Identity Proofing of Citizens Accessing Government Systems #381

Closed
MaryUSMC opened this issue Jun 10, 2020 · 3 comments

Comments

@MaryUSMC

Description of Issue:

I did not see any use cases for citizens who access government systems. Examples could be:

  • accessing tax information

  • accessing SSA information

  • a parent filling out FAFSA student financial aid application

  • an external partner required to provide information to a regulator, yet that partner is not an employee, contractor, or representative of the government and the most suitable description would be consumer, customer, or regulated entity.

Details of Issue:

What are the requirements for non-government entities to access government systems if the workflow determines IAL2 level? Can we enforce security requirements multifactor? If so, how do we identity proof thousands of citizens in accordance with NIST 800-63-3 / FIPS 199?

References (Docs, Links, Files):

NIST 800-63-3 / FIPS 199

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

@maxwellfunk
Contributor

Government to Citizen transactions are outside of scope for the FICAM architecture playbook specifically; however, the issue will remain open and deferred to future playbooks such as Single Sign On/Federation.

@idmken idmken transferred this issue from GSA/ficam-arch Mar 3, 2021
@MaryUSMC
Author

MaryUSMC commented Jan 9, 2023

What about Government to business, like in the case of a regulator?

@maxwellfunk
Contributor

@MaryUSMC while NIST has not certified any IAL2 providers directly, login.gov has tried to implement their accompanying conformance criteria (SP 800-63-3 conformance criteria). Login.gov is conducting several steps of verification, to include email, phone number, and identity document data verification, and they have begun to pilot in-person proofing at some USPS locations in the greater Washington DC area.

https://login.gov/help/verify-your-identity/how-to-verify-your-identity/

login.gov also has the ability to act as a federation service, providing credential management services to users (e.g., id/password + OTP codes), subsequently authenticating individuals within your scope, and then passing federation assertions to relying party applications.

Although NIST is not accrediting any organizations to their standards, there is the Kantara Initiative, which is a non-profit that conducts their own assessment and accreditation using 800-63 as their baseline. They have been working with some partners to conduct these assessments for some time, so you will notice that some of their terminology aligns to older revisions of 800-63 (e.g., LOA vs IAL/AAL/FAL).

https://kantarainitiative.org/trust-status-list/ (you may note that login.gov is still in the applicant phase)

@claytonjbarnette claytonjbarnette transferred this issue from GSA/ficam-playbooks Jul 24, 2023
@id2win id2win closed this as not planned Sep 7, 2023