Login.gov to be third-party assessed against NIST’s digital identity guidelines

Signs inside the 18F headquarters in Washington, D.C. (Tajha Chappellet-Lanier / FedScoop)



The General Services Administration wants to build trust in Login.gov’s ability to verify users’ identities for any agency using the service, so it’s having the technology assessed by a third party.

Kantara Initiative will assess the conformity of Login.gov’s identity proofing and authentication with the National Institute of Standards and Technology’s Special Publication (SP) 800-63-3, the government’s digital identity guidelines.

Login.gov already provides its services for 80 applications across 23 agencies, 12 of them Cabinet level, and increasing their confidence that people accessing their apps are who they say they are will only drive further use. NIST’s guidelines are widely used throughout government and industry.

“By going through this third-party assessment, login.gov will be performing a best practice for shared services that demonstrates trustworthiness and maturity,” a GSA spokesperson told FedScoop. “We anticipate this to be helpful for agency organizations to better trust login.gov to provide critical user identity assurance for any citizen-facing website that requires it.”

Global nonprofit Kantara has assessed industry and government services since 2010, and its model is based on past work for the private sector.

The Office of Management and Budget’s M-19-17 memo mandated that agencies like GSA follow NIST’s digital identity guidelines, so that’s what login.gov will be assessed on.

“They need to prove conformity against the requirements and controls that Kantara has taken from NIST 800-63-3, and that became the criteria,” said Ruth Puente, director of assurance operations at Kantara. “We have an Assurance Review Board (ARB) that is composed of experts in identity management fields.”

Kantara uses its Identity Assurance Framework (IAF) to grant approvals to credential service providers, like login.gov, and accreditation to its assessors. The ARB manages the IAF day to day.

Assessors will spend four to six weeks looking for evidence — reviewing documents, records, operations, staff, and systems — that login.gov conforms with SP 800-63-3’s individual requirements. Their findings will be relayed to the ARB, which will make recommendations to Kantara’s board of directors for a final decision to approve, approve with exceptions or disapprove. The entire process takes four months, minimum.

Kantara was first authorized as a federal trust framework provider to GSA’s Federal Identity, Credential, and Access Management Trust Framework Solutions program in 2011.

“It’s actually going to enable more services to integrate with login.gov,” said Colin Wallis, executive director of Kantara. “Because at the moment it’s, ‘Trust us, we know what we’re doing.’”
