US Gov public web sites required to accept federated credentials

On October 6, 2011, the US Federal CIO signed the OMB Memo “Requirements for Accepting Externally-Issued Identity Credentials [PDF]” that requires US Government public facing web sites to accept federated (non-Government, externally issued) credentials.

Highlights from the OMB Memo:

“To decrease the burden on users of our systems, and reduce costs associated with managing credentials, agencies are to begin leveraging externally-issued credentials, in addition to continuing to offer federally-issued credentials. […]

Effective 90 days following final approval of at least one Trust Framework Provider (identified in Attachment A), agencies are to begin implementing the new requirement that will result in full implementation over the next three years by taking the following actions:

• All new development of assurance Level 1 web sites that allow members of the public and business partners to register or log on must be enabled to accept externally-issued credentials in accordance with government-wide requirements.
• Existing assurance Level 1 web sites that allow members of the public and business partners to register or log on must include the requirement to accept externally-issued credentials in accordance with government-wide requirements when those sites are enhanced or upgraded.

Additionally, where appropriate and as resources permit, Levels 2, 3 and 4 websites that allow members of the public and business partners to register or log on should be enabled to accept externally-issued credentials at higher levels of identity assurance in accordance with government-wide requirements.

To ensure federal privacy and security requirements are addressed, agencies are required to follow Office of Management and Budget (OMB) policy and may only accept externally issued credentials that are issued in accordance with National Institute of Standards and Technology guidelines and Federal Chief Information Officers Council processes. Refer to Attachment A for the current list of approved providers. For existing web sites accepting non-approved externally-issued credentials, the agency must have an OMB/agency agreed-upon plan for complying with the requirement to use approved providers and schemes.”

As you can imagine, this is a pretty big endorsement of Federated Identity by the US Government, and moves the ball forward significantly from the perspective of both FICAM and NSTIC. (I will provide a link to the official memo as soon as OMB puts it up on their web site.)

RELATED INFO

• OMB Memo: Requirements for Accepting Externally-Issued Identity Credentials [PDF]
• White House Blog: Advancing the National Strategy for Trusted Identities in Cyberspace: Government as Early Adopter
• HOW-TO: Fast Track to Federation for Web Sites
• HOW-TO: Conduct a Risk Assessment to Determine Acceptable Credentials
• Implications of US Gov Accepting Externally-Issued Credentials