
White House to unveil revised ID management plan Friday

"We should not have to dramatically change the way we do business," cyber chief Howard Schmidt said. (Flickr user hubertk)

The White House on Friday will release the second draft of a plan for managing identities in cyberspace, President Obama's cyber chief said during a conference in Washington.

The latest version of the National Strategy for Trusted Identities in Cyberspace will build on existing efforts to ensure people, organizations and computers are who they claim to be on the Internet, according to Howard Schmidt, White House cyber coordinator. Those include the George W. Bush administration's Homeland Security Presidential Directive 12, which established a common identification standard for federal employees and contractors to access government buildings and computers, and a requirement to add authentication tools to federal websites to prevent hackers from hijacking Internet traffic and redirecting it to bogus sites.

"We should not have to dramatically change the way we do business," Schmidt said in a keynote address at the Symantec Government Symposium on Tuesday. "This should be a natural path forward."

The plan will focus on identity management at the transaction level -- for instance, when people access electronic health records, conduct online banking, purchase items over the Internet, or send an e-mail.

"Everyone in my office digitally signs e-mail," Schmidt noted. "How does that help? If I see 110 e-mails with a digital signature attached, I know they're trusted. I can then focus on those other 10 e-mails [to figure out], 'Is this who it says it is?' It narrows the scope."

One hurdle will be ensuring existing policies are implemented properly. Established by President Bush in 2004, HSPD-12 experienced numerous logistical and technological challenges that led to significant delays. The Obama administration has barely mentioned the initiative.

"When I ask people about their card, they say, 'Yes I got it,' " Schmidt said. "And then I ask the question, 'Do you use it?' And they say that they don't know what to do with it, or [their agency] has not been issued a smart card reader" for scanning credentials when they enter federal buildings or log on to networks.

"We need to figure out how we get those things to work at the national level," he added.

The national plan will seek tested solutions that are interoperable and cost-effective, and that enhance privacy by limiting the amount of personal information needed to complete transactions online.

To do that, Schmidt said the plan will require what he called an "identity ecosystem" that brings together government, industry and academia to design and build a solution that uses both new and existing infrastructure, and then to establish processes for effectively managing the solution.

"This strategy cannot exist in isolation; it's going to take a commitment," Schmidt said, noting that it is one piece of a much bigger strategy to enhance the security of computer networks and systems.

"I'm very positive about where we're going," he said. "I think we are better. If we weren't, it means all the work is for naught, and I don't believe that for a moment."

The administration will use Web 2.0 technologies to enable online feedback on the latest draft of the plan, according to Schmidt.
