White House may cut purse strings to enforce online credentialing

Administration officials are considering withholding money from agencies that don't offer Web visitors the option to log on with usernames and passwords issued by an outside entity.

Federal agencies that fail to give website visitors the option to log on with outside credentials, such as their Gmail usernames and passwords, may lose funding, White House officials told Nextgov.

Federal Chief Information Officer Steven VanRoekel last week released a long-awaited memorandum requiring that, over the next three years, agencies launching or upgrading sites that prompt people to obtain a username and password also must be compatible with logon services handled by certified third-party vendors.

So-called federated identity management allows agency and corporate sites to trust credentials that are issued by an outside entity. Currently, dot-gov visitors must remember multiple names and codes to interact with agencies, and each federal site must pay to maintain its own independent ID validation system. Sites are continuously asking for more personal information than is necessary simply to send citizens and customers alerts or let them save webpage settings, privacy groups complain. By accepting credentials issued by trusted third parties, agencies are expected to cut down on the cost of system upkeep and save taxpayers some grief, federal officials say.

For agencies that do not abide by the rules on embedding external sign-on services, "we will discuss options for getting into compliance and will not rule out funding as an option," Office of Management and Budget spokeswoman Moira Mack said. Agencies that neglect to heed the memo during site overhauls will be required to develop a plan for adding third-party registration options, she said. The mandate kicks in 90 days after the government approves a "trust framework provider" -- an organization that will evaluate the commercial ID vendors.

With sites that require a higher level of assurance about identities, such as smart card authentication or in-person ID verification, the policy states that agencies have to accept outside credentials only "where appropriate and as resources permit." Currently, no ID management vendors are certified to provide those credentials, according to federal officials.

The move to shared credentialing ties into a broader public-private initiative aimed at fighting identity theft, enhancing accessibility and saving money by ridding organizations of duplicate credentialing systems, officials say. In April, the Obama administration released the National Strategy for Trusted Identities in Cyberspace to build an ecosystem of authentication services, similar to today's credit card payment system, for protecting online transactions worldwide.

"With any of these memos, it takes time" for agencies to adapt, said Jeremy Grant, who is heading the NSTIC effort as a senior executive adviser at the National Institute of Standards and Technology. For example, although the White House seven years ago ordered agencies to outfit federal buildings and systems with electronic ID card readers, only now is OMB penalizing agencies that do not comply by withholding money for other programs.

Some agencies, however, are very interested in fulfilling the memo's goals, Grant said. "Since it's come out, our office has been getting an increased number of calls" to learn how to comply, he said.

By encouraging its agencies to adopt federated identity management, the administration hopes to lead by example, federal officials say.

"This memorandum marks a new day for federal efficiency: a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has -- a university-issued credential for example -- across sites hosted by the departments of Veterans Affairs, Education and Treasury," White House cyber czar Howard Schmidt said in a blog post last week. "The federal government's role in facilitating the growth of the identity ecosystem is only half the story. . . . We are eager to see -- particularly at the higher levels of credential assurance -- a larger, vibrant pool of accredited identity providers to provide more choices for people and federal agencies."

But other federal officials say the guidance misses a big money-saver by requiring agencies to still let visitors establish separate dot-gov usernames and passwords. Forcing agencies to manage in-house credentials and subscribe to third-party ID services adds cost, they argue. The memo seems to contradict itself by stating that "to reduce costs associated with managing credentials, agencies are to begin leveraging externally issued credentials in addition to continuing to offer federally issued credentials."

On Thursday, Mack disputed that interpretation, saying, "The continued use of in-house credentials is not required. The guidance provides the flexibility for agencies to identify the most effective and cost efficient options that meet their needs and the needs of the American people they serve."

Former federal CIO Vivek Kundra shared the memo with industry members in April, said Mike Ozburn, a principal at Booz Allen Hamilton who advises clients on federal identity safeguards. "It represents a consistent policy view from government that they desire what [Schmidt] called a vibrant marketplace in the private sector for digital credentials that can be issued to individuals by trusted sources, and accepted by government to reduce costs, implement digital discipline over business processes and offer better services to individuals."
