National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and PrivacyThe National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy) charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions.Our economic, societal, and personal reliance on cyberspace will continue to grow in the years ahead, and with it our need to trust the identities of those with whom we interact online The protection of the identities of individuals and organizations while conducting online transactions is pivotal to protecting open commerce, promoting innovation, and securing our Nation This Strategy proposes an Identity Ecosystem that will encourage trusted online transactions, provide privacy enhancements and support civil liberties, and reduce fraud Ultimately, the Identity Ecosystem can only be designed and built by the private sector The Federal Government will support the private sector, ensure that the Identity Ecosystem respects the privacy and otherwise supports the civil liberties of individuals, and be a leader in implementing the Identity Ecosystem in its own services Existing efforts by the public and private sectors have already established services that are significant components of the Identity Ecosystem, but much remains to be done Individuals, businesses, non-profits, advocacy groups, associations, and all levels of government must work in partnership to improve how identities are trusted and used in cyberspace There is a compelling need to address these problems as soon as possible, making progress in the short- term and planning for the long-term Through a collaborative effort by the public and private sectors, we can realize the vision and benefits of this Strategy and thus create a more secure cyberspace for our NationPresident of the United StatesPOTUS_a2f9f214-2ab3-11e1-9d2c-416a7a64ea2aIndividuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation._a2f9f5a2-2ab3-11e1-9d2c-416a7a64ea2aTo chart a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions._a2f9f6ba-2ab3-11e1-9d2c-416a7a64ea2aPrivacy and NoncoercionIdentity Solutions will be Privacy-Enhancing and Voluntary -- The offline world has structural barriers that preserve individual privacy by limiting information collection, use, and disclosure to a specific context For example, consider a driver’s license: an individual can use a driver’s license to open a bank account, board an airplane, or view an age-restricted movie at the cinema, but the Department of Motor Vehicles does not know every place that accepts driver’s licenses as identification It is also difficult for the bank, the airport, and the movie theater to collaborate and link the transactions together At the same time, there are aspects of these offline transactions that are not privacy-protective The movie theater attendant who checks an individual’s driver’s license needs to know only that the individual is over age 17 But looking at the driver’s license reveals extraneous information, such as the individual’s address and full date of birth. Ideally, identity solutions should preserve the positive privacy benefits of offline transactions while mitigating some of the negative privacy aspects The Fair Information Practice Principles (FIPPs) are the widely accepted framework for evaluating and mitigating privacy impacts The eight FIPPs are transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing. The envisioned Identity Ecosystem will be grounded in a holistic implementation of the FIPPs in order to provide multi-faceted privacy protections For example, organizations will collect and distribute only the information necessary to the transaction, maintain appropriate safeguards on that information, and be responsive and accountable to individuals’ privacy expectations In circumstances where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices will be automatically applied to all parties with whom that individual interacts Consistent with the FIPPs-based approach, the Identity Ecosystem will include limits on the length of time organizations can retain personal information and will require them to provide individuals with appropriate opportunities to access, correct, and delete it The Identity Ecosystem will also require organizations to maintain auditable records regarding the use and protection of personal information Moreover, a FIPPs-based approach will promote the creation and adoption of privacy-enhancing technical standards Such standards will minimize the transmission of unnecessary information and eliminate the superfluous “leakage” of information that can be invisibly collected by third parties Such standards will also minimize the ability to link credential use among multiple service providers, thereby preventing them from developing a complete picture of an individual’s activities online Finally, service providers will request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction As a result, implementation of the FIPPs will protect individuals’ capacity to engage anonymously in cyberspace Universal adoption of the FIPPs in the envisioned Identity Ecosystem will enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified -- while providing robust privacy protections that promote usability and trust Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party Individuals’ participation in the Identity Ecosystem will be a day-to-day -- or even a transaction-to-transaction -- choice.Security and ResiliencyIdentity Solutions will be Secure and Resilient -- Identity solutions and the processes and techniques used to establish trust must be secure against attack or misuse Security ensures the confidentiality, integrity, and availability