Making Privacy Concrete (Three Words Not Usually Found Together)

By: Sean Brooks, Mike Garcia, Naomi Lefkovitz, Suzanne Lightman, Ellen Nadeau

Most in the IT space won’t know this, but NIST has one of the world’s best concrete engineering programs. Maybe we just have concrete on the mind since a couple of us in the office are doing house renovations, but with today’s publication of the NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems (NISTIR 8062), we are taking a page from the concrete folks’ book with a document that we believe hardens the way we treat privacy, moving us one step closer to making privacy more science than art. NISTIR 8062 introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on federal systems.

There were several reasons for venturing into this territory. Certainly the Office of Management and Budget’s July 2016 update to Circular A-130 gave us a strong impetus, but our ongoing trusted identities pilot program was also a significant earlier driver. The pilots need to demonstrate their alignment with the NSTIC Guiding Principles, but in the first couple of years of the program, grant recipients often had difficulty expressing to us how their solutions aligned with the Privacy Guiding Principle. Even agreeing about the kinds of privacy risks that were of greatest concern in federated identity solutions could drag out over multiple rounds of discussion.

NIST has produced a wealth of guidance on information security risk management (the foundation of which is NIST’s Risk Management Framework), but there is no comparable body of work for privacy. While there are international privacy framework standards that include the need for identifying privacy risk, there are no widely accepted models for doing the actual assessment.

We learned from stakeholders that part of the problem is the absence of a universal vocabulary for talking about the privacy outcomes that organizations want to see in their systems. In information security, organizations understand that they are trying to avoid losses of confidentiality, integrity and availability in their systems. The privacy field has the Fair Information Practice Principles, but as high-level principles they aren’t written in terms that system engineers can easily understand and apply. Oftentimes, privacy policy teams must make ad hoc translations to implement them in specific systems.

To try to bridge this communication gap and produce processes that are repeatable and could lead to measurable results, we began by considering how privacy and information security are related and how they are distinct. The Venn diagram below illustrates how information security operates in the space of unauthorized behavior within the system, whereas privacy can be better described as dealing with the aspects of system processing of personally identifiable information (PII) that is permissible, or authorized. The two fields overlap around security of PII.

Security and Privacy Concerns Venn Diagram

We also reflected on whether having privacy engineering objectives that had some functional equivalency to confidentiality, integrity, and availability could help bridge the gap between privacy principles and their implementation in systems. Here’s what we came up with.

privacy engineering objectives

Lastly, we developed, and confirmed with stakeholders, a privacy risk model to use in conducting privacy risk assessments. We needed a frame of reference for analysis—a clear outcome—that organizations could understand and identify. In information security, the risk model is based on the likelihood that a system vulnerability could be exploited by a threat, and the impact if that occurs. What, though, is the adverse event when systems are processing data about people in an authorized manner, meaning any life cycle action the system takes with data from collection through disposal? We know that people can experience a variety of problems as a result of data processing, ranging from psychologically based problems like embarrassment to more quantifiable problems like identity theft. We think that if organizations could focus on identifying whether any given action the system was taking with data was likely to create a problem for individuals, and what the impact would be, this would give them a clearer frame of reference for analyzing their systems and addressing any concerns they discovered.

How did this work out for our pilots? Frankly, it exceeded our expectations. Using this privacy risk model, they could identify new privacy risks, prioritize the risks, communicate them to senior management, and implement controls as appropriate (usually some combination of policy-based and technical controls). Shoutout to the pilots—we greatly appreciate your insights!

NISTIR 8062 is only an introduction to privacy engineering and risk management concepts. In the coming months and years, we will continue our engagement with stakeholders to refine these ideas and develop guidance on how to apply them. One of the properties of concrete that makes it so useful is that you can mold it into just about any shape, but once it sets you know exactly what to expect of its performance. This sort of flexible but consistent performance has long eluded those who care about systems-implementable privacy protections.


2016 Year in Review: (TIG-ing stock of) Innovation in the Identity Ecosystem

When you think about 2016, the first thing that comes to mind is innovation in the identity ecosystem. That can’t just be us, right? While there has been a host of high-profile bad things that happened in digital identity this year, we try to keep our eyes on the prize. And there’s been a lot of progress toward the long-term goal.

