National Strategy for Trusted Identities in Cyberspace


The National Strategy for Trusted Identities in Cyberspace (NSTIC, or Strategy) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of online transactions.

In the current online environment, individuals are asked to maintain dozens of different usernames and passwords, usually one for each website with which they interact. This approach is a burden to individuals, and it encourages behavior—like the reuse of passwords—that makes online fraud and identity theft easier.

At the same time, businesses are faced with ever-increasing costs for managing customer accounts, the consequences of online fraud, and the loss of business that results from individuals’ unwillingness to create yet another account. Moreover, both businesses and governments are unable to offer many services online because they cannot effectively identify the individuals with whom they interact.

The NSTIC Vision[1]#

Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

The realization of this vision is the user-centric Identity Ecosystem," an online environment where individuals and organizations are able to Trust each other because they follow agreed upon standards to obtain and Authenticate their Digital Identities—and the digital identities of devices.

The Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:

  • Identity solutions will be privacy-enhancing and voluntary
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use

The Strategy will only be a success—and the ideal of the Identity Ecosystem will only be fulfilled—if these Guiding Principles are achieved.

Components of the Identity Ecosystem#

The Identity Ecosystem will consist of different online communities that use interoperable technology, processes, and policies. These will be developed over time—but always with a baseline of privacy, interoperability, and security.

The different components include:

  • Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.
  • Steering Group will administer the development of policy, standards, and accreditation processes for the Identity Ecosystem Framework in accordance with the Guiding Principles in the Strategy. The steering group will also ensure that Accreditation Authorities validate participants’ adherence to the requirements of the Identity Ecosystem Framework.
  • Trust Frameworks are developed by a community whose members have similar goals and perspectives.
  • Accreditation authorities assess and validate identity providers, attribute providers, relying parties, and identity media, ensuring that they all adhere to an agreed-upon trust framework. Accreditation authorities can issue trustmarks to the participants that they validate.
  • Trustmark Schemes are the combination of criteria that is measured to determine service provider compliance with the Identity Ecosystem Framework.

The Identity Ecosystem Framework provides a baseline set of standards and policies that apply to all of the participating trust frameworks. This baseline is more permissive at the lowest Level Of Assurance, to ensure that it does not serve as an undue barrier to entry, and more detailed at higher Level Of Assurance, to ensure that requirements are aligned with the risk any given transaction.

The Identity Ecosystem Framework will not be developed overnight. It will take time for different participants to reach agreement on all of the policy and technical standards necessary to fulfill the NSTIC’s vision. Initially, an interim Identity Ecosystem Framework is likely to contain a fairly minimal set of commonly agreed upon standards and policies. The Identity Ecosystem Framework will become more robust over time as participants are able to come to agreement on different standards and policies.

Additional Information[2]#

The White House's National Strategy for Trusted Identities in Cyberspace was released on April 15, 2011 during a formal event at the U.S. Chamber of Commerce. The Strategy is housed at the National Institute for Standards and Technology (NIST) within the Department of Commerce, where a new Program Office has been created. The Program Office is currently headed by Jeremy Grant, former co-chair of the Identity Management Committee at TechAmerica.

As an aspirational document, the NSTIC makes many promising statements. Among these is a often repeated promise to "enhance" privacy and security in online transactions. Much like the preceding draft document, the NSTIC emphasizes the role of the private sector as the "primary developer, implementer, owner, and operator of the Identity Ecosystem."

The NSTIC identifies four parties that will contribute to transactions under the Identity Ecosystem:

  • An individual or non-person entity is the party seeking to engage in an online transaction and the owner of the credential at issue in the transaction.
  • An Identity Provider (IDP) - "is responsible for establishing, maintaining, and securing the digital identity associated" with an individual or non-person entity, including "revoking, suspending, and restoring the subject's digital identity if necessary."
  • An Attribute Provider (AP) - "is responsible for the processes associated with establishing and maintaining identity attributes ... including validating, updating, and revoking the attribute claim.
  • A Relying Party (RP) - is the party with which the individual or non-person Entity wishes to transact. "Within the Identity Ecosystem, the relying party selects and trusts the identity and attribute providers of their choice, based on the risk of credential types and identity media."

In addition, the document calls for the incorporation of clear rules and guidelines based on eight Best Practices, which the document defines in an Appendix. Though these practices are to "address not only the circumstances under which a service provider or relying party may share information but also the kinds of information that they may collect and how that information is used," the NSTIC does not mandate the practices to be implemented as they are defined within it:

  • Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
  • Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
  • Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
  • Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
  • Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
  • Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
  • Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
  • Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

More Information#

There might be more information for this subject on one of the following: