CIS13: FCCX and IDESG: An Industry Perspectives
1. National Strategy for Trusted Identities in Cyberspace
NSTIC in Motion
Pilots, Policy and Progress
Jeremy Grant, Senior Executive Advisor, Identity Management, National Institute of Standards and Technology (NIST)
2. NSTIC Workshop Agenda
Sessions
1pm Part 1
• “The State of the NSTIC” – Jeremy Grant
• Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon
2pm Part 2
• Pilot Report #2: Attribute Exchange Network – Dave Coxe, Criterion Systems
• Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2
3pm Part 3
• Identity Ecosystem Steering Group (IDESG) – Bob Blakely, Citigroup
• Federal Cloud Credential Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)
• NSTIC and the National Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)
• Discussion and Perspectives
4. Imagine if…
Four years from now, 80% of your customers arrived at your website already holding a secure credential for identification and authentication – and you could trust this credential in lieu of your existing username/password system.
Interoperable with your login system (you don’t have to issue credentials)
Multi-factor authentication (no more password management)
Tied to a robust identity proofing mechanism (you know if they are who they claim to be)
With baked-in rules to limit liability and protect privacy
5. What would this mean…
For Security and Loss Prevention?
• 5 of the top 6 vectors of attack in 2011 data breaches tied to passwords; 76% of all 2012 records breached tied to passwords.
• The number of Americans impacted by data breaches rose 67% from 2010 to 2011
• Weak identity systems fuel online fraud, make it impossible to know who is a “dog on the Internet”
For Reducing Friction in Online Commerce?
• Today, 75% of customers will avoid creating new accounts. 54% leave the site or do not return
• Today, 45% of consumers will abandon a site rather than attempt to reset their passwords or answer security questions
6. Two years, two months and 24 days ago…
An Identity Ecosystem…with 4 Guiding Principles
• Privacy-Enhancing and Voluntary
• Secure and Resilient
• Interoperable
• Cost-Effective and Easy To Use
7. Why NSTIC?
There is a marketplace today – but there are barriers the market has not yet addressed on its own
8. Barriers: Security is a big issue
Source: 2012 Data Breach Investigations Report, Verizon and USSS
2011: 5 of the top 6 attack vectors are tied to passwords
2010: 4 of the top 10
9. But – it’s not all about security
Business Models
Usability
Liability
Interoperability
Privacy
Source: xkcd
10. Why NSTIC?
There is a marketplace today – but there are barriers the market has not yet addressed on its own.
Government can serve as a convener and facilitator, and a catalyst.
11. Our Implementation Strategy
12. We don’t want to boil the ocean.
13. Let’s go surfing where the waves are…
NSTIC
14. What does NSTIC call for?
Private sector will lead the effort
• Not a government-run identity program
• Private sector is in the best position to drive technologies and solutions…
• …and ensure the Identity Ecosystem offers improved online trust and better customer experiences
Federal government will provide support
• Support development of a private-sector led governance model
• Facilitate and lead development of interoperable standards
• Provide clarity on national policy and legal issues (i.e., liability and privacy)
• Fund pilots to stimulate the marketplace
• Act as an early adopter to stimulate demand
18. …I now am managing one-off 2FA solutions for
19. NSTIC has funded 5 pilots…with more coming
AAMVA
• Focus: Develop public-private partnership to strengthen private-sector credentials with attributes from a state DMV
• Virginia DMV, Microsoft, CA, AT&T are key partners
• Coming soon: an important health care RP
Daon
• Focus: deploy smartphone based, multi-factor authentication to consumers
• AARP, PayPal, Purdue are key relying parties
• A major bank (not yet publicly named) will also be an RP
Criterion
• Focus: develop a viable business model for Identity Ecosystem and attribute exchange
• Broadridge Financial, eBay, Wal-Mart, AOL, Verizon, GE, Experian, Lexis Nexis, Ping, CA, PacificEast are key partners
Internet2
• Focus: deploy smartphone based, multi-factor authentication across 3 major universities, integrate it with a privacy-protecting infrastructure.