“Ch-ch-ch-ch-changes—just gonna have to be a different man”

Before we take a look at 2016, a quick programming note: the President established a 10-year timeframe for NSTIC implementation. Halfway through, we are tracking well to the benchmarks established in the strategy (more on this in early 2017). Still, as long as there is the internet there will be a need to empower individuals, businesses, and government to leverage digital identities to interact online. Goal four of the NSTIC calls for an ongoing evolution and sustainment of the identity ecosystem and, as such, many of our upcoming initiatives will extend beyond 2021. For that reason, we will be branding most of our work as the Trusted Identities Group, which we lovingly call “the TIG.”

NIST, and specifically the TIG, is proud to remain the National Program Office for implementing a strategy that is widely recognized as the foundation for a strong and vibrant identity ecosystem. While we’re excited about the increased pun opportunities that the TIG provides over NSTIC NPO, above all, we think of the TIG as the home of the ongoing and persistent partnership model we have built over the last few years. We remain dedicated to working with our partners and advancing this important work.

Nothing has changed besides the name (oh, and the awesome new name for our blog—shout out to office blog-naming champion Danna). We simply think this better reflects our recent new home at NIST, where we’re putting the “applied” in the Applied Cybersecurity Division for the Information Technology Laboratory—making sure everything we do ends in a positive impact for real people with a real need for better digital identity solutions.

“Stop! Look what’s behind you. Fame and love gonna find you. We’re just here to remind you.”

We considered 2016 a transitional year for our office as we turned our focus toward scaling adoption of quality digital identity solutions and making progress in standards and guidelines toward measuring the quality of solutions in the identity ecosystem. This year we released eight different publications—four times as many as last year—on topics ranging from attribute metadata to trust frameworks to strength of biometric authentication.

We saw the introduction of the IDESG’s registry for the Identity Ecosystem Framework, and experienced a stunning level of growth in adoption of our solutions from our pilots program, which (as of just September 30) has impacted more than 6.7 million individuals across 12 sectors.

pilots impact infographic

“Hey, people now, smile on your brother. Let me see you get together.”

We started off 2016 by listening to our community. The Applying Measurement Science in the Identity Ecosystem workshop in January brought together more than 200 security practitioners, identity solution providers, subject matter experts, and policy makers from across sectors to discuss the application of metrics and measurement science to common identity management practices. This laid out some of our main efforts of 2016: projects to advance measurement science in digital identity. We proposed approaches and frameworks and asked for the community’s input. The TIG is all about building partnerships to advance digital identity, so let’s review how we collaborated on projects driving trust, convenience, and innovation in the identity ecosystem in 2016.

“Your faith was strong but you needed proof”

A primary focus for the TIG this year was updating Special Publication 800-63-3: Digital Identity Guideline (SP 800-63-3) to simplify the document and better align with Executive Order 13681, market advancements, and the international community. But we needed community feedback to make the document as useful as possible. Between May 8 and September 17, 2016—our first foray into using GitHub—there were more than 3,700 unique visitors to our GitHub repository, with contributors submitting 258 “issues,” i.e., items for our review. The open-source nature of this approach enabled direct communication with commenters and real-time updates so you could tell us if we got it right.

“Me miro en el espejo y veo en mi rostro” (I look at myself in the mirror and see my face)

Measuring the strength of an authenticator can be a thorny issue but it’s one that the TIG is up for tackling. In the Strength of Function for Authenticators – Biometrics (SOFA-B) Discussion Draft, we propose a framework to evaluate and compare the strength of authentication solutions. We are initially focusing on biometric authenticators due to increased availability of biometric sensors in the consumer space. They also represent the ideal initiation point for the SOFA framework: a diverse and emerging set of technologies with varying performance, configurations, and capabilities, which also have limited security guidance in place.

This document attempts to provide a starting point for the overall SOFA framework by identifying the ways biometric authenticator strength can be measured and evaluated. It focuses on three core concepts: False Match Rate, Presentation Attack Detection Error Rate (spoof detection), and Effort, that is, what it takes to break a system. We accepted comments via GitHub through mid-December and held a webinar to engage with the community on their feedback.

