<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="Crane-StratML2HTML.xsl"?>
<StrategicPlan><id></id><Name>DRAFT National Strategy for Trusted Identities in Cyberspace</Name><Description>This Strategy provides a vision for how users, service providers, and other stakeholders can improve
their use of digital identities in online transactions. High-level actions are proposed that support the
development and maintenance of governance, management, and execution-level activities needed to
achieve the Identity Ecosystem.
Our reliance on cyberspace as a means to conduct business and exchange information will continue
to grow in the years ahead, and with it our need to trust the identities of those with whom we interact
online. The protection of the identities of individuals and organizations while conducting online
transactions is pivotal to protecting open commerce, promoting innovation, and securing our Nation&#8217;s
critical assets. The Identity Ecosystem demonstrates the ability to protect individual rights, provide
enhanced privacy, and prevent fraud to mitigate the risk of identity theft and malfeasant behavior
online.
The Federal Government, in collaboration with individuals, businesses, non-profits, advocacy groups,
associations, and other governments, must lead the way to improve how identities are trusted and
used in cyberspace. Ongoing collaboration between private and public sectors has already resulted
in significant gains towards establishing Identity Ecosystem components. However, much more
remains to be done.
There is a compelling need to address these problems as soon as is practical, making progress in the
short-term and planning for the long-term. For the Nation to realize the vision of this Strategy and
associated benefits, all stakeholders must come together in a collaborative partnership. The scope of
this effort requires coordination across many boundaries and will require involvement and leadership
from all sectors.</Description><OtherInformation></OtherInformation><StrategicPlanCore><Organization><Name>To be determined</Name><Acronym></Acronym><Identifier>_4604f380-8229-11df-ba87-13577a64ea2a</Identifier><Description></Description><Stakeholder><Name></Name><Description></Description></Stakeholder></Organization><Vision><Description>Individuals and organizations utilize secure, efficient, easy to use and interoperable identity
solutions to access online services in a manner that promotes confidence, privacy, choice,
and innovation.</Description><Identifier>_46050050-8229-11df-ba87-13577a64ea2a</Identifier></Vision><Mission><Description>To provide a vision for how users, service providers, and other stakeholders can improve
their use of digital identities in online transactions and propose high-level actions that support the
development and maintenance of governance, management, and execution-level activities needed to
achieve the Identity Ecosystem.</Description><Identifier>_4605030c-8229-11df-ba87-13577a64ea2a</Identifier></Mission><Value><Name>Security and Resiliency</Name><Description>Identity Solutions will be Secure and Resilient - 
Securing identity solutions against attack or misuse is paramount. Security ensures the
confidentiality, integrity, and availability of identity solutions. Strong cryptography, the use of open
and well-vetted security standards, and the presence of auditable security processes are critical to the
trustworthiness of an identity solution. Identity solutions should have security built into them such that
they detect and prevent intrusions, corruption, and disruption to the maximum extent possible.
Identity solutions should be resilient, able to recover and adapt to drastic or abrupt change. They
should be capable of timely restoration after disruption occurs and should adapt to the dynamic
nature of technology. Tolerance to loss, compromise, or theft is crucial for maintaining services
during and after disruption. Security infrastructure should prevent unauthorized transactions by
authorized individuals/entities. The ability to support robust forensic capabilities maximizes recovery
efforts and provides a valuable opportunity to apply lessons learned to future enhancements.</Description></Value><Value><Name>Interoperability</Name><Description>Identity Solutions will be Interoperable - 
Interoperability encourages service providers to accept a variety
of credential and identity media, similar to the way ATMs accept
credit and debit cards from different banks. Interoperability
supports identity portability by allowing individuals to use a variety
of credentials in asserting their digital identities to various service
providers.
This principle recognizes two interoperability ideals within the
Identity Ecosystem:
1. There will be standardized, reliable credentials and
identity media in widespread use; and
2. If an individual, device, or software presents a valid and appropriate credential, any qualified
relying party could accept the credential as proof of identity and attributes.
To achieve these ideals, identity solutions should be scalable across multiple federations, spanning
traditional geographic borders. An identity federation allows an organization to accept and trust
external users authenticated by a third party. Within the Identity Ecosystem, individuals will have the
capability to conduct online transactions seamlessly across numerous service providers and identity
federations. Identity solutions achieve scalability when all participants in the various federations
agree upon a common set of standards, requirements, and enforcement mechanisms for securely
exchanging digital identity information, resulting in authentication across federations.
There are three types of interoperability requirements for identity solutions:
* Technical Interoperability &#8211; The ability for different technologies to communicate and
exchange data based upon well-defined and widely adopted interface standards.