of identity solutions and, when appropriate, the non-repudiation of transactions The use of open and collaboratively developed security standards and the presence of auditable security processes are critical to an identity solution’s trustworthiness Identity solutions must have security built into them so that whenever possible, the security is transparent to the user Identity solutions will provide secure and reliable methods of electronic authentication Authentication credentials are secure when they are (a) issued based on sound criteria for verifying the identity of individuals and devices; (b) resistant to theft, tampering, counterfeiting, and exploitation; and (c) issued only by providers who fulfill the necessary requirements In addition, the ability to support robust forensic capabilities will maximize recovery efforts, enable enhancements to protect against evolving threats, and permit attribution, when appropriate, to ensure that criminals can be held accountable for their activities Reliable identity solutions will also be available and resilient Identity solutions are available when they meet appropriate service-level requirements agreed upon by the individuals and organizations that use them Credentials are resilient when they can recover from loss, compromise, theft—and can be effectively revoked or suspended in instances of misuse Another contributor to resilience is the existence of a diverse and heterogeneous environment of providers and methods of authentication In a diverse ecosystem, a participant can easily switch providers if their existing provider becomes insolvent, incapable of adhering to policies, or revises their terms of service Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.InteroperabilityIdentity Solutions will be Interoperable -- Interoperability encourages service providers to accept a variety of credential and identity media, similar to the way ATMs accept credit and debit cards from different banks Interoperability also supports identity portability: it enables individuals to use a variety of credentials in asserting their digital identity to a service provider Finally, the interoperability of identity solutions envisioned in this Strategy will enable individuals to easily switch providers, thus harnessing market incentives to meet individuals’ expectations This guiding principle recognizes two interoperability ideals within the Identity Ecosystem: * There will be standardized, reliable credentials and identity media in widespread use in both the public and private sectors; and * If an individual, device, or system presents a valid and appropriate credential, any qualified relying party is capable of accepting and verifying the credential as proof of identity and attributes To achieve these ideals, identity solutions should be scalable across multiple communities, spanning traditional geographic borders Interoperable identity solutions will allow organizations to accept and trust external users authenticated by a third party Identity solutions achieve scalability when all participants in the various identity federations agree upon a common set of standards, requirements, and accountability mechanisms for securely exchanging digital identity information, resulting in authentication across identity federations Identity solutions will achieve at least two types of interoperability: technical and policy-level Technical interoperability (including semantic interoperability) refers to the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards Policy- level interoperability is the ability for organizations to adopt common business policies and processes (e g , liability, identity proofing, and vetting) related to the transmission, receipt, and acceptance of data between systems There are many existing standards and standards organizations that address these issues, and the Identity Ecosystem will encourage the use of existing, non-proprietary solutions When new standards are needed, the Identity Ecosystem will emphasize non-proprietary, international, and industry-led standards In addition, identity solutions will be modular, allowing service providers to build sophisticated identity systems using smaller and simpler sub-systems This implementation philosophy will improve the flexibility, reliability, and reuse of these systems, and it will allow for simplicity and efficiency in change management: service providers can add and remove components as the Identity Ecosystem evolves.Cost-Effectiveness and Ease of UseIdentity Solutions will be Cost-Effective and Easy To Use -- From the individual’s perspective, the increasing complexity and risk of managing multiple credentials threaten the convenience associated with online transactions The Identity Ecosystem will promote identity solutions that foster the reduction and elimination of policy and technology silos that require individuals to maintain multiple identity credentials Individuals will be able to establish a small number of identity credentials that they can leverage across a wide variety of service providers Organizations will no longer have to issue and maintain credentials for each of their users Individuals, businesses, organizations, and all levels of government will benefit from the reduced cost of online transactions: fewer redundant account procedures, a reduction in fraud, decreased help-desk costs, and a transition away from expensive paper-based processes Furthermore, reusable identity solutions promote operational efficiency and will further reduce the cost of implementing online services The use of existing identity solutions that align with the Strategy is one way