“Sometimes clothes do not make the man”

…but attributes do. The TIG provided a metadata schema for attributes that can be asserted about an individual during an online transaction in draft NISTIR 8112: Attribute Metadata. The NISTIR outlines a plan that can be used by relying parties to enhance access control policies and perform real-time evaluation of an individual’s ability to access protected resources. We propose a schema for attribute metadata and attribute value metadata that can convey information about a subject’s attribute(s) so relying parties can better understand how attributes and values are obtained, have greater confidence in applying authorization decisions, and promote federation of attributes.

“Who can you trust, who can ya?”

As the rules of the road for federated identity systems, trust frameworks detail the business, legal, and technical requirements for all parties involved. The TIG explored concepts around trust frameworks and identity federation while also providing areas for discussion when developing these systems in draft NISTIR 8149: Developing Trust Frameworks to Support Identity Federations. The NISTIR is intended to spread knowledge on identity federations and trust frameworks to a more general audience. NIST also seeks to increase standardization of the language around these practices and set a common understanding to facilitate widespread adoption.

“The plan is to stay focused, only then I can grow”

In 2016, we saw explosive growth in adoption of our pilots’ solutions and record growth in the number of grant recipients and partners. We added six new pilots across 10 states and Washington, D.C., bringing the grand total of projects funded to 24. In our largest pilot award to date, projects include helping states ease citizen access to online services, issuing mobile driver licenses in four states and D.C., and improving access to health records for patients and practitioners.

United States map showing pilot partner locations

“And take it to the limit, one more time”

The TIG has grand plans for the new year, like working with agencies to implement some of the changes in SP 800-63-3. This means the unveiling of a new initiative where we will assist federal agencies in deploying trusted identity solutions for citizen-to-government access. To do so, we’re working with our sibling group, the National Cybersecurity Center of Excellence (NCCoE), to launch an effort to make the great solutions in the market and the great progress we’ve made on standards and guidance real and easily implementable for agencies and industry alike.

We’ll also follow up on the documents we released for public comment, starting with the release of SP 800-63-3 for a traditional public comment period before releasing the final version later in the year. Beyond that, we’ve already begun work on the next new aspect of our guidance on digital identity, a companion implementation guide to SP 800-63 that, like our work in the NCCoE, will help bridge the gap between outcome-based guidance and the on-the-wire outcomes themselves.

We also plan to finalize the attribute NISTIR. We’ll continue our work to finalize the SOFA-B framework, of which you can get an early preview at RSA in February. Plus, we’ll carry on and build out our efforts in market intelligence, which help us keep up with the pulse of the market and focus our efforts on specific market impediments.

To keep pace with our work in 2016, next year we’ll release a recap of how the market has changed since the NSTIC was released in 2011, along with our roadmap for continuing the momentum over the next five years. We’ll release a new pilots-based NISTIR, a lightweight, non-technical document focused on the business aspects of developing and deploying identity and access management solutions.

We’ll also be announcing new ways to engage with the community and new efforts to take NSTIC implementation, under the new TIG banner, global. We have no doubt 2017 will bring more opportunities to work together to advance digital identity and we couldn’t be more excited to continue this great partnership this community has built.

Twitter: @NSTICnpo


SOFA Talk: Strength of Function for Authenticators Framework Now Open for Comment!

Author: Elaine Newton, Identity and Standards Development Strategist

Back in January, NIST’s Applied Cybersecurity Division hosted the “Applying Measurement Science in the Identity Ecosystem” workshop. Among the knotty issues under consideration, 220+ participants discussed the concept of measuring the strength of authentication.

Through a combination of input from that workshop and analysis performed by experts (both internal and external to NIST) we have developed a proposed framework that can be used to quantify the security of authentication solutions – and now, we want to hear from you again. I’m happy to announce that the Strength of Function for Authenticators – Biometrics (SOFA-B) Discussion Draft is now open for comment.

SOFA is a proposed framework to evaluate and compare the strength of authentication solutions. SOFA-B is the strength of function for biometric authentication. This was our initial focus due to increased availability of biometric sensors in the consumer space. The SOFA model incorporates three aspects, explained further in the draft: matching performance, presentation attack detection (aka spoof detection), and effort (to break a system).