* Semantic Interoperability &#8211; The ability of each end-point to communicate data and have
the receiving party understand the message in the sense intended by the sending party.
* Policy Interoperability &#8211; Common business policies and processes (e.g., identity proofing
and vetting) related to the transmission, receipt, and acceptance of data between systems,
which a legal framework supports.
Lastly, the Identity Ecosystem will encourage identity solutions to utilize non-proprietary standards to
help ensure interoperability. In addition, identity solutions will be modular, allowing service providers
to build sophisticated identity systems using smaller and simpler sub-systems. This improves the
flexibility, reliability, and reuse of these systems, and allows for simplicity and efficiency in change
management as service providers can add and remove components without requiring wholesale
updates.</Description></Value><Value><Name>Privacy and Noncoercion</Name><Description>Identity Solutions will be Privacy Enhancing and Voluntary for the Public -
There are practical barriers in place that preserve individual privacy in the offline world. For example,
an individual can utilize a driver&#8217;s license to open a bank account, get onto an airplane, or get into an
age-restricted movie. The Department of Motor Vehicles does not know all the places that service
providers accept driver&#8217;s licenses as identification. It is also difficult for the bank, the airport, and the
movie theater to get together and link the transactions together. At the same time, there are aspects
of these offline transactions that are not privacy-protective. The movie theater attendant that checks
the driver&#8217;s license only needs to know that the individual is over age 18. However, the driver&#8217;s
license reveals unnecessary information, such as
address and actual date of birth, when the individual
provides it for age verification.
Ideally, identity solutions should preserve the positive
privacy benefits of offline transactions, while mitigating
some of the negative privacy aspects. The eight Fair
Information Practice Principles (FIPPs) &#8212;
Transparency, Individual Participation, Purpose
Specification, Data Minimization, Use Limitation, Data
Quality and Integrity, Security, and Accountability and
Auditing &#8212; are the widely accepted framework for
evaluating and mitigating privacy impacts. Universal
and integrated adoption of the FIPPs in the Identity
Ecosystem should enable individuals to understand and
make meaningful choices about the use of their personal information in cyberspace. Adoption of the
FIPPs should also ensure that organizations limit data collection, only use and distribute information
that is relevant and necessary, maintain appropriate safeguards on that information, and are
responsive and accountable to individuals&#8217; privacy expectations.
Fully integrating all of the FIPPs into the Identity Ecosystem will be the key to achieving trusted
identities in cyberspace that are truly privacy enhancing. For example, many privacy approaches
focus on the principles of Transparency and Individual Participation, which include the provision of
privacy notices and individual privacy choices. However, if such approaches fail to incorporate the other FIPPs, the entire burden of implementing privacy protections is on the individual. Alternatively,
an Identity Ecosystem grounded in a more holistic adoption of the FIPPs provides multi-faceted
privacy protections. It includes, for example, the creation and adoption of privacy-enhancing technical
standards that allow individuals to transmit the minimum amount of information necessary to the
transaction. Such policies and standards would also minimize the linkage of credential use among
and between service providers.
In circumstances where individuals make choices regarding the use of their data (such as to restrict
particular uses), those choices are communicated to and implemented by all subsequent data
holders. In addition, the Identity Ecosystem includes limits on the length of time organizations can
retain personal information and requires such organizations to provide individuals with appropriate
opportunities to access, correct, and delete it. The Identity Ecosystem also requires organizations to
maintain auditable records regarding the use and protection of personal information and compliance
with applicable standards, law, and policies.
Voluntary participation is another critical element of this Strategy. Engaging in online transactions
should be voluntary to both organizations and individuals. The Federal Government will not require
organizations to adopt specific identity solutions or to provide online services, nor require individuals
to obtain high-assurance digital credentials if they do not want to engage in high-risk online
transactions with the government or otherwise. The Identity Ecosystem should encompass a range of
transactions from anonymous to high assurance. Thus, the Identity Ecosystem should allow an
individual to select the credential he or she deems most appropriate for the transaction, provided the
credential meets the risk requirements of the relying party.</Description></Value><Value><Name>Cost-Effectiveness and Ease of Use</Name><Description>Identity Solutions will be Cost-Effective and Easy To Use -
From the individual&#8217;s perspective, the increasing complexity
and risk of managing multiple credentials threaten the
convenience associated with online transactions. The number
and diversity of service providers requires individuals to have
multiple usernames and passwords, generally one for each
provider. Many require complex and frequent password
changes, a burden for both the service provider and the
individual. This also imparts an increased risk of account
compromise through insecure user management of account
credentials and an increased likelihood of account
abandonment.