of quickly achieving these efficiencies Identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training Many existing technology components in widespread use today, such as cell phones, smart cards, and personal computers, can be leveraged to act as or contain a credential Whenever possible, identity solutions should be built into online services to enhance their usability Identity solutions must also bridge the ‘digital divide’; they must be available to all individuals, and they must be accessible to the disadvantaged and disabled.Identity Ecosystem FrameworkDevelop a comprehensive Identity Ecosystem Framework._a2f9f7be-2ab3-11e1-9d2c-416a7a64ea2a1The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that govern the Identity Ecosystem It will guide the development of individual trust frameworks and will be flexible enough to accommodate the varied needs of Identity Ecosystem participants.Privacy ProtectionEstablish improved privacy protection mechanisms._a2f9f93a-2ab3-11e1-9d2c-416a7a64ea2a1.1The Identity Ecosystem Framework must offer individuals better means of protecting their privacy by establishing clear rules and guidelines based upon the FIPPs These rules and guidelines must address not only the circumstances under which a service provider or relying party may share information but also the kinds of information that they may collect and how that information is used New privacy protections will shift the current model of application-specific collection of identity information to a distributed, user-centric model that supports an individual’s capability to manage an array of cyber identities and to manage and assert personal attributes without having to provide identifying data The new model will reduce the number of service providers with whom individuals must share their personal information in the course of everyday transactions. The Executive Branch of the Federal Government will work with the private sector and, if necessary, propose legislation to strengthen privacy protections for individuals These protections will enable individuals to form consistent expectations about the treatment of their information in cyberspace Although individuals will retain the right to exchange their personal information in return for services they value, these protections will ensure that the default behavior of Identity Ecosystem providers is to: * Limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements; * Limit the use of the individual’s data that is collected and transmitted to specified purposes; * Limit the retention of data to the time necessary for providing and administering the services to the individual end-user for which the data was collected, except as otherwise required by law; * Provide concise, meaningful, timely, and easy-to-understand notice to end-users on how providers collect, use, disseminate, and maintain personal information; * Minimize data aggregation and linkages across transactions; * Provide appropriate mechanisms to allow individuals to access, correct, and delete personal information; * Establish accuracy standards for data used in identity assurance solutions; * Protect, transfer at the individual’s request, and securely destroy information when terminating business operations or overall participation in the Identity Ecosystem; * Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and * Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused.StandardsEstablish comprehensive identification and authentication standards based on defined risk models._a2f9faac-2ab3-11e1-9d2c-416a7a64ea2a1.2Risk models provide a common understanding of the level of assurance required for a type of transaction, based upon the threats to that type of transaction and the potential severity of their impact For example, the level of authentication required for online banking is likely to differ from that required to access an online magazine subscription Technical and policy standards based on these risk models will define how to remotely authenticate and manage the digital identities of subjects, including the management of personal information in accordance with privacy laws and best practices The Federal Government will facilitate private-sector efforts to establish these risk models and standards in accord with the vision of the Strategy The effort to develop technical standards should use open, transparent fora and leverage existing, market-recognized guidance on assessing required authentication levels It should also be informed by and, when possible, seek alignment with international efforts Both technical and policy standards must enable consistency and interoperability while remaining flexible enough to adapt as security threats evolve and the market innovates They must also take individual privacy protection into consideration, ensuring that resulting standards have privacy “built in ” These technical and policy standards will establish a cross-sector baseline of interoperability and behavior, and they will enhance the confidence of businesses seeking to invest in identity solutions The ultimate goal of risk-based models and assessment tools will be to support the decisions that organizations make to determine how they will operate within the Identity Ecosystem Developing standards that cover interoperability requirements, trustmark criteria, and accreditation will pave the way for choice across solutions, ultimately accelerating Identity Ecosystem adoption.Participant ResponsibilitiesDefine participant responsibilities in the Identity Ecosystem and establish mechanisms to provide accountability._a2f9fe3a-2ab3-11e1-9d2c-416a7a64ea2a1.3The Identity