Ready to get involved? NIST plans for the initial input period to run for 60 days, from October 17th to December 16th. Due to the great success we’ve had with GitHub in the recent past, we are excited to use it again! Direct suggestions or comments can be submitted to GitHub as issues following the directions on the SOFA page or via emails sent to sofa@nist.gov. Comments will likely be added to GitHub to maximize transparency and collaboration, so please note that emailed feedback will be made public.

We can’t wait to hear from you, and thank you for your ongoing participation and contributions in developing the framework. Happy commenting!

Twitter: @NSTICNPO


Got trust? Seeking public comment on new NIST publication for developing trust frameworks to support identity federation

Some communities and organizations that share common user bases and transaction types are addressing challenges to users’ privacy and security by allowing users to access multiple services through common login processes. This approach – known as federated identity management – enables users to access multiple online organizations and services through shared authentication processes, instead of authenticating separately with each service provider.

Federated identity management is based on trust, especially between the organizations and service providers that use it. The “rules” for federated identity management are known as “trust frameworks” and the organizations that agree to follow such rules and participate are known as “identity federations.”

Want to know more about trust frameworks?

Check out today’s release of draft NIST Internal Report (NISTIR) 8149: Developing Trust Frameworks to Support Identity Federation. This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. As with our other drafts, we’re seeking feedback from the stakeholder community and would love to hear from you—see below for details.

Why now?

The major end goal is simple: to facilitate the widespread adoption of trust frameworks for organizations and the communities that benefit from them. Trust frameworks aren’t new, so this document doesn’t intend to introduce them to the public. Rather, the draft NISTIR aims to educate communities interested in pursuing federated identity management as they try to establish the agreements that will make up the framework. It includes guidance on determining roles in an identity federation, what to consider from a legal standpoint, and understanding the issues of establishing and recognizing conformance.

Additionally, we hope we can help standardize the language around identity federation and trust frameworks in the future to contribute to a common understanding of the concepts.

What’s the central issue?

Online service providers are struggling more and more to find ways to verify that their consumers are who they say they are while remaining secure and protecting user privacy. The default solution up until now has been to require consumers to register and create an account each time they access a new service, but this requires additional effort from service providers and puts the burden on consumers to keep track of many different accounts and login details. Remembering passwords for every single account is not practical, and many consumers are ignoring well-known security best practices that recommend not reusing usernames and passwords between sites. Additionally, convincing users to adopt multi-factor authentication is that much harder when we must ask them to do so across dozens of sites.

Draft NISTIR 8149 covers all the critical topics of trust frameworks, including roles and responsibilities, framework components and rules, legal structures (including risk and liability), and establishing and recognizing conformance. We won’t go into the details here, so please take a look at the draft.

How to comment

Like so many of our documents, this one won’t be complete without feedback from our stakeholders; we rely on you telling us what we got wrong and what we outright missed.

Because of the positive feedback we continue to receive on our other documents hosted on GitHub, we’re collecting comments on GitHub again via our NISTIR 8149 GitHub page. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a form. Using that tab, you can summarize your suggested changes and submit them for further discussion in a forum-style format. More instructions on this are available online.

Also, given that this is a more narrative style document, we understand that it might be easier for some to submit comments through a good old fashioned comment matrix. If so, please use this matrix and send it to trustframeworks@nist.gov. These comments will likely get added by us to GitHub for maximum transparency and collaboration—so please anticipate that any feedback emailed to us will be made public.

The 30-day open comment period runs from October 3 to November 1, 2016.

While NIST is better known for its focus on developing standards and technology, we never lose sight of the many enablers of technology that can make or break a market. A sustainable marketplace requires active work to establish the organizational structures and agreements that make room for great technologies; whether a technologist or attorney, policymaker or executive, establishing trust in digital identities isn’t a spectator sport.

Twitter: @NSTICNPO


Many thanks for a successful 800-63-3 public preview!

