New ID policy looks to leverage government credentials

An updated credentialing policy from the White House looks to tap agency-issued identifiers like Social Security numbers to secure digital transactions.

A new memo from the Office of Management and Budget directs agencies to set up teams for each agency to govern identity management efforts. It also stresses the importance of making valid identities interoperable across agency boundaries.

To that end, the memo directs agencies to accept existing personal identity verification credentials rather than issue new ones and to use PIV credentials as "a method to encrypt information in transit and shared between two or more federal employees or contractors." It also tasks the National Institute of Standards and Technology, the Federal CIO Council and the Federal Privacy Council to collaborate with agencies to pilot alternatives to managing identities.

Chih-Wei Yi, a risk and financial advisory principal at Deloitte, said that while "most" of memo consisted of "codifying" best practices in industry, the focus on interoperability would make doing business across agencies easier.

Eventually the cross-government collaboration could mean that contractors and others who work with multiple agencies would not have to get individual PIV cards for each agency, which would save time, money and "make for a more productive workforce," Yi said.

In the private sector, organizations have been pushing for the federal government to update its identity management policy.

Jeremy Grant, coordinator of the Better Identity Coalition, called the new memo "a critical step" in better securing digital identity and closing the "identity gap" between traditional, physical credentials and digital environments.

"It lays the policy foundation for a new array of more secure, privacy-enhanced digital identity solutions to help consumers better protect their identities and more easily do business online," he said.

Last year, the Better Identity Coalition published a policy blueprint to help change the way individuals establish and maintain online identity. The OMB memo adopted the blueprint's recommendation that government offer new digital services to validate identities issued to consumers.

While the memo does not call for the $1 billion that the Better Identity Coalition outlined in its blueprint, it does target agencies that have more citizen-facing profiles and greater cybersecurity risks.

The memo directs "agencies that are authoritative sources for attributes," such as the Social Security Administration, to "establish privacy-enhanced data validation APIs for public and private sector identity proofing services to consume, providing a mechanism to improve the assurance of digital identity verification transactions based on consumer consent."

"Those selected agencies, in coordination with OMB, shall establish standard processes and terms of use for public and private sector identity proofing services that want to consume the APIs," it states.

Another key update in the memo is the inclusion of non-human entities as part of the identity management policy. Yi said he found the extension of the definition of identity to non-human entities to be pertinent.

"There are going to be more and more of these advanced technologies, and adding that layer to the workforce requires that agencies figure out how to have these bots access sensitive information," he said.