Ecosystem Framework will define the minimum rights and responsibilities of the various participants in the Identity Ecosystem and establish consequences for those that do not uphold their responsibilities As part of defining these responsibilities, the Identity Ecosystem Framework must establish the accountability and remediation process when an identity credential is fraudulently issued or used or when other breakdowns in the Identity Ecosystem occur To date, these concerns have been a barrier to the development of widespread identity and authentication solutions at all levels of assurance These concerns affect both individuals and service providers The Identity Ecosystem Framework must in general protect individuals from unbounded liability and in particular ensure that individuals are not held liable for losses that they were powerless to prevent The Identity Ecosystem Framework should also clarify service provider accountability in order to overcome the uncertainty and fear of unbounded liability that have limited the market’s growth For example, it must answer questions such as whether or not identity providers should have legal protection if they have complied with the defined standards and credentials are nonetheless issued or used incorrectly The Federal Government may need to establish or amend both policies and laws to address these concerns Multiple entities currently enforce online security and privacy standards in a distributed fashion across both government and the private sector Any new laws and policies must maintain the flexibility of this approach, while harmonizing a diverse and sometimes conflicting set of requirements that currently prevent interoperability and trust across communities.Steering GroupEstablish a steering group to administer the standards development and accreditation process for the Identity Ecosystem Framework._a2fa0042-2ab3-11e1-9d2c-416a7a64ea2a1.4The policy and technical standards necessary for the Identity Ecosystem may be developed in different fora A steering group will thus administer the process for policy and technical standards development for the Identity Ecosystem Framework The group will bring together all of the interested stakeholders to ensure that the Identity Ecosystem Framework provides a minimum baseline of privacy, security, and interoperability through standards, policies, and laws—without creating unnecessary barriers to entry The steering group will work diligently to follow the Guiding Principles in this Strategy; it will organize and conduct itself in the spirit of those principles, as the inclusive, transparent, pragmatic, and committed leadership group building toward the Strategy’s vision To that end, the steering group will also set milestones and measure progress against them The steering group will also ensure that accreditation authorities validate participants’ adherence to the requirements of the Identity Ecosystem FrameworkIdentity EcosystemBuild and implement the Identity Ecosystem._a2fa0222-2ab3-11e1-9d2c-416a7a64ea2a2The Identity Ecosystem Framework includes the standards, policies, and laws that serve as a platform for the Identity Ecosystem; however, it is not the Ecosystem The Identity Ecosystem must be built and implemented, primarily by the private sector, with interoperable identity solutions that are aligned with the Identity Ecosystem Framework.Private-Sector ElementsImplement the private-sector elements of the Identity Ecosystem. _a2fa040c-2ab3-11e1-9d2c-416a7a64ea2a2.1The Strategy can only succeed if the private sector voluntarily implements the Identity Ecosystem and only if it makes business sense to do so The vast majority of the Identity Ecosystem will be built by the private sector, and almost all of the Identity Ecosystem’s subjects, relying parties, identity providers, attribute providers, and accreditation authorities will be in the private sector The private sector is already providing many services that, if they choose, could be a part of the Identity Ecosystem We encourage these providers to participate in the development of the Identity Ecosystem Framework and the implementation of the Identity Ecosystem, to ensure that both incorporate these providers’ knowledge and experience To support the private sector, the Federal Government will work to promote and incentivize both innovation in the marketplace and the private sector’s implementation of the Identity Ecosystem in accordance with the Identity Ecosystem Framework.Nonfederal Government ElementsImplement the state, local, tribal, and territorial government elements of the Identity Ecosystem._a2fa0600-2ab3-11e1-9d2c-416a7a64ea2a2.2State GovernmentsLocal GovernmentsTribal GovernmentsTerritorial GovernmentsState, local, tribal, and territorial governments have a significant role in building the Identity Ecosystem These levels of government may at times act as identity or attribute providers They will also offer services online as relying parties and, as subjects, will use services provided by others These levels of government have a high level of interaction with their constituents, and they have a unique insight into the needs of individuals and local organizations Their participation in the Identity Ecosystem will significantly increase the value that it provides to the Nation Similar to its efforts with the private sector, the Federal Government will promote and incentivize all levels of governments’ implementation of the Identity Ecosystem in accordance with the Identity Ecosystem Framework.Federal Government ElementsImplement the Federal Government elements of the Identity Ecosystem._a2fa0808-2ab3-11e1-9d2c-416a7a64ea2a2.3The