A look back on the SP 800-63-3 public preview

As summer has flown by, you have kept us very busy reviewing your comments on GitHub to Special Publication (SP) 800-63-3 and engaged in a dialog about how this material can be enhanced to better support the public and private sectors. The response we’ve received to SP 800-63-3 – and this new approach – has been phenomenal and inspiring. And now, we’re excited to transition from the public preview period for draft NIST SP 800-63-3: Digital Authentication Guideline to the next critical phase – the 60-day public comment period. But before we do that, I’d like to explain what we learned this summer and where we are headed next…

Between May 8 and September 17, 2016 – our first foray into using GitHub to solicit and manage comments for a major document – there were at least 3,757 unique visitors to our GitHub repository, with contributors submitting 258 ‘issues’ (i.e., items for our review). The open-source nature of this approach allowed us to communicate directly with commenters, giving us a much better way of knowing whether we heard you. It also gave commenters the opportunity to review updates and tell us if we got it right. Our goal was to create a community-driven document, and we hope you agree that your thoughtful feedback substantially improved the document from its initial draft.

As of yesterday, we have temporarily stopped responding to issues posted on GitHub to prepare for the upcoming formal public comment phase. Anyone can view the document as it was yesterday. You can still open an issue—but please know that we will automatically close those issues and ask that you check the updated document when it is posted at the start of the public comment period. If you still see the issue, we ask you to please open it then.

What is coming next?

We’re aiming to release a new draft for public comment in mid-fall.

We’ll have full details upon release of the draft—and GitHub will remain the tool of choice during the public comment period—but we will also include a PDF version of the draft. In addition to submitting comments via GitHub, you will also have the option to submit comments to us via email. We always make comments publicly available, so our team will convert any comments that reach us via email to open GitHub ‘issues’ that everyone can see. This allows us to continue to be transparent about the issues that influence any changes we will ultimately make after the public comment period ends. It also encourages rich, ongoing dialogue—as anyone can discuss an open issue to help find the best possible resolution.

Thank you again for your contributions, support in this new approach, and willingness to be a part of this document’s evolution. We’re looking forward to keeping the discussion lively and impactful during the upcoming official public comment period this fall.

For those who want a deep dive into the latest draft, we’re planning a webinar at the beginning of the public comment period to answer any outstanding questions, and to give everyone an idea of what’s ahead for SP 800-63-3. Be sure to follow us on Twitter for future updates about the webinar including the date, registration details, and agenda.


Citius, Altius, Fortius: Announcing 6 new pilot projects across 10 states (and D.C.!)

As the sun was setting on the thirtieth modern Olympiad in London, NIST was preparing to announce our very first set of NSTIC pilot projects. As the flame goes out in Rio, we’re setting new records. In our largest pilot announcement to date, today NIST is proud to add six new projects to our ranks and bring the total number of projects to 24.

It’s a tricky needle to thread for government to successfully catalyze a marketplace of solutions without government creating the solutions itself. At NIST, we try to keep the model simple. We believe the government’s role in seeding this market is to help overcome the initial barriers to a successful market and, as the landscape evolves, break through barriers that hold specific parts of the market back.

In 2012, adoption of trusted identities that aligned with the NSTIC vision wasn’t even a blip on the familiar ‘s-shaped’ technology adoption curve. We truly took an ecosystem approach: it’s not about a single killer app or any given shiny solution, it’s about creating the network effects by which all natural ecosystems support each other and by which we believe we can change the race-to-the-bottom history of identity, authentication, and the protection of personal information that, despite tremendous efforts by many, was all too common pre-NSTIC.

Today, that ecosystem is alive, well, and rapidly expanding. Our pilots family includes 24 projects and more than 150 total partners across 26 states and D.C. These projects have impacted more than 5.9 million individuals, and that impact is growing faster than ever before—a critical indication that the market is climbing that s-shaped curve. But the numbers run deeper than that. These solutions have impacted a dozen sectors, creating technology, business, and policy linkages that are mutually supportive and global in nature. It’s not just about the number of nodes but the strength of their bonds.

Pilots Graphic 8_25_2016


And, like any healthy ecosystem, it’s growing on its own. The variety of initiatives and solutions filling the marketplace outside the NSTIC program demonstrates just as strongly that the economic model is catching on.

