ch-changes—just gonna have to be a different man”
Before we take a look at 2016, a quick programming note: the President established a 10-year timeframe for NSTIC implementation. Halfway through, we are tracking well to the benchmarks established in the strategy (more on this in early 2017). Still, as long as there is an internet there will be a need to empower individuals, businesses, and government to leverage digital identities to interact online. Goal four of the NSTIC calls for an ongoing evolution and sustainment of the identity ecosystem and, as such, many of our upcoming initiatives will extend beyond 2021. For that reason, we will be branding most of our work as the Trusted Identities Group, which we lovingly call “the TIG.”
NIST, and specifically the TIG, is proud to remain the National Program Office for implementing a strategy that is widely recognized as the foundation for a strong and vibrant identity ecosystem. While we’re excited about the increased pun opportunities that the TIG provides over NSTIC NPO, above all, we think of the TIG as the home of the ongoing and persistent partnership model we have built over the last few years. We remain dedicated to working with our partners and advancing this important work.
Nothing has changed besides the name (oh, and a new blog theme coming next week). We simply think this better reflects our recent new home at NIST, where we’re putting the “applied” in the Applied Cybersecurity Division for the Information Technology Laboratory—making sure everything we do ends in a positive impact for real people with a real need for better digital identity solutions.
“Stop! Look what’s behind you. Fame and love gonna find you. We’re just here to remind you.”
We considered 2016 a transitional year for our office as we turned our focus toward scaling adoption of quality digital identity solutions and making progress in standards and guidelines toward measuring the quality of solutions in the identity ecosystem. This year we released eight different publications—four times as many as last year—on topics ranging from attribute metadata to trust frameworks to strength of biometric authentication.
We saw the introduction of the IDESG’s registry for the Identity Ecosystem Framework, and experienced a stunning level of growth in adoption of our solutions from our pilots program, which (as of just September 30) has impacted more than 6.7 million individuals across 12 sectors.
“Hey, people now, smile on your brother. Let me see you get together.”
We started off 2016 by listening to our community. The Applying Measurement Science in the Identity Ecosystem workshop in January brought together more than 200 security practitioners, identity solution providers, subject matter experts, and policy makers from across sectors to discuss the application of metrics and measurement science to common identity management practices. This laid out some of our main efforts of 2016: projects to advance measurement science in digital identity. We proposed approaches and frameworks and asked for the community’s input. The TIG is all about building partnerships to advance digital identity, so let’s review how we collaborated on projects driving trust, convenience, and innovation in the identity ecosystem in 2016.
“Your faith was strong but you needed proof”
A primary focus for the TIG this year was updating Special Publication 800-63-3: Digital Identity Guidelines (SP 800-63-3) to simplify the document and better align with Executive Order 13681, market advancements, and the international community. But we needed community feedback to make the document as useful as possible. Between May 8 and September 17, 2016—our first foray into using GitHub—there were more than 3,700 unique visitors to our GitHub repository, with contributors submitting 258 “issues,” i.e., items for our review. The open-source nature of this approach enabled direct communication with commenters and real-time updates so you could tell us if we got it right.
“Me miro en el espejo y veo en mi rostro” (I look at myself in the mirror and see my face)
Measuring the strength of an authenticator can be a thorny issue, but it’s one that the TIG is up for tackling. In the Strength of Function for Authenticators – Biometrics (SOFA-B) Discussion Draft, we propose a framework to evaluate and compare the strength of authentication solutions. We are initially focusing on biometric authenticators due to the increased availability of biometric sensors in the consumer space. They also represent the ideal initiation point for the SOFA framework: a diverse and emerging set of technologies with varying performance, configurations, and capabilities, which also have limited security guidance in place.
This document attempts to provide a starting point for the overall SOFA framework by identifying the ways biometric authenticator strength can be measured and evaluated. It focuses on three core concepts: False Match Rate, Presentation Attack Detection Error Rate (spoof detection), and Effort, that is, what it takes to break a system. We accepted comments via GitHub through mid-December and held a webinar to engage with the community on their feedback.
“Sometimes clothes do not make the man”
…but attributes do. The TIG provided a metadata schema for attributes that can be asserted about an individual during an online transaction in draft NISTIR 8112: Attribute Metadata. The NISTIR outlines a plan that can be used by relying parties to enhance access control policies and perform real-time evaluation of an individual’s ability to access protected resources. We propose a schema for attribute metadata and attribute value metadata that can convey information about a subject’s attribute(s) so relying parties can better understand how attributes and values are obtained, have greater confidence in applying authorization decisions, and promote federation of attributes.
“Who can you trust, who can ya?”
As the rules of the road for federated identity systems, trust frameworks detail the business, legal, and technical requirements for all parties involved. The TIG explored concepts around trust frameworks and identity federation while also providing areas for discussion when developing these systems in draft NISTIR 8149: Developing Trust Frameworks to Support Identity Federations. The NISTIR is intended to spread knowledge on identity federations and trust frameworks to a more general audience. NIST also seeks to increase standardization of the language around these practices and set a common understanding to facilitate widespread adoption.
“The plan is to stay focused, only then I can grow”
In 2016, we saw explosive growth in adoption of our pilots’ solutions and record growth in the number of grant recipients and partners. We added six new pilots across 10 states and Washington, D.C., bringing the grand total of projects funded to 24. In our largest pilot award to date, projects include helping states ease citizen access to online services, issuing mobile driver licenses in four states and D.C., and improving access to health records for patients and practitioners.
“And take it to the limit, one more time”
The TIG has grand plans for the new year, like working with agencies to implement some of the changes in SP 800-63-3. This means the unveiling of a new initiative where we will assist federal agencies in deploying trusted identity solutions for citizen-to-government access. To do so, we’re working with our sibling group, the National Cybersecurity Center of Excellence (NCCoE), to launch an effort to make the great solutions in the market and the great progress we’ve made on standards and guidance real and easily implementable for agencies and industry alike.
We’ll also follow up on the documents we released for public comment, starting with the release of SP 800-63-3 for a traditional public comment period before releasing the final version later in the year. Beyond that, we’ve already begun work on the next new aspect of our guidance on digital identity, a companion implementation guide to SP 800-63 that, like our work in the NCCoE, will help bridge the gap between outcome-based guidance and the on-the-wire outcomes themselves.
We also plan to finalize the attribute NISTIR. We’ll continue our work to finalize the SOFA-B framework, of which you can get an early preview at RSA in February. Plus, we’ll carry on and build out our efforts in market intelligence, which help us keep up with the pulse of the market and focus our efforts on specific market impediments.
To keep pace with our work in 2016, next year we’ll release a recap of how the market has changed since the NSTIC was released in 2011, along with our roadmap for continuing the momentum over the next five years. We’ll release a new pilots-based NISTIR, a lightweight, non-technical document focused on the business aspects of developing and deploying identity and access management solutions.
We’ll also be announcing new ways to engage with the community and new efforts to take NSTIC implementation, under the new TIG banner, global. We have no doubt 2017 will bring more opportunities to work together to advance digital identity, and we couldn’t be more excited to continue the great partnership this community has built.