~ June 2015 ~

Welcome from the Executive Director

Recently, NIST invited open comments to SP 800-63-2, Electronic Authentication Guideline to which the IDESG responded. Submitting comments is critical to the creation and success of an Identity Ecosystem and the IDESG is a vital part of this relevant discussion. Our charter mandates that we educate and inform all parties - whether they be public or private sector - on issues related to strengthening identity credentials that enhance privacy, security and usability. Increasing and instilling consumer confidence in online transactions when engaging with identity credentials is paramount in deterring misuse of consumer data, online fraud and identity theft, and the Identity Ecosystem Framework (IDEF) is key to this effort.

Equally as important is the need to establish what new best practices and standards are necessary to protect online identity, and how to anticipate and incorporate innovations that may arise in the next 10 years. If the Guideline is to remain as authoritative, relevant, and useful in its second decade of direction as it was in its first, it must be updated to incorporate the guidance set forth in the NSTIC, and require its adherence by all who would follow the Guideline, whether they are a public or private sector actor. We are pleased to submit comments to NIST that affect the core principles of the NSTIC, the work the pilots are conducting and the great strides the IDESG is making to realize a fully functioning Identity Ecosystem that reflects the NSTIC. With our combined efforts, we are close to finishing the first of the IDEF and I look forward to the successive products coming from the IDESG. Our comments can be found at www.IDecosystem.org.

~ Marc-Anthony Signorino, IDESG Executive Director

Chairperson's Corner

By Kimberly Little Sutherland, Plenary Chair

This month, the IDESG leaders from both the Management Council and all of the plenary committees convened together to engage in key tactical and strategic planning for our organization. It was a dynamic two day event and since that time together, I have reflected on the impact that our exchange of ideas can have on the IDESG as a whole. We discussed how much identity-related matters in our increasingly online society have evolved since the signing of the National Strategy for Trusted Identities in Cyberspace and how that has impacted even the stakeholders that are a part of our organization as well as those that we want to encourage to be engaged. As we roll out the upcoming framework (v1), we need to use these varied lenses and get people thinking about how they relate to the identity ecosystem. Hopefully, our framework will be used to help some people better understand what the Identity Ecosystem is, where they may fit and how we can start to raise the bar in terms of the expectations around aligning with the NSTIC principles.

There were a lot of great ideas and plans that came from our Leadership Retreat, and the key will be to take the action items and follow through with the deliverables. Look for some invitations for a few short term plenary working groups to help us with these work items; we'll need your involvement.

Around the Ecosystem

• May 4th - Kantara Initiative All Hands Europe, Munich, Germany, Ian Glazer
• May 5th
  • Design Principles of Relationships - Capturing Relationship Context in the Age of People, Entities, and Things, European Identity & Cloud Conference 2015, Ian Glazer
  • ID360 - Today's Digital Currency: Navigating the Impact on Identity Management and Security, Austin, TX, Kimberly Little Sutherland and Mark DiFraia moderated
  • Cartes-America, Mark DiFraia
• May 7th - Gemalto Identity Conference, Rome, Italy, Marc-Anthony
• May 14th - GSMA Mobile 360, Future Regulation and its Impact on the Mobile Industry, Ray Kimble
• May 27th - NSTIC Pilot Outbrief: select pilots conducted a virtual outbrief in which they shared their successes and lessons learned
• May 28th - Stop Treating Your Customers Like Your Employees, ForgeRock Identity Summit, Ian Glazer

From the FMO

• From May 19-20, the IDESG held a leadership retreat during which the FMO team led a discussion regarding enhancements to the current representation of the IDESG "Dashboard" deliverable tracking system. Several of the resulting suggestions will be incorporated in future versions of the Dashboard, including:
  • Clarifying which deliverables will ultimately be presented for Plenary approval
  • Allowing various display formats for respective classes of deliverables, such as eliminating some details for non-Plenary deliverables
  • Expected file names based on the file naming guidelines
  • Establishing expected dates for all deliverables, or identifying which dates are not yet determined
  • Creating a more detailed status tracking of the individual standards under evaluation within the Standards Approval Policy
  • Adding text descriptions of deliverables
  • Updating labels and individual owners for several items
  • Enabling tracking of deliverable reviews by additional committees, in addition to the Privacy Committee
  • Adding more status indicators for active, completed and inactive deliverables
  • Incorporating URL links for deliverables
  • Mapping deliverables to the Strategic Plan (Appendix A) where appropriate
• The FMO staff edited and collated the final edition of version 1.0 IDEF Baseline Functional Requirements from the IDESG committees who worked intensively during May to finalize these key statements. They have been submitted as a package to the Management Council for presentation during the upcoming Plenary meeting. These Requirements are the backbone of the Strategic Plan's deliverable of an IDESG Self-Assessment Listing Service (SALS) program. In the next month, the TFTM committee will continue to receive and review a set of guides, terms and conditions, and related materials to define the rules of the road and presentation style for the Requirements, as they will be presented to identity ecosystem stakeholders in the SALS program.