As the fundamental economic proposition has changed, so too has the narrative. As just one example, adoption of multi-factor solutions is well out of the innovators and early adopters—and by some measures quite a way through the early majority as well. In 2015, 39% of consumers used two-factor authentication. Most individuals know that digital identity matters, even if fewer yet understand what to do about it. We know that 54% of consumers were not confident that the security of their personal data was protected on the internet in 2015, and 77% would be interested in an alternative to usernames and passwords to protect their security.

The success of a fundamental shift in the availability of multi-factor solutions in the marketplace has allowed us to turn to investing in solutions for other specific challenges in targeted areas where we believe (1) we can get the best marginal benefit for each taxpayer dollar and (2) the model of these projects can serve as a positive feedback loop to advance two critical sectors that individuals rely on daily.

In this year’s targeted approach to driving innovation in digital identity, we’re pleased to announce six new projects ready to rise to the challenge of making more secure, privacy-enhancing, interoperable, and usable solutions for everyday identity hurdles. We’ve awarded five projects to streamline and secure online access to state and local government services while we’re awarding a sixth through a partnership with HHS’s Office of the National Coordinator for Health IT to deliver trusted identities in healthcare. In these two important domains, we see the potential for innovation to make critical services more convenient and trustworthy for the consumer while strengthening online service providers’ security.

With that lengthy preamble out of the way, I’d like to introduce you to the six newest members of our family:

Florida Department of Revenue, Child Support Program (Tallahassee, Fla.: $3,550,978)

The Florida Department of Revenue aims to improve identity processes for online access to several Child Support Program applications. The new registration and authentication process will: increase the number of online services available to customers, provide convenience through a single login identity, and improve security by offering customers device registration options. The solution will allow the Child Support Program to increase the efficiency and effectiveness of its services while meeting customer expectations and the growing desire to conduct business more efficiently and effectively through online interactions with government agencies.

Yubico, Inc. (Palo Alto, Calif.: $2,273,125)

Yubico will focus on enabling secure online access to educational resources for students in Wisconsin and to state services for residents of Colorado. In both states, Yubico will deploy FIDO Alliance Universal 2nd Factor-based YubiKeys and use OpenID Connect to develop an ‘identity toolkit’ – with the goal of making the solution as simple to use and deploy as possible.

State of Ohio, Department of Administrative Services (Columbus, Ohio: $2,967,993)

The State of Ohio Department of Administrative Services will implement a range of identity-related capabilities, from multi-factor authentication to stronger identity proofing, for three state services. These services include enterprise e-licensing, online filing and payments for businesses in the state, and tax-related transactions with the Ohio Department of Taxation.

Gemalto, Inc. (Austin, Tex.: $2,022,102)

Gemalto will work with departments of motor vehicles to issue digital driver licenses to residents of Idaho, Maryland, Washington, D.C., and Colorado. Gemalto aims to improve the way people conveniently and securely present and prove their identities to business and government entities by offering a digital driver’s license, accessible via a mobile application. The benefit for citizens and relying parties is the ability to present and authenticate a trusted government-issued digital identity via mobile platforms, which will facilitate and automate many applications that rely on the physical presentation of identity documents today.

ID.me, Inc. (McLean, Va.: $3,750,000)

ID.me will work with the City of Austin, Texas, to develop a city-level blueprint for increased trust between participants in the sharing economy. The goal of the pilot is to demonstrate a viable model for strong authentication that is acceptable to key stakeholders in the sharing economy and replicable in other municipalities. With the State of Maine, ID.me will implement a federated identity model for applications to increase citizen access to benefits and to demonstrate interoperable credentials at the federal and state level.

Cedars-Sinai Medical Center (Los Angeles, Calif.: $999,836)

Cedars-Sinai Medical Center will implement a federated identity, single sign-on, multi-factor authentication solution across distinct healthcare systems for patients and providers. The solution aims to simplify patient transition from Cedars-Sinai Medical Center, an acute-care setting, to post-acute care settings, such as California Rehabilitation Institute. Patients and providers will have a single credential on a portal, with the purpose of giving them easier access to information to improve quality of care.

We expect each of these projects will make tangible differences in the everyday lives of millions more individuals by providing solutions that simultaneously improve privacy, security, and convenience for those who use them, through more interoperable and user-centric approaches. We also expect that they will provide a model for others to continue the remarkable gains of the last five years in pursuit of the NSTIC vision. We can’t wait for the great work that lies ahead.

