DirectTrust Submits Comments to NIST on Identity and Access Roadmap

Our Identity Management Policy (IdMP) Sub-Workgroup has been hard at work. Following on the heels of our response to NIST SP 800-63-4, NIST released another publication for public comment.  DirectTrust is pleased to announce our response to the National Institute of Standards and Technology (NIST) Identity and Access Management (IAM) Roadmap. 

Why Did NIST Release this IAM Roadmap?

In the words of NIST:

“NIST has long played a leadership role in advancing critical research, standards, and technology in support of IAM efforts, including through development of the Digital Identity Guidelines (Special Publication 800-63). This role continues today with refreshed emphasis driven by federal legislation and priorities such as the CHIPS and Science Act (CHIPS) and the National Cybersecurity Strategy (NCS).”

In fact, NIST was mentioned 50 times in CHIPS and 6 times in the NCS. Needless to say, NIST is slated to play a significant role in our nation’s technology innovation and development in the coming years. 

All the references to NIST in recent publications by the White House did not relate to Identity and Access Management. Nevertheless, there was enough emphasis to trigger NIST to collect feedback from the industry on how it will allocate its resources to the IAM space in the coming years.

Why Does the NIST IAM Roadmap Matter to DirectTrust?

NIST’s publications in the IAM space serve as the bedrock on which DirectTrust policies are built. For example, DirectTrust policies were founded on revision 2 of the NIST SP 800-63 series. Further still, the DirectTrust policies currently observe the third revision of the guidelines. Our policies and accreditation programs also reference several other NIST publications and Federal Information Processing Standards (FIPS), which all come under the purview of NIST. 

Digital identity and cybersecurity play a fundamental role in nearly everything we do at DirectTrust. Health information cannot be shared securely without knowing who an organization is communicating with over the internet, with confidence.

That’s why we accredit our Certificate Authorities and Registration Authorities (called Credential Service Providers by NIST) against our DirectTrust policies that have been founded and ratified through our mature governance processes.

What Did the IAM Roadmap Include?

The IAM roadmap laid out the NIST’s guiding principles, drivers, and specific strategic objectives. The principles that were laid out embody the ideals that one might expect from an organization operating at the caliber of NIST. Privacy, security, equity, accessibility, interoperability, transparency, and measurement were all referenced, among others. 

The drivers that motivate NIST were comprehensive, including staying ahead of attackers, managing public expectations and sentiments, advancing industry capabilities, and of course, policies, directives, and Acts (such as CHIPS). 

Lastly, the IAM roadmap included the following strategic objectives:

• Accelerate Implementation and Adoption of Mobile Driver’s Licenses (mDL) and User Controlled Digital Credentials
• Expand and Enhance Biometric and Identity Measurement Programs
• Promote Technology that Enables Authoritative Attribute Validation
• Advance Secure, Privacy-Protective, and Equitable Identity Proofing and Fraud Mitigation Options
• Accelerate the Use of Phishing Resistant, Modern Multi-Factor Authentication
• Promote Greater Interoperability of Identity Solutions
• Advance Dynamic Authorization and Access Control Schemes
• Modernize the Federal PIV Architecture and Guidance

What Were DirectTrust’s Recommendations?

All told, our IdMP felt that NIST did an excellent job taking a leadership role in defining the road ahead for IAM. We felt the roadmap embraced a lot of the changes that are taking place in the digital identity industry today.

However, we did have some specific recommendations back to NIST on a few areas that the community felt were very important for NIST to consider. We suggested two new strategic objectives, edits to three of NIST’s existing strategic objectives, and two specific research activities that we felt NIST should focus on.

New Strategic Objectives

The first strategic objective we suggested was a focus on identity resolution. In healthcare, we call this problem “patient matching”. We decided to break this out into its own objective, separate from the others because it represents a different problem set from digital identity credentials. Due to the scale of the problem, it also requires a distinct allocation of resources to solve. To get a better understanding of how identity resolution is different from digital identity credentials, please see our blog post on this topic. 

The second objective we suggested was a focus on educating the public on expectations, risks, and general orientation around digital identity. To quote an excerpt from our response:

“Many consumers harbor fears regarding identity proofing and authentication technologies simply because they lack understanding. By providing educational resources, NIST can bridge this knowledge gap and alleviate these fears, empowering consumers to make informed decisions about their digital identity credentials and associated transactions.”

Recommended Additions to Existing Strategic Objectives

With respect to the IAM Roadmap’s existing objective, we recommended that NIST align its efforts with our nation’s partners, such as the European Telecommunications Standards Institute (ETSI). We also suggest NIST increase its emphasis on User Controlled Credentials, such as the mDL and other similar capabilities. 

However, perhaps most importantly, we spent a great deal of energy laying out a case for NIST to update its objective that focused on promoting greater interoperability of identity solutions. We noted that NIST did not mention the concept of cryptographic trust in this objective. We feel that managing cryptographic trust is already an underserved priority. Unfortunately, that priority is only going to increase in importance as new disparate identity infrastructures come online. Cryptographic trust and trust store management are the bedrock on which interoperability can be built. We feel that a failure to acknowledge this important aspect of interoperability will likely result in the failure of the whole strategic objective. We recommended that NIST explicitly mention the management of cryptographic trust within its stated objective of supporting the interoperability of identity solutions.

Lastly, our IdMP recommended that NIST allocate resources to producing guidance to the industry on Zero Knowledge Proofs (ZKPs) and techniques for combatting AI for unsupervised remote identity proofing.  

What’s Next?

Many of the items in NIST’s IAM Roadmap, as well as some that weren’t, are already underway within the DirectTrust community. It appears NIST and DirectTrust are marching to the beat of the same drum. From our work on identity resolution to our educational blog series on digital identity, DirectTrust will continue to align itself with NIST and what healthcare needs the most when it comes to trust and interoperability.