Fed Websites to Accept External Credentials

Non-Fed Credentials Seen as Saving Gov't Millions of Dollars
Fed Websites to Accept External Credentials
More than 72,000 public users accessing information on National Institute of Health servers since June 2010 have used externally issued credentials, saving the Department of Health and Human Services agency nearly $3 million over five years.

The savings comes from NIH not having to manage user IDs and passwords on some 50 systems, says Federal CIO Steven VanRoekel.

VanRoekel's comments came in a memorandum he issued earlier this month to departmental and agency chief information officers to permit agencies to leverage externally issued credentials in addition to continuing to offer federally issued ones to authenticate users.

The memo calls for executive branch agencies to accept approved, externally issued credentials when they upgrade or develop Level 1 government websites that allow the public to register or log on. Websites requiring credentials with higher levels of assurance - Levels 2, 3 and 4 - should also be enabled to accept approved externally issued credentials when appropriate (see box for Office of Management and Budget definition of the four levels).

"In basic terms, this means that solutions from firms like Equifax, Google, PayPal, Symantec and Wave Systems - all of whom have had their credentialing solutions certified to meet federal security and privacy requirements - can be trusted identity providers for certain types of federal applications," White House Cybersecurity Coordinator Howard Schmidt writes in a blog.

Schmidt says a handful of identity providers have undergone or are undergoing the federal approval process. "We are eager to see - particularly at the higher levels of credential assurance - a larger, vibrant pool of accredited identity providers to provide more choices for people and federal agencies," he says. "The federal government has developed a viable framework for using federated digital credentials, and with this memorandum, taken a significant step towards creating a more efficient government that can meet the needs of the American people in the 21st century. Now we look to the private sector to support our efforts and reap the collective benefits."

VanRoekel says the initiative will take effect 90 days after final approval by the Federal CIO Council and General Services Administration of at least one trusted framework provider identified in an attachment to the memorandum.

The use of externally issued credentials is part of a public-private initiative known as the National Strategy for Trusted Identities in Cyberspace, or NSTIC (pronounced N-stick), that's aimed at enhancing efficiency, security and privacy in all transactions done online every day (see A Plan to Improve Online Security).

The Obama administration in April unveiled the federal government/private-sector strategy that it said would eventually let users obtain a single credential as a one-time digital password in the form of software on a mobile device, a smart card or token to transact business over the Internet (see Single Digital Password Credential Sought).


About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.