According to a recent roadmap, NIST is looking to issue guidance on how federal, state and local governments can offer attribute validation services.
The National Institute of Standards and Technology released a new draft roadmap of its upcoming work on identity and access management Friday, giving stakeholders insight into the agency’s plans and an opportunity to provide feedback through June 1.
The roadmap details forthcoming short- and long-term work NIST will do on IAM, including focuses on mobile drivers licenses, phishing-resistant multi-factor authentication, authorization in zero trust trust environments and more.
NIST is also going to be implementing new authorities and directives included in the 2022 CHIPS and Science Act, which required the agency to develop voluntary guidance for digital identity management systems.
That will include information for how federal, state and local governments can offer attribute validation services, which is where a government confirms if a submitted piece of information about someone, such as their social security number, matches what the agencies have on file.
Verifying attributes about individuals can be part of how governments and private sector entities verify users’ identities. The General Services Administration’s Login.gov service, for example, verifies personal information against sources like state DMVs.
“The idea is whether it's State Department validating passport info, a DMV validating driver's license info or a local vital records bureau validating a birth certificate, every level of government has a consistent set of standards and best practices to deliver a high bar for security and privacy in a way that is interoperable,” Jeremy Grant, a former senior executive advisor for identity management at NIST, told FCW via email.
Grant is currently a managing director in the Technology and Innovation Group at Venable LLP, and also serves as coordinator for the Better Identity Coalition, which has previously pushed for the Biden White House to focus on offering these sorts of attribute validation services.
Still, although the guidance could help agencies currently wary of offering these services by providing a set of common standards, Grant told FCW attribute validation services currently performed by government agencies are often confined to narrow, specific use cases.
The Social Security Agency’s validation service, called Electronic Consent Based Social Security Number Verification, is available to certain financial institutions to check information against SSA data, for example, but isn’t available to government agencies, according to the Better Identity Coalition.
Other parts of the roadmap include biometric research and testing – also featured in the 2022 CHIPS and Science Act, which required the development of performance standards and guidelines for government biometric identification systems deemed “high risk.”
The agency says in the roadmap that it is juggling both increasing fraud and more sophisticated hackers that are changing the threat environment with things like automated attacks, synthetic identities, phishing and ransomware, as well as changing public opinion – specifically a “surging awareness and concern around data privacy, bias and usability” that have put “greater emphasis on the needs of individuals.”
“IAM sits at the nexus of cybersecurity and customer experience, making it a key component to creating trusted, modern digital services,” the roadmap said.