• MIT, University of Texas, University of Utah are deployment sites
Resilient
• Focus: test “privacy enhancing” infrastructure in health care and K-12 environments.
• AMA, American College of Cardiology, LexisNexis, Neustar, Knowledgefactor are key partners
20. Pilots lessons learned
Each pilot has run into the same challenges – underscoring the need for a robust Identity Ecosystem Framework.
Common considerations:
o No standard way to bring on new RPs (technical/policy/legal)
o Existing trust frameworks only go so far
o RPs struggle to sort out how to apply risk assessment to determine credential strength/LOA (800-63 aside, no great alternatives)
o Trust frameworks do not extend to attribute providers/verifiers
o How to ensure “data minimization” in attribute exchange, when some APs offer “data promiscuity”
o How to flow down consent requirements to end-users in a logical fashion
21. The Identity Ecosystem Steering Group
Source: Phil Wolff, http://www.flickr.com/photos/philwolff/7789263898/in/photostream
First plenary, August 2012
22. The Identity Ecosystem Steering Group: Bringing together many types of stakeholders
23. The Identity Ecosystem Steering Group
• 200+ firms/organizations; 60+ individuals
• Elected Plenary Chair (Bob Blakley/Citi) and Management Council Chair (Peter Brown); Elected 16 delegates to Management Council
• Member firms include: Verizon, Visa, PayPal, Fidelity, Citigroup, Mass Mutual, IBM, Bank of America, Microsoft, Oracle, 3M, CA, Symantec, Lexis Nexis, Experian, Equifax, Neiman Marcus, Aetna, Merck, United Health, Intel.
• Also: AARP, ACLU, EPIC, EFF, and more than 65 universities. Participants from 12+ countries.
• Committees include:
o Standards
o Policy
o Privacy
o User Experience
o Security
o Trust Frameworks & Trustmarks
o Health Care
o Financial Sector
o International Coordination
24. Linking Strategy to Execution
• Voluntary, multi-stakeholder collaborative efforts are hard.
• What is the art of the possible?
• What incentives might be needed to fully realize the NSTIC vision?
25. NSTIC envisions the potential need for new policies
“The Federal Government may need to establish or amend both policies and laws to address” concerns such as “the uncertainty and fear of unbounded liability that have limited the market's growth.”
-NSTIC, page 31
• The IDESG Policy Committee is reviewing this topic
• A unique window of opportunity
26. Ensuring the U.S. Government can be an early Adopter
27. Making progress in government is tough…
29. Where we started
[Diagram labels: FICAM (TFPAP); TFP; MoUs; Certification Agreements; IdP, IdP, IdP; TFP; Integration; ???; $$$!!!; RP, RP, RP, RP; Agencies]
32. New study shows real USG cost savings from NSTIC
• Funded by NIST Economic Analysis Office, conducted in partnership with the IRS
• Focus: cost-benefit analysis comparing federation (NSTIC) approach vs. one-off proprietary authentication system
• Looked at 3 scenarios: 20%, 50%, 70% adoption
33. New study shows real USG cost savings from NSTIC
Key Findings
• Over a 10-year period, IRS would save $63 million to $298 million by aligning its citizen-facing identity and authentication efforts with NSTIC (vs. building a stovepiped, IRS-only system)
• Up-front adoption savings would be $40 million to $111 million
• Savings driven both by avoidance of duplicative identity proofing and authentication costs, as well as increased customer uptake of online offerings
• Opportunity: IRS spent over $1 billion communicating with taxpayers on paper and by telephone in 2012
35. Trust matters to online business
$2 trillion: The total projected online retail sales across the G20 nations in 2016
$2.5 trillion: What this number can grow to if consumers believe the Internet is more worthy of their trust
$1.5 trillion: What this number will fall to if trust is eroded
Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.
36. Questions?
Jeremy Grant
jgrant@nist.gov
202.482.3050
Identity Ecosystem Steering Group
www.idecosystem.org
idecosystem@trustedfederal.com
39. The Identity Ecosystem Steering Group
Created to administer the development of policies, standards, and accreditation processes for the Identity Ecosystem Framework.
www.idecosystem.org