Mapping out our Destination: Responsible Innovation via the NIST Identity Roadmap

RSA
Conference
week
is
always
a
whirlwind.
NIST
was
there
front
and
center
last
month,
and
we
learned
a
lot,
shared
a
lot,
and
made
a
big
announcement
during
the
festivities…

We
were
excited
to
announce
that
NIST’s


DRAFT
Identity
and
Access
Management
Roadmap
was
released
for
public
comment
on
Friday,
April
14^th
and
that
the
comment
period
will
be
extended
to

June
16^th.

What
is
the
Roadmap?

The
Roadmap
provides
a
consolidated
view
of
NIST’s
planned
identity
efforts
over
the
coming
years
and
serves
as
a
vehicle
to
communicate
our
priorities.
It
provides
guiding
principles,
strategic
objectives,
aligns
NIST
efforts
with
nationally-defined
priorities,
and
supports
long-term
planning
of
identity
and
access
management
(IAM)
initiatives.
It
covers
a
diverse
array
of
projects
including
biometric
technology
evaluation,
Mobile
Driver’s
License,
and
fraud
detection
using
Privacy
Enhancing
Technology.
It
also
integrates
teams
and
disciplines
from
across
NIST. 

What
are
NIST’s
IAM
Guiding
Principles?

In
addition
to
communicating
strategic
priorities,
we
are
using
the
roadmap
to
reinforce
the
core
values
that
define
our
efforts.
These
are
represented
by
five
guiding
principles
that
will
be
imbued
in
our
work,
whether
it
be
via
guidance,
research,
or
reference
implementations:

1. 
   
   
   Enhance
   privacy
   and
   security
   by
   integrating
   confidentiality,
   integrity,
   and
   availability
   into
   our
   efforts
   alongside
   the
   core
   privacy
   engineering
   objectives
   of
   predictability,
   manageability,
   and
   disassociability.
2. 
   
   
   Foster
   equity
   and
   individual
   choice
   by
   exploring
   the
   diverse
   socio-technical
   impacts
   of
   identity
   technology
   and
   integrating
   optionality
   and
   flexibility
   into
   our
   work
   products.
3. 
   
   
   Promote
   usability
   and
   accessibility
   by
   assessing
   the
   impacts
   of
   technology
   on
   diverse
   communities
   with
   varying
   levels
   of
   technology
   access,
   knowledge,
   and
   capabilities.
4. 
   
   
   Enhance
   interoperability
   and
   standardization
   by
   creating
   or
   contributing
   to
   accessible
   and
   technically
   viable
   standards,
   guidance,
   and
   specifications.
5. 
   
   
   Improve
   measurement
   and
   transparency
   of
   identity
   technology
   by
   creating
   methodologies
   and
   metrics
   that
   enhance
   the
   fundamental
   understanding
   of
   how
   technologies
   perform
   and
   are
   open
   and
   available
   to
   the
   public.

Taken
together,
these
principles
are
intended
to
set
the
conditions
for


responsible
innovation
–
the
idea
of
driving
towards
new
technologies
and
solutions
in
a
manner
that
is
informed
by
the
broader
impacts
associated
with
technological
change.

What
are
NIST’s
Strategic
Objectives?

The
Roadmap
highlights
eight
strategic
objectives
–
with
numerous
planned
supporting
activities
that
NIST
intends
to
explore
in
the
coming
years:

1. 
   
   Accelerate
   implementation
   and
   adoption
   of
   mobile
   driver’s
   license
   and
   user-controlled
   digital
   identities
2. 
   
   Expand
   and
   enhance
   biometric
   and
   identity
   measurement
   programs
3. 
   
   Promote
   technologies
   that
   enable
   authoritative
   attribute
   validation
4. 
   
   Advance
   secure,
   private,
   usable,
   and
   equitable
   identity
   proofing
   and
   fraud
   mitigation
   options
5. 
   
   Accelerate
   the
   use
   of
   phishing
   resistant,
   modern
   multi-factor
   authentication
   (MFA)
6. 
   
   Modernize
   Federal
   Personal
   Identity
   Verification
   (PIV)
   guidance
   and
   Infrastructure
7. 
   
   Promote
   greater
   federation
   and
   interoperability
   of
   identity
   solutions
8. 
   
   Advance
   Dynamic
   Authorization
   and
   Access
   Control
   Schemes

Each
of
these
objectives
are
multi-year
in
nature,
with
expected
collaboration
between
and
across
government,
academia,
and
industry—
which
NIST
considers
a
critically
important
part
of
the
process
(and
ultimately,
necessary
for
success).
Projects
in
support
of
these
objectives
will
run
the
spectrum
from
foundational,
pre-standardization
research
to

full
National
Cybersecurity
Center
of
Excellence
(NCCoE)
Practice
Guides
(basically,
our
“how
to”
resources).

How
can
I
get
involved?

You
can
start
by
commenting
on
the
roadmap!
We
published
it
to
gain
feedback
from
the
broadest
possible
spectrum
of
interested
parties.
So…please
read
it,
send
it
to
a
friend,
pass
it
around
your
community,
and
send
us
your
thoughts!
To
submit
your
comments
email
us
at


digital_identity
[at]

nist.gov
by

June
16^th,
2023.

You
can
also
follow
our
work
on
the

IAM
Program
page,
join
one
of
our

Communities
of
Interest
at
the
NCCoE
(such
as
the
one
for

Digital
Identities
–
Mobile
Driver’s
License),
attend
our
events,
or
comment
on
our
guidance.
For
those
of
you
attending
Identiverse
we
will
be
giving
a

presentation
covering
the
roadmap
with
a
specific
emphasis
on
our
mDL,
PIV
Modernization,
and
international
interoperability
efforts.
We
look
forward
to
hearing
and
learning
from
you
all
along
the
way.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts