NIST plays matchmaker on identity verification

Deputy Director Michael Garcia (left) and Senior Standards and Technology Advisor Paul Grassi (right) of NIST's National Strategy for Trusted Identities in Cyberspace speaking April 29 at FCW's Creating Trusted, Identity-Driven Federal Enterprises event.

Deputy Director Michael Garcia (left) and Senior Standards and Technology Advisor Paul Grassi (right) of NIST's National Strategy for Trusted Identities in Cyberspace spoke at FCW's Creating Trusted, Identity-Driven Federal Enterprises event on April 29.

The U.S. government wants to play facilitator rather than savior in verifying online identities.

Michael Garcia, a National Institute of Standards and Technology official focused on the issue, said one of his agency’s ongoing projects is to foster a private marketplace for identity verification best practices.

Security isn’t the only issue at stake with identity verification, according to Garcia, who is deputy director of the National Strategy for Trusted Identities in Cyberspace (NSTIC). Liability, interoperability and privacy are all at play, and progress is needed in each area “to actually get to a functional, sustainable marketplace,” he said April 29 at an FCW-sponsored conference in Washington, D.C.

The theft of online credentials, and the hassle of managing a proliferating crop of passwords, is a burden on the consumer. Forty-six percent of consumers abandon a website rather than try to reset a password or answer a security question, said Paul Grassi, NSTIC’s senior standards and technology adviser, citing data from Verizon Enterprise Solutions.

Passwords are a “perfect combination of a really bad user experience as well as being terrible at security,” Garcia quipped.

There is broad interest in improving that user experience, not least from businesses wanting to offer more services online and federal officials worried about the security of their employees.

To harness that interest, NIST has funded the creation of the Identity Ecosystem Steering Group, which includes a wide array of stakeholders ranging from big banks such as Citigroup to privacy advocates such as the Electronic Frontier Foundation. The group is now a non-profit and the goal is to wean it off of the government dime, Garcia said, adding that NIST has issued grants rather than contracts to the firms with that aim in mind.

The group will by summer’s end issue a preliminary framework of business rules and interoperability standards for identity verification to which private firms can attest, Garcia predicted. The next version of the framework will get more specific, with provisions on accountability mechanisms, risk models and liability arrangements, he said.

“If nothing else, if we do this right, it removes this bilateral need for rooms full of lawyers to get together and spend months trying to figure out whether or not they can work together,” Garcia said.

When asked at the conference whether the government can be a trusted broker of a privacy-enhancing initiative, Garcia said NIST is a “scientific organization. I think that benefits us significantly in the way that we’re able to communicate and interact, and how we’re perceived in doing so.”

Grassi stressed that no personally identifiable information is stored as part of, a digital credential initiative in which NIST participates. Dan Waddell, director of government affairs for (ISC)2, an IT security nonprofit, said Grassi’s message was a good one for building trust with the private sector and the American public. “The more messaging they can do around that, I think the better, because I think the perception from the public is that if [the government gets] hacked, my information is going to be leaked,” he told FCW.

About the Author

Sean Lyngaas is a former FCW staff writer.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.