Anil John
Making Digital Services Secure and Trustworthy

US Gov public web sites required to accept federated credentials

On October 6, 2011, the US Federal CIO signed the OMB Memo "Requirements for Accepting Externally-Issued Identity Credentials [PDF]", which requires US Government public-facing web sites to accept federated (non-Government, externally issued) credentials.

Highlights from the OMB Memo:

"To decrease the burden on users of our systems, and reduce costs associated with managing credentials, agencies are to begin leveraging externally-issued credentials, in addition to continuing to offer federally-issued credentials. [...]

Effective 90 days following final approval of at least one Trust Framework Provider (identified in Attachment A), agencies are to begin implementing the new requirement that will result in full implementation over the next three years by taking the following actions:

  • All new development of assurance Level 1 web sites that allow members of the public and business partners to register or log on must be enabled to accept externally-issued credentials in accordance with government-wide requirements.
  • Existing assurance Level 1 web sites that allow members of the public and business partners to register or log on must include the requirement to accept externally-issued credentials in accordance with government-wide requirements when those sites are enhanced or upgraded.

Additionally, where appropriate and as resources permit, Levels 2, 3 and 4 websites that allow members of the public and business partners to register or log on should be enabled to accept externally-issued credentials at higher levels of identity assurance in accordance with government-wide requirements.

To ensure federal privacy and security requirements are addressed, agencies are required to follow Office of Management and Budget (OMB) policy and may only accept externally issued credentials that are issued in accordance with National Institute of Standards and Technology guidelines and Federal Chief Information Officers Council processes. Refer to Attachment A for the current list of approved providers. For existing web sites accepting non-approved externally-issued credentials, the agency must have an OMB/agency agreed-upon plan for complying with the requirement to use approved providers and schemes."

As you can imagine, this is a pretty big endorsement of Federated Identity by the US Government, and moves the ball forward significantly from the perspective of both FICAM and NSTIC. (I will provide a link to the official memo as soon as OMB puts it up on their web site.)

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