The Identity Ecosystem must address this complexity as well as the underlying security vulnerabilities
created by it. The Identity Ecosystem will promote federated identity solutions and foster the
reduction and elimination of silos that require individuals to maintain multiple identity credentials.
Individuals will benefit from the federated identity solution by establishing a small number of identity
credentials that they can leverage across a wide variety of service providers. Organizational entities
will benefit from the federated identity solution through the elimination of locally administered or
application-specific credential issuance and maintenance.
Identity solutions can result in efficiencies for all parties due in part to reduction in fraud, help desk
costs, and expensive paper-based processes. Further, identity solutions that leverage reusable
infrastructure promote operational efficiency and further reduce the cost of implementation, thereby
increasing the potential return on investment.
Identity solutions should be simple to understand, intuitive, easy to use, and enabled by technology
that requires minimal user training. Service providers should perform usability studies to quantify ease-of-use. Many existing infrastructure components in use today (e.g., cell phones, smart cards,
personal computers) should be leveraged to facilitate ease-of-use through their wide adoption,
accessibility, and availability. Whenever possible, identity solutions should be &#8220;built-in&#8221; to the
infrastructure to enable usability.</Description></Value><Goal><Name>Identity Ecosystem Framework</Name><Description>Develop a comprehensive Identity Ecosystem Framework.</Description><Identifier>_46050690-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The Identity Ecosystem Framework guides the development of individual Trust Frameworks within the
Identity Ecosystem. The Identity Ecosystem Framework will enable policy development and creation
of robust practices for identity assurance across the Nation. The Identity Ecosystem Framework will
also be flexible enough to accommodate the differing needs of the various participants in the Identity
Ecosystem.
The Identity Ecosystem Framework should address the following barriers in the current environment:
&#183; Service providers base their current authentication processes and requirements on
individual business uses rather than a commonly understood notion of the risk associated
with a transaction.
&#183; There is an absence of a common framework to help establish trusted identities among
participants in a broad, diverse landscape of online transactions.
&#183; Existing standards do not drive sufficient interoperability across service providers.
&#183; Concerns regarding liability for providing identity, credential, and attribute-related services
have prevented development of the Identity Ecosystem.</OtherInformation><Objective><Name>Identification and Authentication Standards</Name><Description>Establish comprehensive identification and authentication standards
based on defined risk models.</Description><Identifier>_46050802-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>1.1</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The development and adoption of national standards of practice for online identification and
authentication processes is critical in promoting consistency and trust in a distributed online
environment with radically diverse transaction types and diverse identity management solutions. A
risk model provides the capability to assess and tailor the level of security to the risk of the
transaction; it also provides a common understanding of the level of assurance required based upon
the types of threats and the potential severity of impacts when conducting a particular type of
transaction. These standards, which may be based on existing efforts within international standards
organizations, will define how to remotely authenticate and govern, manage and execute the digital identity of users, devices, and services over open networks to provide the desired level of
interoperability and security commensurate with the risk of the transaction. The standards must also
enable consistency, while maintaining agility to adapt as security threats evolve and the market
innovates.</OtherInformation></Objective><Objective><Name>Participant Responsibilities</Name><Description>Define participant responsibilities in the Identity Ecosystem and
establish mechanisms to provide accountability.</Description><Identifier>_4605094c-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>1.2</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Key elements of the Identity Ecosystem Framework are defining the rights and responsibilities of the
various participants in the Identity Ecosystem and establishing an enforcement mechanism, if
participants do not carry out these responsibilities. To define these responsibilities, the Federal
Government must address liability issues within the Identity Ecosystem (e.g., should there be liability
caps or floors on identity providers if credentials are fraudulently used?). These liability concerns
have historically prevented organizations from providing and using identity and attribute provider
services. The Federal Government needs to establish new or amend existing policies and laws to
address these liability concerns and to establish the enforcement mechanisms that provide
accountability.
Multiple entities currently enforce online security and privacy standards in a distributed fashion across
both government and the private sector. Any new laws and policies must maintain the flexibility of this
approach, while harmonizing a diverse and sometimes conflicting set of requirements that currently
prevents interoperability and trust across communities.</OtherInformation></Objective></Goal><Goal><Name>Identity Infrastructure</Name><Description>Build and implement interoperable identity infrastructure aligned with
the common Identity Ecosystem Framework.</Description><Identifier>_46050a96-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Creating trusted identities among participants in the Identity Ecosystem requires an infrastructure to
support the interactions between transaction participants. This goal seeks to address the following
barriers in the current environment:
&#183; Slow implementation pace of identity solutions to provide secure, streamlined access to
online services.