Federal Government will also implement the Identity Ecosystem In the areas where it has unique capabilities, the Federal Government may act as an identity or attribute provider It will also offer services online as a relying party and, as a subject, will use services provided by others The Federal Government must continue to lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework By adopting Identity Ecosystem solutions as a service provider, the Federal Government will raise individual’s expectations and thus drive individuals’ demand for interoperability in their transactions with the private sector and other levels of government. As a subject, the Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions To that end, the expansion of government services, pilots, and policies that align with the Identity Ecosystem should be accelerated 10 The Federal Government will continue to follow the FICAM Roadmap and Implementation Guidance and will build upon that work to further advance the Identity Ecosystem.DeploymentPromote the deployment of interoperable solutions to implement the Identity Ecosystem Framework. _a2fa0a24-2ab3-11e1-9d2c-416a7a64ea2a2.4The Federal Government must promote the implementation of interoperable solutions that support trusted identities for online transactions The Federal Government will work with the private sector and all other levels of government to organize, coordinate, promote, and participate in pilot programs that are interoperable across sectors and that implement the Identity Ecosystem The Federal Government will also seek to initiate and support pilots that address the needs of individuals, the private sector, and of all levels of government Finally, the Federal Government will promote interoperability by sharing its existing and new infrastructure, such as test beds and approved products and services, with the other participants on the Identity Ecosystem The private sector and all levels of government should share information on the lessons learned from these and other implementation efforts.Confidence and ParticipationEnhance confidence and willingness to participate in the Identity Ecosystem._a2fa0c54-2ab3-11e1-9d2c-416a7a64ea2a3The greater the number of participants in the Identity Ecosystem, the greater the value that each will obtain from participation Individuals benefit when they can choose to use any single identity provider to access a large number of relying parties Relying parties benefit when they can more easily access a wide pool of customers The success of the Identity Ecosystem thus depends, in large part, on encouraging individuals and organizations to adopt it.Awareness and EducationProvide awareness and education to enable informed decisions._a2fa0f06-2ab3-11e1-9d2c-416a7a64ea2a3.1The public and private sector will use awareness and education programs to encourage demand for the Identity Ecosystem and to inform its use Awareness efforts will help inform individuals and organizations about the security and privacy risks associated with existing, weak authentication mechanisms These efforts will also communicate the benefits of the Identity Ecosystem to all of the potential participants, including individuals, relying parties, and potential identity and attribute providers Education programs will ensure that individuals know how to obtain and use Identity Ecosystem credentials For service providers, education programs can provide information on implementing Identity Ecosystem solutions and abiding by Identity Ecosystem policies. Education and awareness is an important area in which the Federal Government can assist individuals, other levels of government, and the private sector The Federal Government is already working to raise public awareness regarding cybersecurity, and these efforts should be leveraged to raise awareness of the Identity Ecosystem The Federal Government will work with the private sector and other levels of government to develop education and awareness programs and to customize them for groups like individuals and small businesses, who have unique needs The Federal Government will also work with the private sector to provide information to potential service providers, to communicate how they can participate in and benefit from the Identity Ecosystem.AdoptionIdentify other means to drive widespread adoption of the Identity Ecosystem._a2fa1172-2ab3-11e1-9d2c-416a7a64ea2a3.2All levels of government can assist the private sector by helping to jumpstart the adoption of the Identity Ecosystem, ensuring that it becomes widespread enough to be self-sustaining In order to provide this jumpstart, all levels of government should work with the private sector to help identify economic incentives to encourage private-sector adoption of the Identity Ecosystem The Federal Government will also align identity solution requirements in existing programs against the Identity Ecosystem Finally, the Federal Government will evaluate regulatory changes as necessary.Success and SustainabilityEnsure the long-term success and sustainability of the Identity Ecosystem._a2fa13de-2ab3-11e1-9d2c-416a7a64ea2a4Over the long term, the Identity Ecosystem should become a self-sustaining marketplace, but the public and private sector must continue to participate in its maintenance, technical evolution, international integration, and adherence to the Guiding Principles.R&DDrive innovation through aggressive science and technology (S&T) and research and development (R&D) efforts._a2fa1640-2ab3-11e1-9d2c-416a7a64ea2a4.1The Identity Ecosystem is composed of technology and policy that must evolve to accommodate: * Rapid and unanticipated