
White House may cut purse strings to enforce online credentialing

Federal agencies that fail to give website visitors the option to log on with outside credentials, such as their Gmail usernames and passwords, may lose funding, White House officials told Nextgov.

Federal Chief Information Officer Steven VanRoekel last week released a long-awaited memorandum requiring that, over the next three years, agencies launching or upgrading sites that prompt people to obtain a username and password also must be compatible with logon services handled by certified third-party vendors.

So-called federated identity management allows agency and corporate sites to trust credentials that are issued by an outside entity. Currently, dot-gov visitors must remember multiple names and codes to interact with agencies, and each federal site must pay to maintain its own independent ID validation system. Sites are continuously asking for more personal information than is necessary simply to send citizens and customers alerts or let them save webpage settings, privacy groups complain. By accepting credentials issued by trusted third parties, agencies are expected to cut down on the cost of system upkeep and save taxpayers some grief, federal officials say.

For agencies that do not abide by the rules on embedding external sign-on services, "we will discuss options for getting into compliance and will not rule out funding as an option," Office of Management and Budget spokeswoman Moira Mack said. Agencies that neglect to heed the memo during site overhauls will be required to develop a plan for adding third-party registration options, she said. The mandate kicks in 90 days after the government approves a "trust framework provider" -- an organization that will evaluate the commercial ID vendors.

With sites that require a higher level of assurance about identities, such as smart card authentication or in-person ID verification, the policy states that agencies have to accept outside credentials only "where appropriate and as resources permit." Currently, no ID management vendors are certified to provide those credentials, according to federal officials.

The move to shared credentialing ties into a broader public-private initiative aimed at fighting identity theft, enhancing accessibility and saving money by ridding organizations of duplicate credentialing systems, officials say. In April, the Obama administration released the National Strategy for Trusted Identities in Cyberspace to build an ecosystem of authentication services, similar to today's credit card payment system, for protecting online transactions worldwide.

"With any of these memos, it takes time" for agencies to adapt, said Jeremy Grant, who is heading the NSTIC effort as a senior executive adviser at the National Institute of Standards and Technology. For example, although the White House seven years ago ordered agencies to outfit federal buildings and systems with electronic ID card readers, only now is OMB penalizing agencies that do not comply by withholding money for other programs.

Some agencies, however, are very interested in fulfilling the memo's goals, Grant said. "Since it's come out, our office has been getting an increased number of calls" to learn how to comply, he said.

By encouraging its agencies to adopt federated identity management, the administration hopes to lead by example, federal officials say.

"This memorandum marks a new day for federal efficiency: a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has -- a university-issued credential for example -- across sites hosted by the departments of Veterans Affairs, Education and Treasury," White House cyber czar Howard Schmidt said in a blog post last week. "The federal government's role in facilitating the growth of the identity ecosystem is only half the story. . . . We are eager to see -- particularly at the higher levels of credential assurance -- a larger, vibrant pool of accredited identity providers to provide more choices for people and federal agencies."

But other federal officials say the guidance misses a big money-saver by requiring agencies to still let visitors establish separate dot-gov usernames and passwords. Forcing agencies to manage in-house credentials and subscribe to third-party ID services adds cost, they argue. The memo seems to contradict itself by stating that "to reduce costs associated with managing credentials, agencies are to begin leveraging externally issued credentials in addition to continuing to offer federally issued credentials."

On Thursday, Mack disputed that interpretation, saying, "The continued use of in-house credentials is not required. The guidance provides the flexibility for agencies to identify the most effective and cost efficient options that meet their needs and the needs of the American people they serve."

Former federal CIO Vivek Kundra shared the memo with industry members in April, said Mike Ozburn, a principal at Booz Allen Hamilton who consults clients on federal identity safeguards. "It represents a consistent policy view from government that they desire what [Schmidt] called a vibrant marketplace in the private sector for digital credentials that can be issued to individuals by trusted sources, and accepted by government to reduce costs, implement digital discipline over business processes and offer better services to individuals."