&#183; Lack of diverse identity solutions capable of operating successfully together.
&#183; Lack of secure, convenient, user-friendly options for user authentication and identification.
&#183; The high relative implementation and management costs that have prevented a rapid
growth in the market for identity and attribute provider services.</OtherInformation><Objective><Name>Leadership and Adoption</Name><Description>Continue government leadership and adoption of the Identity
Ecosystem Framework.</Description><Identifier>_46050bf4-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>2.1</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Government is both a significant provider and customer of a large number of valuable online services.
Through this role, Federal, state, local, and tribal governments must continue to lead by example and
be early adopters of identity solutions that align to the Identity Ecosystem Framework. Over time, this
will help drive consumer expectations and demand for improved identity solutions across all online
services. Government must also continue to leverage its buying power as a significant customer of the
private sector to enhance the business case and marketplace for these solutions.</OtherInformation></Objective><Objective><Name>Deployment</Name><Description>Promote swift deployment of solutions to implement the Identity
Ecosystem Framework.</Description><Identifier>_46050d48-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>2.2</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>In order to realize the benefits of the Identity Ecosystem Framework, the Federal Government must
promote and incentivize swift implementation of private sector solutions and business models that
support trusted identities for online transactions. Efforts in this area will drive innovation in the
marketplace and will quicken the pace of adoption of existing identity solutions and promote the
development of new ones. The Federal Government should work with industry to organize,
coordinate and fund pilot programs, which could transform the landscape by expanding into a broad
web of multiple interoperable offerings across numerous communities and transaction types.</OtherInformation></Objective><Objective><Name>Availability</Name><Description>Promote broad availability of solutions to strengthen user value.</Description><Identifier>_46050eba-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>2.3</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>A limitation of the current environment is that most identity solutions apply to a specific business
process or service, which results in a lack of identity portability and interoperability across services.
This stove-piped approach offers little value or convenience to users. The Federal Government must
take steps to incentivize all levels of interoperability among participants in the Identity Ecosystem,
encourage the creation of a diverse set of identity providers both inside and outside of government,
and promote the widespread use of Identity Ecosystem solutions by all citizens.</OtherInformation></Objective></Goal><Goal><Name>Confidence and Participation</Name><Description>Enhance confidence and willingness to participate in the Identity
Ecosystem.</Description><Identifier>_46051018-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Individuals and organizations must have confidence in the Identity Ecosystem and be willing to
participate in it. This Strategy will promote confidence via mechanisms that address privacy
protection, data integrity, and data confidentiality associated with identity solutions. The Strategy will
also address awareness and education of both the risks associated with poor identification and
authentication approaches and the ways in which identity solutions mitigate those risks.
The Federal Government is already doing much work in this area, and the intention is to leverage
existing activities to the greatest extent possible. The Federal Government will couple messaging on
general awareness with the information necessary to drive long-term changes in behavior. The
knowledge and awareness activities should be mindful of the different perspectives of individuals,
government, and the private sector.
This goal seeks to address the following barriers in the current environment:
* Concerns regarding personal privacy and the potential for unauthorized collection,
aggregation, use, or release of identity information.
* Concerns regarding the protection of intellectual property.
* General lack of awareness regarding trusted digital identities.</OtherInformation><Objective><Name>Privacy and Transaction Security</Name><Description>Improve privacy and transaction security through fair and
responsible management of information and solutions.</Description><Identifier>_46051180-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>3.1</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Implementation of the Identity Ecosystem Framework must provide strong privacy and security
protections to individuals in addition to creating clear rules and guidelines concerning the
circumstances under which a service provider or relying party may share information and the kinds of
information that they may share. These protections support the general obligation to protect users
from online threats and assure individuals of the protections to facilitate willing participation in online
transactions. Efforts in this area will address inconsistencies in the way that service providers
manage information across transactions in the current environment. New privacy protections will shift
the current model of application-specific collection of identity information to a distributed, user-centric
model that supports an individual&#8217;s capability to assert personal attributes without being required to
provide all identifying data. Service providers should use, collect, share, and retain information only as required to accomplish the purposes of the transaction. In addition, the Federal Government
should work with state governments and the private sector to establish redress mechanisms to adjust
inaccurate personal data and provide consumers with a streamlined ability to change incorrect data in
one place and have it propagated to the providers of their choice.</OtherInformation></Objective><Objective><Name>Awareness and Education</Name><Description>Provide awareness and education to enable informed decisions.</Description><Identifier>_460512f2-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>3.2</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Education and awareness efforts will raise the understanding of the importance of trusted identities
and will teach users how to create trusted identities. The Federal Government, working with the
private sector, will customize these education and awareness efforts to the relevant demographics.