advances in technologies that continuously revolutionize what can be done, how it is done, and who can participate in cyberspace 11 * Continuous innovation in imaginative new services, resources, and capabilities that increase the value of cyberspace to all sectors of society * Ever increasing needs and expectations for cyberspace As these trends constantly reshape cyberspace, the Identity Ecosystem must be continuously improved, stretching to meet new needs, enable new opportunities, and address future cyberspace threats This requires the Federal Government to work in partnership with the academic and private sectors, both domestic and international, on interdisciplinary S&T and R&D We need sustained, strategic investments to continually improve the security, reliability, resilience, and trustworthiness of the identification, authentication, and authorization of entities in cyberspace Moreover, these efforts should extend beyond the technical to address issues like usability, privacy, incentives, and processes The Federal Government will also continue to promote the transfer of government-sponsored S&T and R&D results to the private sector, to ensure that the Identity Ecosystem adopts and deploys the advances that emerge from this effort.International IntegrationIntegrate the Identity Ecosystem internationally. _a2fa18ac-2ab3-11e1-9d2c-416a7a64ea2a4.2Given the global nature of online commerce, the Identity Ecosystem cannot be isolated from internationally available online services and their identity solutions Without compromising the guiding principles of the Strategy, the public and private sectors will strive to enable international interoperability In order for the U S to benefit from other nations’ best practices and achieve international interoperability, the U S public and private sectors must be active participants in international technical and policy standardization fora No single entity, including the Federal Government, can effectively participate in every international standards effort The private sector is already involved in many international standards initiatives; ultimately, then, the international integration of the Identity Ecosystem will depend in great part upon private-sector leadership To better support the private sector, the Federal Government will increase its prioritization, coordination, and participation in relevant international technical and policy fora.Commitment to ActionIdentify the respective roles of the public and private sectors and the Federal Government implementation activities that are critical to building and maintaining the Identity Ecosystem._a2fa1b22-2ab3-11e1-9d2c-416a7a64ea2a5The Private SectorRole of the Private Sector Only the private sector has the ability to build and operate the complete Identity Ecosystem, and the final success of the Strategy depends upon private-sector leadership and innovation The key operational roles within the Identity Ecosystem include: subjects, relying parties, identity providers, attribute providers, and accreditation authorities For each of these ecosystem roles, the private sector will constitute the majority of the actors For example, most identity and attribute providers will be private-sector organizations The Strategy can only succeed if the Identity Ecosystem is self-sustaining, which will require the development of business models for each of the service provider roles in the ecosystem Many of these business models will be entirely new, and only the private sector can provide the innovation necessary to realize them The private sector must also play a leadership role in the design and operation of the Identity Ecosystem The development of the Identity Ecosystem Framework and the ongoing work to maintain accountability to that framework will require a true public-private partnership The private sector has the insight into the needs of the market that is necessary to develop effective technical and policy standards for the Identity Ecosystem For-profit organizations can help ensure that the Identity Ecosystem Framework provides sustainable business models and is not an onerous burden on the private sector Advocacy groups and non-profits can magnify the voices of individuals and under-represented groups, and they can work to ensure the enhancement of privacy and to otherwise support civil libertiesFederal GovernmentRole of the Federal Government The Federal Government’s role is to: * Advocate for and protect individuals; • Support the private sector’s development and adoption of the Identity Ecosystem; * Partner with the private sector to ensure that the Identity Ecosystem is sufficiently interoperable, secure, and privacy protecting; * Provide and accept Identity Ecosystem services for which it is uniquely suited; and * Lead by example and implement the Identity Ecosystem for the services it provides internally and externally The Federal Government will support the private sector’s development and adoption of the Identity Ecosystem through activities such as: convening technology and policy standardization workshops, building consensus, establishing public policy frameworks, participating in international fora, funding research, supporting pilots, and initiating education and awareness efforts The Federal Government will partner with the private sector and participate in the development of the Identity Ecosystem Framework to ensure that it establishes a sufficient baseline of interoperability, security, and privacy The Federal Government’s role in this area is to help ensure the outcome; the private sector is better suited to ascertaining the means of achieving that outcome This participation