Posted 9:41 AM

Will NSTIC stick it to us?

My colleague, Craig Burton recently blogged about the five pilot projects to be funded via the NSTIC (National Strategy for Trusted Identities in Cyberspace) initiative from the US National Institute of Standards and technology (NIST). While Craig covered the announcement very well, I'd like to take a closer look at the groups getting the grants.

I'm a member of the Identity Ecosystem Steering Group (IdESG) also set up by NIST to help create a trust framework for NSTIC. Many of the members of IdESG were surprised that the pilot projects were to  be started before we had defined a framework. Even more, they were thunderstruck that there was no requirement for IdESG to oversee or contribute to the pilots.

According to Jeremy Grant (in the press release for the pilot projects), senior executive advisor for identity management and head of the NSTIC National Program Office, which is led by NIST: “By clearly aligning with core NSTIC guiding principles and directly addressing known barriers to the adoption of the Identity Ecosystem, the pilot projects will both promote innovation in online identity management and inform the important work of the Identity Ecosystem Steering Group.”

Yes, they will "inform" the work of the IdESG. Which, of course, means absolutely nothing.

Now, according to the mission statement on the IdESG web site: "The Mission of the Steering Group shall be to govern and administer the Identity Ecosystem Framework". To mean, that means that the IdESG should be overseeing the implementation of the pilot projects to ensure that they embody the guiding principles of the Identity Ecosystem which the IdESG is creating. We'll probably discuss this more when the IdESG meets in October.

The second point I wish to make is that the five grantees for the pilot project could all be labeled "Beltway insiders". While they do involve partners from the commercial world, this is what they do all the time in selling "solutions" to government and quasi-government organizations. Add to that the group hired by NIST to be the secretariat for IdESG (Trusted Federal Systems, Inc., a "systems integrator serving the federal government") and we can identify part of the problem - government regulators are most comfortable talking to former government regulators. The five grantees are:

Criterion Systems - a "systems integrator that delivers innovative, technology-enabled business solutions for government agencies to leverage existing and new technology, protect infrastructure and share secure information."

Daon - "provides software and services to governments and organizations to assist them in managing the identities of their citizens, customers or employees. "

Resilient  Networks - "Resilient’s partners are using the Trust Network to deliver innovative solutions in a variety of industries including healthcare, media, information security, government and financial services."

University Corporation for Advanced Internet Development -  "Internet2 is an advanced technology community, owned and led by the U.S. research and education community"

American Association of Motor Vehicle Administrators -  the name says it all.

Only Resilient Networks could really qualify as a "vendor in the marketplace" rather than a grant chasing, GSA-scheduled quasi-government agency. And their customers are the quasi-government agencies!

There's a fair bit of disappointment with these choices, especially among the consumer representatives and the traditional identity community. The October meeting could be very interesting.