Meaningful consumer choice among multiple identity media and service providers and awareness of
the available choices are a crucial aspect in promoting participation on the part of individual users.
Programs associated with this Strategy must provide awareness of the available market choices, their
benefits and protections for the user, and the information necessary to make an informed choice.
There is also a growing need for awareness and education across the service provider community,
particularly as it relates to the service provider&#8217;s responsibilities associated with the overall security
and privacy protections established by the Identity Ecosystem Framework. The Federal Government,
in conjunction with service providers, will develop educational resources for use by both large and
small businesses in order to promote consistency and alignment within the Identity Ecosystem. As
with the American public, service providers must understand not only their role in the solution, but
also the role of other parties and the ways that these respective roles foster trust. Awareness and
education activities must leverage existing programs and engagement efforts and begin as soon as
possible to address known security risks and best practices. They must also evolve as the identity
infrastructure matures to ensure that materials and messaging are in alignment with the current
environment.</OtherInformation></Objective></Goal><Goal><Name>Long-term Success</Name><Description>Ensure the long-term success of the Identity Ecosystem.</Description><Identifier>_4605164e-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>4</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Due to the global nature of the economy and the Internet, the scope of the Strategy extends beyond
national boundaries. Governance and leadership are required at the national and international levels to
create the Identity Ecosystem, including standards development, research and development, and
program coordination among public and private efforts. The Federal Government must undertake
leadership, coordination, and collaboration roles in order to strengthen digital identities both nationally
and internationally, to promote the next generation of identity solutions, and to establish the Federal
programs to execute this Strategy.
This goal seeks to address the following barriers in the current environment:
* Insufficient resources focused on U.S. participation in national and international standards
efforts.
* The need for additional resources for research and development efforts to create
innovative identity technologies.
* The need for improved coordination across multiple programs and efforts within the
Federal Government related to trusted digital identities.</OtherInformation><Objective><Name>Coordination</Name><Description>Coordinate Federal Government efforts associated with digital identities (both domestically and internationally).</Description><Identifier>_460517fc-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>4.1</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The United States has mobilized and established momentum in building a resilient and secure cyber
infrastructure across government and the private sector. In place are effective public/private collaboration
mechanisms, as well as operational programs to provide solutions that mitigate the effects of cyber malfeasance. The Federal Government should build on these efforts and identify the appropriate
coordination mechanisms for digital identity issues. Further, as cybersecurity policy is becoming a
matter of diplomacy, activities under the Strategy intend to address the increased importance of
international policy efforts. The Federal Government, by leading and coordinating national efforts, as
well as collaborating on international policy efforts, can drive a unified approach to trusted digital
identities.</OtherInformation></Objective><Objective><Name>Technical Standards Development</Name><Description>Increase participation in technical standards development nationally
and internationally.</Description><Identifier>_460519b4-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>4.2</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Continued progress and innovation in digital identities and the creation of a global, trusted
infrastructure is reliant upon significant U.S. participation in national and international standards
development. Today&#8217;s environment is driven by a global economy, with transactions occurring
without regard to physical or political boundaries; the infrastructure developed under this Strategy will,
to the extent feasible, be interoperable among these environments, while also respecting the laws
and policies of different nations. Efforts under this Strategy must facilitate the development of
technical standards for the identification and authentication of organizations, devices, software, data,
and users.</OtherInformation></Objective><Objective><Name>Innovation</Name><Description>Drive innovation through aggressive, focused Research and Development (R&amp;D) efforts.</Description><Identifier>_46051b44-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>4.3</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The Federal Government should align existing and future Federal R&amp;D efforts with the requirements
of the Identity Ecosystem. To be successful, the U.S. must focus on technologies and R&amp;D that have
the potential to shift the security, reliability, resilience, and trustworthiness paradigm to benefit those
who conduct themselves responsibly online. Additionally, the Federal Government must continue to
promote the transfer of government-sponsored R&amp;D results related to the Identity Ecosystem to
the commercial sector. Lastly, R&amp;D must be inclusive and highly collaborative among partners from
varying communities and disciplines across the public and the private sector in order to develop
innovative solutions rapidly.</OtherInformation></Objective></Goal><Goal><Name>Commitment to Action</Name><Description>Identify High Priority Actions that are critical items for implementation.</Description><Identifier>_46051cf2-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>5</SequenceIndicator><Stakeholder><Name>Government</Name><Description></Description></Stakeholder><Stakeholder><Name>The Private Sector</Name><Description></Description></Stakeholder><OtherInformation>Implementation of the Identity Ecosystem requires a complex set of actions across policy, process,
technology, and education disciplines that affect a wide range of autonomous stakeholders. This
Strategy represents tasks that Government and the private sector can do together to improve
identities in cyberspace. Successful implementation requires joint ownership, collaboration, and
accountability across all participants in both the public and private sectors and across national
borders. This section identifies High Priority Actions that are critical items for implementation. The
Federal Government is committed to the actions herein and will move forward as a leader, first
adopter, and enabler of the Identity Ecosystem.
