Electronic Government: Planned e-Authentication Gateway Faces Formidable Development Challenges

Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our report, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. As a result, the e-Authentication initiative is now focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs. In addition, the technical architecture for e-Authentication in the federal government has been revised to promote a "federated approach." In December 2003, OMB issued policy guidance to federal agencies on electronic authentication that establishes and describes four levels of identity assurance for electronic transactions requiring authentication, and directs agencies to conduct electronic authentication risk assessments on electronic transactions to ensure that there is a consistent approach across the government. OMB's policy is a key component in developing a framework for moving toward a governmentwide standardization of federal identity credentialing and electronic authentication that includes technical guidelines and specifications to support federal agencies in their implementation of electronic authentication systems, and to support the implementation of a governmentwide electronic authentication infrastructure that accomodates various credentials such as PINs, passwords, and PKI digital certificates.

Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our review, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. As a result, the e-Authentication initiative will no longer implement a centralized e-Authentication gateway and is now focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs, and the technical architecture for e-Authentication in the federal government has been revised to promote a "federated approach." As part of the e-Authentication initiative, GSA, in conjunction with OMB, NIST, the Federal Identity Credentialing Committee (FICC), and other federal agencies have developed a federal authentication policy franework that applies to all authentication services and processes. The policy documents currently issued include (1) OMB E-Authentication Guidance for Federal Agencies (December 2003), (2) NIST Electronic Authentication Guideline (June 2004), (3) GSA E-Authentication Interim Credential Assessment Framework (December 2003), (4) FICC Authentication and Identity Policy Framework for Federal Agencies (July 2004), (5) FICC Guidance Regarding Smart Cards Systems for Identification and Credentialing Employees (March 2004). These documents provide guidance to federal agencies in their implementation of electronic authentication systems and support the implementation of a governmentwide electronic authentication infrastructure intended to accomodate various credentials such as PINs, passwords, and PKI digital certificates.

Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our review, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. However, as part of the e-Authentication initiative, GSA has established a methodology for conducting risk assessments to determine authentication requirements for agency e-government initiatives. This methodology consists of an automated risk assessment tool (e-RA) and associated guidance documents such as the e-Authentication Risk and Requirements Assessment: e-RA Tool Activity Guide, which was updated in May 2004. The e-RA tool addresses the potential range of authentication requirements needed by e-government initiatives by mapping to the authentication assurance levels defined in the December 2003 OMB policy on electronic authentication--which establishes and describes four levels of identity assurance for electronic transactions requiring authentication, and directs agencies to conduct electronic authentication risk assessments on electronic transactions to ensure that there is a consistent approach across government.

The e-Authentication initiative will no longer implement a centralized e-Authentication gateway and is now focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs. As part of the new strategy, GSA, in conjunction with NIST and the Federal Identity Credentialing Committee, has developed a framework for moving toward a governmentwide standardization of federal identity credentialing and electronic authentication that includes a technical architecture with guidelines and interface specifications--such as the "E-Authentication Interface Specification for the SAML Artifact Profile, Version 1.0, June 28, 2004"--to promote interoperability with commercial products and support federal agencies in their implementation of electronic authentication systems that interconnect with trusted credential service providers. In addition, GSA has established and will continue to operate an interoperability lab to test commercial products for technical interoperability.