Cloud

As ID management pilot takes shape, early agencies hop aboard

cloud concept with man in suit

Less than two weeks after the U.S. Postal Service awarded a contract worth up to $15 million to Toronto-based SecureKey Technologies to provide the infrastructure for the government's first cloud-based identity management pilot, several agencies have already jumped onboard.

The USPS, which plans to develop the Federal Cloud Credential Exchange (FCCX), has been joined by the Department of Veterans Affairs and the National Institute of Standards and Technology; the General Services Administration will also play a role, according to a blog post by NIST senior privacy policy advisor Naomi Lefkovitz.

GSA is charged with overseeing the successful integration of FCCX with the Federal Identity Credential and Access Management (FICAM) policy – the process by which trusted framework providers are certified. GSA is also expected to build a governance framework and successful business model, Lefkovitz said in the post.

It has been rumored that a few other agencies are mulling participation in the pilot program, including the Internal Revenue Service, Department of Education and Social Security Administration, all of which assisted to some degree in developing the pilot's requirements.

The case for IRS involvement is a strong one given the results of a case study earlier in 2013 that suggested the IRS could save as much as $300 million annually by adopting an improved identify management system.

According to a USPS official, however, the pilot participants have not been finalized at this time.

FCCX is a direct result of the White House's National Strategy for Trusted Identities in Cyberspace initiative (NSTIC). If successful, its benefits will be simplifying the way citizens use government websites while theoretically reducing costs for participating agencies that would no longer have to utilize in-house ID management systems.

While the FCCX pilot is not finalized yet, the blueprint already exists through similar work SecureKey has done with the Canadian government, managing 1 million transactions per month and up to 10 million users. FCCX's capacity will be much larger, scaling to potentially handle hundreds of millions of users. The company has not announced its cloud partner yet.

The service works in much the same fashion that online payment gateway systems operate, according to SecureKey chief marketing officer Andre Boysen. From almost anywhere in the world, a credit card customer can withdraw money from an ATM without a merchant viewing the customer's credit card bill, and that kind of assurance coupled with privacy is exactly what the government wants for FCCX.

Boysen said FCCX will use a "triple blind" process that keeps the FCCX hub and relaying agency from knowing a user's personal information, while hiding the identity of the credential issuer and preventing user log-in data from being shared between agencies.

In this way, Boysen said, no party is privy to a majority of a user's private information.

The system works because of trust, he added. Participating agencies must trust the ID proofing and authentication of third-party credential providers, which must be approved by the Federal Identity, Credential, and Access Management (FICAM )program. Boysen said users play a role in that trust as well, selecting what kinds of personal information they wish to share and with whom.

In a hypothetical example, Joe User surfs to the IRS website and is offered log-in options that include FCCX. He chooses FCCX and is given a listing of FICAM-approved third-party certificate providers. If Joe User is a Citibank customer and Citibank is one of the approved certificate providers, he can use his banking username and password to authenticate his identity.

If the log-in is successful, Citibank – the credential provider – creates what Boysen called an "anonymous token" that gets passed to FCCX, which in turn "re-wraps it," hiding user information, and gives it to the requesting agency.

The agency then determines if the user is logging in for the first time, in which case he would go through a first-time enrollment process. If the user has logged in before based on the token information and identify proofing shows the user meets proper levels of assurance, he is logged in.

In the hypothetical example, Boysen said anonymous tokens ensure agencies cannot track users who log-in across different agencies. If Joe User goes to the VA's website after his visit to the IRS, neither agency would know.

While it sounds complex , Boysen said the whole process takes seconds.

"What we're trying to do is make use of the five to 10 things you use daily – those things you know really well and have no problem accessing or remembering," Boysen said.

About the Author

Frank Konkel is a former staff writer for FCW.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Wed, Sep 4, 2013 Michael Hardy

Reporter Frank Konkel responds to a reader question on this story in The Conversation blog at fcw.com.

Fri, Aug 30, 2013 john denver

I'd like to see the background of how we decided having a foreign country be the epicenter of our credentialing system makes good sense. I'm sure logic was used in that decision, I'm just not seeing it.

Thu, Aug 29, 2013 Beltway Bill

This is nice, but still not multi-factor. When are we finally going to get smartcard passports and driver licenses? Then I'll only have to carry that card and remember one password/PIN to have strong, multi-factor authentication.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above