High Priority Actions
The High Priority Actions that are listed here are not all encompassing of the actions needed to meet
goals and objectives. Rather, they represent a summary of many work streams that the Federal
Government will later detail in a Trusted Identity in Cyberspace Implementation Plan (see Action 2).</OtherInformation><Objective><Name>Lead Federal Agency</Name><Description>Designate a Federal Agency to Lead the Public/Private Sector Efforts
Associated with Advancing the Vision</Description><Identifier>_46051ebe-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A1</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The Federal Government must organize to provide leadership, accountability, and guidance in the
implementation of the Identity Ecosystem. The White House will select an agency and hold it
accountable for coordinating the process and organizations that will implement the Strategy. Many
other Federal agencies will have implementation responsibilities associated with their respective
mission areas, and some of these are outlined in this document. However, the Lead Agency will:
* Assess progress against the goals, objectives and actions stated herein;
* Ensure the government leads by example in developing and supporting the Identity
Ecosystem;
* Coordinate collaboration and joint-owned actions across private and public entities, as they
work to develop the Identity Ecosystem;
* Support interagency collaboration and coordinate interagency efforts associated with
achieving the vision; and
* Establish private sector advisory mechanisms and engagement strategies.
The Lead Agency must actively seek interagency collaboration, harness multi-disciplinary and multi-sector
contributions, and provide collective thought leadership across Government in order to
harmonize and integrate various public and private sector policies and efforts. The Office of the
Cybersecurity Coordinator within the EOP will continue to lead inter-agency policy development
specified in this action plan. The Lead Agency will work closely with the Office of the Cybersecurity
Coordinator. In addition, the Lead Agency will participate in the Federal CIO Council and ensure
coordination across existing and future relevant initiatives.</OtherInformation></Objective><Objective><Name>Implementation Plan</Name><Description>Develop a Shared, Comprehensive Public/Private Sector Implementation
Plan</Description><Identifier>_4605206c-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A2</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The actions in this section set the foundation and tone for future activities that public and private
sector partners will execute together; yet these are not enough. The Federal Government will
develop a detailed Implementation Plan that stresses swift deployment of the Identity Ecosystem, while identifying and planning for near- and long-term actions. Development and socialization of the
Implementation Plan with public and private sector stakeholders will leverage interagency processes
and forums in place today to maintain momentum.
The planning of action tasks, timelines, dependencies, and owners will center on reuse of existing
investments, standards, innovation, and best practices from all stakeholder communities. Public and
private sector collaboration will be required to identify integration points with existing efforts, enable
advisory and communication channels, assign individual and joint task owners, determine timelines,
task inputs and outputs, and define critical success factors to ensure completeness and traceability to
the Goals and Objectives. Both public and private sector actions will be coordinated through the
Implementation Plan.</OtherInformation></Objective><Objective><Name>Services, Pilots, and Policies</Name><Description>Accelerate the Expansion of Government Services, Pilots, and Policies that
Align with the Identity Ecosystem</Description><Identifier>_4605221a-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A3</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The Federal Government must be a role model and early adopter of the Identity Ecosystem. All levels
of Government will play a part in the adoption of the Identity Ecosystem for government services. As
a major provider of services spanning individuals, private sector, and other governments, the Federal
Government is positioned to enable high impact, high penetration Identity Ecosystem services. The
sheer scale and diversity of service offerings and stakeholders provide an excellent proving ground
for the Identity Ecosystem. Additionally, knowledge transfer of lessons learned from Federal
initiatives and other pilot projects to the private sector will increase the number of attempted adoptions
and their overall success rate.