While we warmly welcome aboard these organizations and their partners to the NSTIC pilots family, we acknowledge the journey ahead. It takes a steady eye down a long road to see through to the goal. We will continue analyzing ongoing challenges and market impediments, and will shift investments toward the prickliest of problems in identity. As we set our sights on the future, here’s to more innovation in the Identity Ecosystem—Citius, Altius, Fortius, and on to the next Olympiad!

Twitter: @NSTICnpo


REGISTER NOW: Privacy Controls Workshop on next steps for NIST SP 800-53, Appendix J!

We’re pleased to announce that on September 8, 2016, NIST and the Department of Transportation will hold a technical workshop on the next steps for NIST Special Publication 800-53, Appendix J…and registration is now open! Workshop participation from security and privacy engineers, privacy subject matter experts, and Senior Agency Officials for Privacy (SAOPs) is imperative for this workshop to be a success, so we encourage experts in these areas to register and attend. However, everyone is welcome so please feel free to join us if you are interested in the design of privacy protections in federal information systems.

Should Appendix J evolve in the next revision of the publication? We need your participation and input to get it right. Workshop attendees will explore the effectiveness and challenges of applying the current privacy controls in SP 800-53 and will discuss what adjustments should be made in the publication’s fifth revision.

Facilitated group discussions will cover a variety of topics, including: potential amendments to the privacy control families, broader guidance on the relationship between the privacy and security controls, and the need for additional NIST guidance on the implementation of controls in privacy risk management processes to support more effective privacy programs.

Shortly, we will release a discussion draft addressing each of the primary focus areas for the workshop. With the discussion draft as a starting point, attendees will have an opportunity to provide critical feedback prior to, during, and following this workshop to guide our next steps.

Your input is critical to making this process a success, so don’t forget to register…and stay tuned for an agenda, panelist announcements, and a discussion draft—which we will post on the event page soon.

Attendees can earn a maximum of five CPE credits through the International Association of Privacy Professionals (IAPP) for attending the workshop by simply submitting this form.

Please Note: If you are a U.S. citizen, the registration deadline is Friday, September 2nd at 12pm, EST. If you are not a U.S. citizen, the registration deadline is Monday, August 22nd at 12pm, EST. This event will be in-person; there will be no webcast.

Twitter: @NSTICnpo


Questions…and buzz surrounding draft NIST Special Publication 800-63-3

Here’s the backstory: You may have noticed that we’ve been getting a wee bit of attention on the proposed deprecation of SMS as an out-of-band second authentication factor in section 5.1.3.2 of draft NIST Special Publication 800-63-3: Digital Authentication Guideline. First, we’re happy to get the attention. Sure, this is a NIST document, but the point of public comment—and our extended public preview of the draft on GitHub—is to make sure the community is a part of creating it. The more eyes the better. The team here at NIST wouldn’t quite say many commenters make lighter work—but they sure do make a better end product.

All that said, accurately communicating information on technical standards can be pretty difficult, so we want to make sure folks know exactly what we mean with this proposal.

Here’s what we mean: There are really two separate changes worth explaining…

First: VoIP and other IP-based services. In today’s Identity Ecosystem, we worry especially about threats that are scalable and threats that can occur remotely. Yes, getting your phone stolen is a threat to all mobile-based two-factor authentication, but the cost to an attacker to steal a password and then steal a phone is much higher than when said swindler can access your accounts from their couch. It takes time and physical mobility, and they have to do the damage before the victim can act—which is typically much quicker when your phone is missing than when they’re remotely in your account.

So while no security approach is perfect, truly tying authentication to a physical device makes a real difference.

These days, not all SMS is a mobile phone-based communication. It’s a beautiful thing about SMS interoperability that we can send a message to a “phone number” without really caring if it’s an SMS, MMS, iMessage, or data message to some other internet service. An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn’t have to know the difference when they hit send—that’s part of the internet’s magic.

But it does matter for security. That’s why we’re proposing that federal agencies first verify that the phone number is truly attached to a mobile phone. If not (and the user happens to protect her or his VoIP account with a password), the user might now be protecting sensitive personal information with two passwords—that’s two of one factor type (two of ‘something you know’) rather than actual two-factor authentication (‘something you know’ and ‘something you have’). So we felt we had to propose ruling VoIP out.

