US Federal Cloud Credential Exchange

TheWindBringeth · Jan 8, 2013

Postal Service Pilots Next-Gen Authentication Tech
http://www.informationweek.com/gove...l-service-pilots-next-gen-authentic/240145559

The government hopes the pilot will serve as the foundation for a wider, federated approach to identity management for government services. Procurement documents characterize the goal as having a single "broker" to validate disparate identity credentials across a wide range of federal agencies. Federal CIO Steve VanRoekel set a requirement in October 2011 that within three years from that date, federal agencies would be able to accept third-party credentials to facilitate access to online government services.

The federated identity effort, known as the Federal Cloud Credential Exchange, is just one piece of a broader Obama administration online identity initiative...

FCCX will most likely not store personally identifiable information and will not have any visibility into any such data, but rather will rely on and support a number of third-party credentialing systems and protocols like SAML and OpenID.

Among the vendors already expressing interest in the pilot project are Symantec, McAfee, Amazon Web Services, Akamai, hybrid cloud authentication vendor Xceedium and a number of government contractors.
Click to expand...

From the linked to procurement document
https://www.fbo.gov/?s=opportunity&mode=form&id=9ac5ae26596477086305de4e56b6476b&tab=core&_cview=1

The internet continues to transform how we do business and communicate with one another, and citizens are increasingly looking to the Federal Government to provide services online. This need is often addressed by agencies offering citizens access to applications by means of usernames and passwords. While this enables agencies to provide some online government services, it creates a burden to the citizen to manage a username and password for each agency application they need to access - as well as a costly burden on each agency to issue and manage these usernames and passwords. Moreover, many high-value Federal applications cannot be put online because passwords do not provide a high enough level of assurance; the next generation of online government applications will require multi-factor authentication.
Click to expand...

A few thoughts...

The use of separate login mechanisms/databases/credentials *increases* security/privacy and fault tolerance through compartmentalization. I think that clearly trumps the convenience argument, which is extremely weak to begin with since those who (foolishly) want to use the same login credentials at different sites are free to do so while those who (wisely) want to use separate login credentials at different sites can very easily manage that. I question the costs savings argument in general but also from the POV that there are beneficial options that fall between consolidate all and consolidate none. Separate login credentials don't actually have to be password based so that is a non issue.

I don't understand the "FCCX will most likely not store personally identifiable information and will not have any visibility into any such data" claim. Basically, if a citizen has to log-in to a federal site to file an application or check a type of account, that federal site is going to have to know or receive the citizens personally identifiable information. It sounds as though the idea is to allow someone to log-in to government sites using credentials setup for commercial entities. Which would immediately and automatically cause everything held by those commercial entities to become correlated with everything held by the government entities. Perhaps the quoted claim is meant to reassure people that the government won't be able to see all the information held by those commercial entities. Needless to say, that is an extremely dubious claim.

I think citizens would be far better off if the federal government updated and perhaps to a limited extent consolidated things but otherwise continued to run/manage its own identity management systems which don't accept third party credentials. The idea should be to eliminate third parties and keep everything private between the two parties interacting. Which in this case is the citizen and the Federal Government. The last thing we need are commercial entities datamining those interactions, even if what could be datamined appears to be limited. Unfortunately, given the Google Analytics scripts on government websites, many government IT people don't even understand this simple concept

Log in or Sign up

US Federal Cloud Credential Exchange

TheWindBringeth Registered Member

Log in or Sign up

US Federal Cloud Credential Exchange

TheWindBringeth Registered Member

Useful Searches