In June 2017, NIST released its new series of “Digital Identity Guidelines” (SP 800-63-3), componentizing guidance across functions of a modern identity stack: Enrollment and Identity Proofing; Authentication and Lifecycle Management; and Federation and Assertions. Further, with the release of OMB’s April 6, 2018 draft of M-18-XX, “Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management”, guidance is being shaped to implement these as enterprise services, and older OMB memoranda (e.g., M-04-04 and M-11-11) are being put to rest.
So, while government identity governance is coming together, it’s important to understand the impacts on each agency’s consumer-facing implementation. For example, it’s well known that the tighter we wind identity verification, the more we could fail to serve constituents. This occurs when true consumers applying for government services are unable to supply the range of accurate personal information necessary to achieve high-assurance identity proofing. Furthermore, data breaches in recent years involving the release of personally identifiable information may have caused some consumers to freeze their credit profiles with the three main credit reporting agencies. While this approach was suggested by some media, the consequences were not well reported. Depending on the identity proofing strategy, a consumer’s frozen file may prevent government access to some data necessary for high-assurance identity proofing.
Dealing with guidance that results in a positive consumer experience requires a better understanding of the targeted consumer populations. This is achieved by advance analysis that promotes a more comprehensive outline of the consumer demographic in question. I think the notion of measuring twice, cutting once indeed applies to serving the government’s constituency.