Second: SMS to mobile devices. Let’s move on to the case where we’re confident the SMS is really going to a mobile device.

We’re continually tracking security research on the evolving threat landscape. Following on our approach to limit scalability and remote attacks, security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse. While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of the device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3. It’s not just the vulnerability of someone stealing your phone; it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.

Because of the risks, we are discouraging the use of SMS as an “out of band authenticator” — which is, essentially, a method for delivering a one-time use code for multi-factor authentication. This is why we suggest that the use of SMS as a second factor be reconsidered in future agency authentication systems.

But what’s this “deprecated” business all about?

Deprecation is standards-speak for “you can use this puppy for now, but it’s on its way out.” It’s a way of balancing the practicalities of today’s implementations with the needs of the future. While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies’ decisions. Leveraging an SMS to a mobile device as a second factor today is less effective than some other approaches—but more effective than a single factor. This balancing act is difficult and inherently imperfect, which is why we propose changes to the community and seek comment before making guidance final.

We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones. It’s up to agencies to make the risk-based decisions that best serve their constituents today and future-proof systems for tomorrow.

The market is continually innovating in this space; but so are adversaries. We’re fortunate to have innovators that have given us many authentication options just as convenient, yet more secure, than SMS. We don’t take these decisions lightly, and we’re always looking for better approaches from our stakeholders.

If you think deprecating SMS is a step in the right direction, let us know through our public preview on GitHub. If not, we need to hear from you. If you have another idea, it won’t come to fruition if you don’t share it. In this way we hope to do our part for a better Identity Ecosystem that serves all users and providers of digital services—and these days that covers just about everyone.

Speaking of our GitHub public preview site, we wanted to clear up some confusion…

We have mentioned before that we hope to receive critical comments to draft 800-63-3 and finalize the document by the end of the year (we expect to close the public preview period by September 17, 2016). This approach has many benefits, one of which is to engage experts early in the drafting process so that we can accelerate release of a final publication.

But we’ve heard from many valued stakeholders who think this summer public preview is intended for individuals only—this is not the case; this document needs organizational input as well (federal agencies: this also goes for you!). To comment as an organization, feel free to create an account representative of your ‘orgname’ or include your organization name in the comment itself. We can even update the issue template to include your organization name if you’d like us to.

Don’t let the term ‘public preview’ stop you. Public means open to all. We introduced this new phase to be as responsive as possible as we engage with the public and private sectors. We’d love a steady stream of substantive comments throughout the open period—so please help us keep things running smoothly and efficiently by submitting your comments as soon as possible. Thank you for your comments and for joining us in this quest to make this document the best it can be!

Twitter: @NSTICnpo


Calling all 800-63-3 comments!

Have you done your summer reading yet? We’re approaching this summer’s halfway point – which means we’re halfway through the public preview of draft NIST Special Publication 800-63-3: Digital Authentication Guideline. Don’t let the dog days of summer get you down – we still need your feedback and expert opinions! For a refresher on some of the major changes to 800-63-3 and why we’re using GitHub to solicit comments, see our announcement blog.


Screenshot of some of the open 800-63-3 GitHub issues we’re combing through – add yours today!

We hope to address comments and finalize this document by the end of the summer, and we expect to close the public preview period by September 17, 2016. We’d love a steady stream of substantive comments throughout the open period, so please help us keep things running smoothly and efficiently by submitting your comments as soon as possible – so it’s not a mad dash for us at the end of the process. Not only do we need time to resolve all open issues, but we also want the stakeholder community to weigh in using GitHub. We will, of course, listen to and account for your feedback no matter what—but the more comments we can get now, the better. To keep track of our plan, you can visit the milestones page to check on our status and if we’ve adjusted any dates (or added iterations).

To everyone who has already contributed to this document: THANK YOU. Your efforts have not gone unnoticed as we work together to enhance digital authentication guidelines and improve the Identity Ecosystem. We don’t take lightly the importance of stakeholder participation for the success of this document.

To everyone else: please head over to the public preview site to submit your feedback today!

Twitter: @NSTICnpo