will also enable the Federal Government to advocate for and protect individuals Among the actions that the Federal Government must undertake, privacy is the most important for individuals; as such the Federal Government will ensure that the FIPPs are effectively incorporated into the Identity Ecosystem Framework. The Federal Government has a wealth of information that can be useful to the private sector, but this information can be scattered amongst different agencies and difficult to find To better enable the private sector, the Federal Government will share its best practices and lessons learned in a centralized, accessible way The Federal Government must continue to be a leader through its own participation in the Identity Ecosystem as both a subject and relying party Whenever possible, the Federal Government will use existing private-sector Identity Ecosystem solutions rather than developing or operating its own Moreover, it must not require levels of assurance that are excessive compared to the risk of a given transaction Through these actions, the Federal Government will encourage the market toward trustworthy and interoperable identity solutions.The National Program OfficeThe Secretary of Commerce will establish within the Department of Commerce (Commerce) an interagency office to be known as the National Program Office (NPO) that is charged, consistent with statutory authorities, with achieving the goals of the Strategy The NPO will be responsible for coordinating the processes and activities of organizations that will implement the Strategy Commerce will host this interagency function, because it is uniquely suited to work with the private sector—and with government at all levels—to bring the collective expertise of the nation to bear in implementing the Strategy The NPO will lead the day-to-day coordination of NSTIC activities, working closely with the Cybersecurity Coordinator in the White House The National Program Office will: * Promote private-sector involvement and engagement; * Support interagency collaboration and coordinate interagency efforts associated with achieving programmatic goals; * Build consensus on policy frameworks necessary to achieve the vision; * Identify areas for the government to lead by example in developing and supporting the Identity Ecosystem, particularly in the Executive Branch’s role as a provider and validator of key credentials; * Actively participate within and across relevant public- and private-sector fora; and * Assess progress against the goals, objectives, and milestones of the Strategy and the associated implementation activities The NPO will actively seek interagency collaboration, partner with the private sector and individuals as necessary, harness multi-disciplinary and multi-sector contributions, and provide leadership across the Federal Government In addition to the NPO, the President will designate agencies as leads and partners with the private sector for individual tasks to fulfill the goals and objectives of this Strategy.Non-Federal GovernmentsRole of State, Local, Tribal, and Territorial Governments -- Individuals interact with their State, local, tribal, and territorial governments as much or more than with the Federal Government The Identity Ecosystem can help these governments decrease their costs, even as they increase the services they offer their constituents online Much like the Federal Government, these governments are well-positioned to lead efforts to protect individuals, help standardize policies, and act as early adopters in the provision and consumption of Identity Ecosystem services As such, State, local, tribal, and territorial governments are encouraged to align with the Identity Ecosystem Framework and to support its establishment by participating in its development As a first step, these governments are encouraged to align their efforts with existing Federal work like the FICAM Roadmap and Implementation Guidance One unique strength of these governments is their more direct and personal engagement with their constituents The Federal Government will thus encourage them to initiate education and awareness efforts to engage individuals, small and local businesses, and other local organizations.International PartnersRole of International Partners -- Other nations seek to supply their constituents with the benefits of more trusted identities online, and many are more advanced in their efforts than the United States The public- and private-sectors’ engagement with international partners will be critical to the success of the Identity Ecosystem: the long-term success of the Identity Ecosystem depends upon its international interoperability The Federal Government will thus seek to support the private sector’s engagement in international fora and to improve its own direct engagement in these fora The U S approach differs from that of many nations, who have or are pursuing national offline and online identities The Federal Government explicitly rejects that approach for its own citizens but will work to help the private sector achieve interoperability with the policy and technical standards of other nationsThe implementation of the Identity Ecosystem will require the collaboration and joint commitment of both the public and private sectors This section identifies, first, the respective roles of the public and private sectors and, second, the Federal Government implementation activities that are critical to building and maintaining the Identity Ecosystem._a2fa1db6-2ab3-11e1-9d2c-416a7a64ea2a2010-05-302011-12-19http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdfOwenAmburOwen.Ambur@verizon.net