Mary Mitchell

1

Management Issues and the Business Case for
Authentication Services
IIBT Technology Managers Conference June 10, 2002

• Mary Mitchell
• E-Authentication Initiative
• Office of Electronic Government
• mary.mitchell_at_gsa.gov
• www.cio.gov/eauthentication

2
Topics

• Business Case Management Issues
• Project Mission, and Goals
• Objectives and Measures
• Overview of Concepts
• Planned Activities
• Next Steps
• Questions

3

• Identity is the most basic element in a
  high-value relationship

4
Trust Online

• Trust relys on the belief that Privacy and
  Security are being provided
• Users demand Recourse if something goes wrong
• Trust is aligned with Brand or Name Recognition
• Consumers want Accountability, Ease of Use, and
  Responsiveness
• Businesses want clearly assigned Responsibility
  and Liability

5
Management Issues

• Trust in doing business with the Government
  online
• Investment in information security infrastructure
• Reducing the burden of doing business
• Organize authentication needs along government
  lines of business
• No one solution fits all the needs
• Lack of consistent policy and interoperability
  except for PKI
• Issuing and managing identity credentials

6
PMC Cross-Agency E-Gov Initiatives
Government to Business
Government to Citizen
Managing Partner GSA DOT Treasury HHS SBA DOC
Managing Partner GSA Treasury DoEd DOI Labor
1. Federal Asset Sales 2. Online Rulemaking
Management 3. Simplified and Unified
Tax and Wage Reporting 4. Consolidated
Health Informatics 5. Business
Compliance 1 Stop 6. Intl Trade Process
Streamlining
1. USA Service 2. EZ Tax Filing
3. Online Access for Loans 4.
Recreation One Stop 5. Eligibility Assistance
Online (GovBenefits)
Cross-cutting E-Authentication GSA, Enterprise
Architecture OMB
Managing Partner OPM OPM OPM GSA OPM OPM GSA NARA
Government to Government
Internal Effectiveness Efficiency
Managing Partner SSA HHS FEMA DOI Treasury
1. e-Training 2.
Recruitment One Stop 3. Enterprise
HR Integration e-Travel eClearance ePayroll 4
. Integrated Acquisition 5. e-Records
Management
1. e-Vital 2. e-Grants 3. Disaster
Assistance and Crisis Response 4.
Geospatial Information One Stop 5.
Wireless Networks
7
eAuthentication Initiative Mission

• Public Trust in the security of information
  exchanged over the internet plays a vital role in
  the eGov transformation. The eAuthentication
  Initiative makes this trust possible.

8
eAuthentication InitiativeGoals

• To Build and Enable mutual Trust needed to
  support wide spread use of electronic
  interactions between the public and Government,
  and across Governments
• To minimize the burden on public when obtaining
  trusted electronic services from the Government,
  and across the governments
• Deliver common interoperable authentication
  solutions, ensuring they are an appropriate match
  for the levels of risk and business needs of each
  eGovernment initiative

9
Objectives and Measures

• Define operational concepts, to include critical
  success factors and requirements, in conjunction
  with each eGov Initiative
• First 12 or More by 07/02
• Remaining Completed 12/02
• Develop an outreach program to the eGov
  initiatives, industry, and customer groups
• Communications Plan by 04/02
• Approved 4-15-02
• Develop an initial authentication capability that
  will support multiple levels of assurance
• Gateway Prototype functional by 09/02
• FirstGov Interfaced with Gateway Prototype
• Two e-Gov Applications using Authentication
  Services
• Gateway Fully operational by 09/03

10
E-Authentication Vision
Strong
Digital Signature
Privileged Management
24 e-Gov Initiatives
Authentication Needs
Single Sign On
Click-wrap
None
None
PKI
One-Time Password
User ID/ Passwords PINS
Pen-based Signature
Biometrics
Solution Sets
Strong
Weak
11
Planned Activities

• Assess Authentication Needs and Risks Across
  e-Government Initiatives
• Identify Appropriate Levels of Assurance
• Assess Installed Base to Capitalize on Investment
• Aggregate Requirements for Common Solutions
• Drive Unification of Authentication Standards and
  Practices
• Develop the Gateway

12
Assessing Online Risk

• Three primary risks
• Program fraud
• Improper disclosure
• Image of the Agency
• Determining transaction risk
• Recommend an appropriate authentication
  mechanism for a given transaction
• Examine transaction flow and vulnerabilities
• Provide rough cost estimates
• Selected SEI Octave Risk Methodology

13
Gateway Notional Design
ID/Credential
Issuers
Identity
Verification
Not Required
State or Federal
Government
Identity
Verification Required
Credential
Validation
Protocol(s)
Authentication
Gateway
Federal Agency
Relying Parties
14
Next Steps

• Continue exchange with agencies and with industry
  in public meetings - Industry Day Jun 18
• Many E-Gov initiatives are still defining
  requirements
• Complete initial concept design alternatives for
  Gateway
• Survey of Initiatives and authentication needs
• Select at least 4 eGov Initiatives for initial
  OCTAVE Risk Assements
• Develop prototype gateway and demonstrate
  prototype with at least two applications

15
Questions

• Scope?
• Approach?
• Privacy?
• Policy?
• Financing?
• Acquisition strategy?

16
E-Authentication Partners
Contacts Project Manager Steve Timchak
703.872.8604 Progress www.cio.gov/eauthenticat
ion

• GSA
• NIH
• NASA
• Treasury
• SSA
• USDA
• CMU/SEI