After publicly endorsing the Obama Administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC) for its recognition of real problems in identity management, privacy and security in our society today, the Smart Card Alliance submitted comments to the National Institute of Standards and Technology (NIST) regarding the establishment of NSTIC governance. Although NSTIC's scope is limited to cyberspace, the Framework it outlines would also establish essential foundational elements that can help to strengthen identity, privacy and security in healthcare, social security administration, immigration reform and other programs in the physical world, the Smart Card Alliance said.
“As an industry group committed to security and trust of identities in cyberspace and the physical world, we endorse NSTIC and want to see it succeed,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “In our comments, we have outlined all of the factors that we view will be essential to its success, including: the overall governance structure of the steering group; managing quality participation by as many interested parties as possible; being accessible to all; being fair and democratic; and having adequate, sustainable funding.”
The entire comment to NIST on the Notice of Inquiry (NOI), “Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace (NSTIC),” Docket No. 110524296-1289-02, can be read on the Smart Card Alliance website. The comments include discussion of general principles that the Alliance believes NIST should follow in establishing NSTIC governance, followed by specific answers to the questions in the NOI.
General Principles for NSTIC Governance
The comments to NIST were compiled by the Smart Card Alliance Identity Council, a cross-industry group of manufacturers, systems integrators and end users, focused on identity management and secure identity authentication. They outline the following general principles as those that should guide the NSTIC governance model:
- Governance should be driven by the private sector, not government. Government is a key stakeholder in the identity ecosystem and should participate as a stakeholder, rather than as the administrator.
- Funding is needed both during organization formation and in steady state. The government should consider providing seed funding during the formation phase. The steering group will need to define the business and funding models for maintaining the organization in steady state as one of its initial tasks.
- Organization members should work in peer relationships, with all members having an equal vote regardless of the size of the organization.
- Steering group processes should be deliberate, transparent and open to all members and to the public.
- Development of the organization should be in phases, with the Smart Grid initiative a useful model of how to accomplish the phased development.
- All stakeholders must be able to have a voice in the steering group, and the organization must make a conscious effort to include smaller organizations, consumers, privacy groups and end users.
- The steering group must be tasked to develop a sustainable funding model for the organization, with no special category of members or funding level required for representation on the steering group.
- The organization must be sensitive to international requirements and implement a structure that engages with the international community.
- Government involvement should be as a stakeholder and be structured to minimize the legal impact to the organization.
- The organization's focus should be to build on existing infrastructure and standards, developing action plans to address weaknesses.
For information on NSTIC, the Smart Card Alliance, and smart cards, visit www.smartcardalliance.org.