Government-led and funded programs, including pilots that implement ecosystem-aligned Federal
services, are a crucial part of this action. The Federal Government will pay special attention to the
potential for pilots in the health care, communications, information technology, Defense Industrial
Base, energy, and financial sectors and with state government. To promote alignment, the Lead
Agency in coordination with the White House should review internal Federal investments in identity
solutions to maximize alignment to the Identity Ecosystem. In addition, Federal pilots should be
extended wherever feasible to include transactions that support both the private sector and
individuals. The Federal Government will also consider participation in international pilots to promote
global alignment of Identity Ecosystem functions.
The Federal Government should expedite the adoption and implementation of existing policies and
mandates that support the Identity Ecosystem. Many Federal policies and directives support the
deployment of authentication infrastructures for both NPEs and individuals. These can immediately
help reduce cyber threats against Government, businesses, and individuals. In addition, the Federal
Government has many existing identity programs, pilots and roadmaps that align with the Identity
Ecosystem, such as the implementation of Homeland Security Presidential Directive 12, the Federal
Public Key Infrastructure, DNSSEC, IPSEC, and the Federal Identity, Credential, and Access
Management Roadmap activities. These should be heavily leveraged and accelerated where
possible to support the Identity Ecosystem.</OtherInformation></Objective><Objective><Name>Privacy Protections</Name><Description>Work to Implement Enhanced Privacy Protections</Description><Identifier>_4605240e-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A4</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The Federal Government will work with the private sector to determine approaches to implement the
FIPPs. Early focus on privacy policy, process, and technology implementation will enable Identity
Ecosystem participants to develop best practices, guidance and standards that will enhance the way
entities collect, use, protect, transmit, retain, and destroy personally identifiable information. The
Federal Government will create detailed action plans to strengthen privacy policy and implementation
such that Identity Ecosystem providers will: 
* Provide concise, meaningful, timely, and easy-to-understand notice to end-users regarding
collection, use, dissemination, and maintenance of PII in identity assurance solutions.
* Limit collection and transmission of information by Identity Ecosystem participants to the
minimum information necessary to fulfill the purpose of the transaction.
* Limit secondary uses of individual data collected and transmitted in the Identity
Ecosystem.
* Limit retention of data to the period necessary for the provision of the services to the
individual end-user for which the data were collected, except as otherwise required by law.
* Minimize data aggregation and linkages across transactions in the Identity Ecosystem.
* Provide mechanisms to allow individuals to access, correct, and delete information, as well
as minimize barriers to individuals&#8217; termination of their relationships with Identity
Ecosystem participants.
* Establish accuracy standards for data used in identity assurance solutions.
* Protect and securely destroy information when terminating business or overall participation
in the Identity Ecosystem.
* Provide redress mechanisms to individuals who believe their data may have
been misused.
The user-centric nature of the Identity Ecosystem presents opportunities for individuals to control and
release their private data in truly innovative ways. The Strategy calls for actions that will shape the
way users provide data to organizations, as well as ways in which users can enjoy simple and
effective mechanisms to update, publish, and redact their private information.</OtherInformation></Objective><Objective><Name>Risk Models and Interoperability Standards</Name><Description>Coordinate the Development and Refinement of Risk Models and
Interoperability Standards</Description><Identifier>_46052760-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A5</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>A set of risk-based models and assessment tools will support the decisions that organizations make
to determine how they will operate within the Identity Ecosystem. The risk model will minimize
ambiguity associated with the ways in which risk-based controls are determined and established
nationwide. Standards that cover interoperability requirements, trustmark criteria, and accreditation
will pave a path that supports choice across solutions, ultimately accelerating Identity Ecosystem
adoption. All detailed actions associated with Identity Ecosystem standards will build on existing
efforts undertaken by the Federal Government, trust framework providers, private sector, standards
bodies, and international organizations.
Standards established within the Identity Ecosystem will require incorporation of privacy guidelines.