From the NSTIC NPO

• For those not able to attend the May 27th IDESG/NSTIC NPO virtual outbrief with updates from select pilots, the program has been recorded. The Web seminar included pilots from these organizations sharing their successes and lessons learned:
  • Michigan Department of Human Services
  • Commonwealth of Pennsylvania
  • American Association of Motor Vehicle Administrators (AAMVA)
  • Privacy Vaults Online, Inc. (PRIVO)
  • University Corporation for Advanced Internet Development (UCAID)
  Additional information about each pilot can be found here.
• NIST announced a request for public comment of SP 800-63-2: Electronic Authentication Guideline. As the first step in revising the publication, NIST solicited recommendations from experts-including those in industry, government, and educational fields-on which sections of the document need to be revised. The IDESG's comments can be found at www.IDecosystem.org. To find out more about the request for public comment, visit: https://www.nist.gov/itl/201504_eauth_rfc.cfm.
• The NSTIC NPO recently announced a Privacy Pilots Federal Funding Opportunity. The purpose of the new pilot program is to advance the NSTIC vision, objectives and guiding principles and tackle barriers that have, to date, impeded the Identity Ecosystem from being fully realized. The NSTIC NPO is soliciting applications to fund projects that are intended to overcome privacy-enhancing technology implementation barriers while advancing the NSTIC vision. For more information about the new pilot program, visit: https://go.usa.gov/3CS7V.
• The NSTIC NPO recently published a NISTIR called "NSTIC Pilots: Catalyzing the Identity Ecosystem" that details summaries and outcomes of the NSTIC pilots. It also explores common themes in the pilots' efforts as they develop and operate innovative identity solutions. To read the NISTIR, visit: https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8054.pdf.

Upcoming Events

14th Plenary Session
Thursday, June 25, 2015 from 1-5 p.m. EST, the IDESG will host the 14th plenary via virtual platform. More details will follow via direct email and through social media sites.

Upcoming Speaking Engagements

• June 3rd - Rene McIver at the Health Privacy Summit, Washington, DC, is part of Breakout Session 1c: The Low-Hanging Fruit: Why Data Breaches Continue and Panel Discussion
• June 4th - International Conference on Collaboration Technologies and Systems (CTS 2015) "Privacy in the Information Sharing Age: Lost Cause or the Next Frontier?" in Atlanta, GA
• June 8th - 10th - The 14th Annual Smart Card Alliance Government Conference in Washington, DC
  • Salvatore D'Agostino is presenting "What is an Identity Anyway and How is Identity Management Evolving?"
  • Rene McIver is a presenter in Track Session 2: ID Security Implementation & Policy, Speaker #3 on Connect.Gov - Simplifying Secure Access to Online Services
  • Sal D'Agostino will moderate "Challenges Agencies Are Facing To Use 2-Factor Authentication"
  • ID Security Implementation & Policy, Marc-Anthony Signorino & Rene McIver
  • Healthcare ID Security, Neville Pattinson
  • Government Use Cases for High Assurance Credentials, Mark DiFraia
• June 8th - 11th - Cloud Identity Summit in La Jolla, CA
  • Ian Glazer will present a Keynote Speech at the Cloud Identity Summit focusing on Identity's TCP/IP Moment
  • Michael Garcia and Kimberly Little Sutherland will present "State of the NSTIC: Introducing the Identity Ecosystem Framework"
• June 15th - Jack Suess will present at the Terena Conference in Portugal
• June 30th - Michael Garcia is attending OIX Economics of Identity Workshop in London, UK
• September 26th - October 1st - During the ASIS International 61st Annual Meeting (and pre-seminar programs), Sal D'Agostino will present:
  • New Frontiers: Legal and Operational Principles for Evaluating and Managing Emergent Security Technologies
  • Securing Healthcare Facilities with Future Expectations, New Programs, and Security Officer Implementations
  • Addressing Cyber Security Concerns in Physical Security
  • Panel Discussion: Role of Security Controls in Managing Risk

To share your presentations with IDESG members, send a hyperlink or attachment to maryalice@IDecosystem.org, and a link will be included in the next newsletter.

In The Media

• Getting ID Right in Virginia, Dave Burhop, IDESG Blog, May 26, 2015
• How many parties does it take to provide a single government login?, FCW, May 22, 2015
• Password Fatigue, Toledo Blade, May 22, 2015
• Privacy, security and one login to rule them all?, FCW, May 21,2015
• NIST Official: Businesses Need to Take More Responsibility for Cybersecurity, NextGov, May 20, 2015
• Global Cities Expo to Showcase 'Internet of Things' Apps, June 1, NIST Tech Beat, May 20, 2015
• Department of Defense far from adopting biometrics for identity and access management, Biometric Update, May 18, 2015
• DoD rethinks Identity and Access Management strategy, C4ISR & Networks, May 17, 2015
• Ron Ross: NIST Working on Final Guidance to Integrate Cyber Efforts, ExecutiveGov, May 15, 2015
• The new perimeter and the rise of IDaaS, GCN Blogs, May 8, 2015
• Senate Confirms Willie E. May as 15th NIST Director, NIST website, May 5, 2015
• An exit interview with Jeremy Grant, NSTIC director and NIST's lead on digital identity, FierceGovernment IT, May 4, 2015

This newsletter was prepared by the Identity Ecosystem Steering Group, Inc. using Federal funds under award 70NANB14H215 from the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Institute of Standards and Technology (NIST), U.S. Department of Commerce. The statements, findings, conclusions, and recommendations are those of the author(s) and do not necessarily reflect the views of NIST, NSTIC, or the U.S. Department of Commerce.