White House may cut purse strings to enforce online credentialing

Administration officials are considering withholding money from agencies that don't offer Web visitors the option to log on with usernames and passwords issued by an outside entity.

Federal agencies that fail to give website visitors the option to log on with outside credentials, such as their Gmail usernames and passwords, may lose funding, White House officials told Nextgov.

Federal Chief Information Officer Steven VanRoekel last week released a long-awaited memorandum requiring that, over the next three years, agencies launching or upgrading sites that prompt people to obtain a username and password also must be compatible with logon services handled by certified third-party vendors.

So-called federated identity management allows agency and corporate sites to trust credentials that are issued by an outside entity. Currently, dot-gov visitors must remember multiple names and codes to interact with agencies, and each federal site must pay to maintain its own independent ID validation system. Sites are continuously asking for more personal information than is necessary simply to send citizens and customers alerts or let them save webpage settings, privacy groups complain. By accepting credentials issued by trusted third parties, agencies are expected to cut down on the cost of system upkeep and save taxpayers some grief, federal officials say.

For agencies that do not abide by the rules on embedding external sign-on services, "we will discuss options for getting into compliance and will not rule out funding as an option," Office of Management and Budget spokeswoman Moira Mack said. Agencies that neglect to heed the memo during site overhauls will be required to develop a plan for adding third-party registration options, she said. The mandate kicks in 90 days after the government approves a "trust framework provider" -- an organization that will evaluate the commercial ID vendors.

With sites that require a higher level of assurance about identities, such as smart card authentication or in-person ID verification, the policy states that agencies have to accept outside credentials only "where appropriate and as resources permit." Currently, no ID management vendors are certified to provide those credentials, according to federal officials.

The move to shared credentialing ties into a broader public-private initiative aimed at fighting identity theft, enhancing accessibility and saving money by ridding organizations of duplicate credentialing systems, officials say. In April, the Obama administration released the National Strategy for Trusted Identities in Cyberspace to build an ecosystem of authentication services, similar to today's credit card payment system, for protecting online transactions worldwide.

"With any of these memos, it takes time" for agencies to adapt, said Jeremy Grant, who is heading the NSTIC effort as a senior executive adviser at the National Institute of Standards and Technology. For example, although the White House seven years ago ordered agencies to outfit federal buildings and systems with electronic ID card readers, only now is OMB penalizing agencies that do not comply by withholding money for other programs.

Some agencies, however, are very interested in fulfilling the memo's goals, Grant said. "Since it's come out, our office has been getting an increased number of calls" to learn how to comply, he said.

By encouraging its agencies to adopt federated identity management, the administration hopes to lead by example, federal officials say.

"This memorandum marks a new day for federal efficiency: a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has -- a university-issued credential for example -- across sites hosted by the departments of Veterans Affairs, Education and Treasury," White House cyber czar Howard Schmidt said in a blog post last week. "The federal government's role in facilitating the growth of the identity ecosystem is only half the story. . .We are eager to see -- particularly at the higher levels of credential assurance -- a larger, vibrant pool of accredited identity providers to provide more choices for people and federal agencies."

But other federal officials say the guidance misses a big money-saver by requiring agencies to still let visitors establish separate dot-gov usernames and passwords. Forcing agencies to manage in-house credentials and subscribe to third-party ID services adds cost, they argue. The memo seems to contradict itself by stating that "to reduce costs associated with managing credentials, agencies are to begin leveraging externally issued credentials in addition to continuing to offer federally issued credentials."

On Thursday, Mack disputed that interpretation, saying, "The continued use of in-house credentials is not required. The guidance provides the flexibility for agencies to identify the most effective and cost efficient options that meet their needs and the needs of the American people they serve."

Former federal CIO Vivek Kundra shared the memo with industry members in April, said Mike Ozburn, a principal at Booz Allen Hamilton who consults clients on federal identity safeguards. "It represents a consistent policy view from government that they desire what [Schmidt] called a vibrant marketplace in the private sector for digital credentials that can be issued to individuals by trusted sources, and accepted by government to reduce costs, implement digital discipline over business processes and offer better services to individuals."