They should also require, to the extent feasible, adoption of protocols that minimize the ability to link
or aggregate transactions and transaction data across Identity Ecosystem participants and relying
parties, while maintaining individual transaction history, integrity, and auditability. Standards
development, adoption, or enhancement will support autonomy and choice among Identity Ecosystem
providers and flexibility within industry sectors, while facilitating cross-sector and international
interoperability.</OtherInformation></Objective><Objective><Name>Liabilities</Name><Description>Address the Liability Concerns of Service Providers and Individuals</Description><Identifier>_46052954-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A6</SequenceIndicator><Stakeholder><Name>Identity Service Providers</Name><Description></Description></Stakeholder><OtherInformation>This Strategy defines an Identity Ecosystem where one entity vets and establishes identities and
another entity accepts them. To date, the appropriate apportionment of liability has prevented the
cross-sector issuance and acceptance of identity credentials. The Federal Government must address
this barrier through liability reform in order to establish the multi-directional trust required by
transaction participants. The Identity Ecosystem promotes models that mitigate liability to an
acceptable level relative to the benefits associated with participation in the ecosystem. In addition,
the Strategy will further sustain existing liability models and strengthen legislation to protect individuals and deter organizations from holding lawful individuals responsible for losses caused by
unauthorized transactions.</OtherInformation></Objective><Objective><Name>Outreach and Awareness</Name><Description>Perform Outreach and Awareness across all Stakeholders</Description><Identifier>_46052b7a-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A7</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Individuals and the private sector play critical roles in the success of the Identity Ecosystem. They
must understand the risks, benefits, and how to participate in the Identity Ecosystem. As a result,
educational information should be easy to obtain and understand. Public and private sector outreach
and awareness activities will include efforts to educate individuals and organizations on poor
identification and authentication techniques and how to improve on them. The Federal Government
will develop these efforts in conjunction with the National Initiative for Cybersecurity Education
(NICE). Federal agencies will incorporate digital identity trust and protection into existing and future
outreach and awareness programs. Private sector and other government entities have a distinct role
to play in communicating with their specific stakeholders, both individuals and other organizations.
The Federal Government, in collaboration with the private sector, will tailor awareness campaign
activities to audience type and focus them across varied media outlets to make individuals aware
of appropriate security behavior now and in the future. The long-term campaign should promote
awareness of the activities, offerings, and providers in place to support the Identity Ecosystem and
ultimately promote participation. Any mechanisms developed to support this high priority action will
measure effectiveness of the messaging and the Identity Ecosystem to inform further enhancements.</OtherInformation></Objective><Objective><Name>International Collaboration</Name><Description>Continue Collaborating in International Efforts</Description><Identifier>_46052d64-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A8</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>The Federal Government will increase commitment to the global activities associated with privacy and
trusted digital identities. The Federal Government will prioritize and appropriately staff existing
international efforts associated with trusted digital identities.
As discussed previously, standards development and adoption at the international level is a
cornerstone of global commerce and information exchange. To avoid localized standards
development and adoption, domestic efforts should endeavor to adopt international standards
whenever they are consistent with domestic goals. Furthermore, information sharing and international
forum and pilot participation will provide ongoing enhancement to the development of the Identity
Ecosystem. Collaboration in international efforts is not only a Federal Government responsibility.
The private sector shares responsibility for the Strategy&#8217;s implementation and adoption. Success of
the Identity Ecosystem depends on participation from multi-national corporations and global providers
in the use of federated identities that are interoperable and scalable to Internet levels.
The Federal Government will increase prioritization, coordination, and participation of government
representatives, and encourage greater private sector prioritization, coordination, and participation of
their representatives in international standards development activities related to the Identity
Ecosystem. These activities will include international policy and technical working groups, forums,
and councils performing relevant work. In order for the U.S. to collaborate internationally and benefit
from the lessons learned, best practices, and interoperability of international integration, U.S.
presence in these forums must increase and support standards that align with the Identity Ecosystem.</OtherInformation></Objective><Objective><Name>Other Means of Adoption</Name><Description>Identify Other Means to Drive Adoption of the Identity Ecosystem across the
Nation</Description><Identifier>_46052f9e-8229-11df-ba87-13577a64ea2a</Identifier><SequenceIndicator>A9</SequenceIndicator><Stakeholder><Name></Name><Description></Description></Stakeholder><OtherInformation>Widespread adoption of more robust identity solutions will likely not occur without comprehensive
incentives. The Federal Government will take steps to evaluate the efficacy of economic incentives to
the private sector or individuals to spur adoption of strong, interoperable identity solutions. The Federal
Government will consider incentive programs such as tax credits/breaks, cybersecurity insurance, grant programs, or loans for first adopters. The Federal Government should also analyze how it can
better align identity solution requirements in existing grant programs against the Identity Ecosystem.
The Federal Government will also conduct economic analyses to evaluate needed regulatory changes
within critical infrastructure sectors. In particular, the Federal Government will evaluate risks, costs,
and benefits before recommending changes to certain transaction types within regulated sectors,
such as requiring higher levels of authentication for credit card transactions.</OtherInformation></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate>2010-06-25</StartDate><EndDate></EndDate><PublicationDate>2010-06-27</PublicationDate><Source>http://www.dhs.gov/xlibrary/assets/ns_tic.pdf</Source><Submitter><FirstName>Owen</FirstName><LastName>Ambur</LastName><PhoneNumber></PhoneNumber><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></AdministrativeInformation></StrategicPlan>