Executive Office of the President, National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy (NSTIC) (Apr. 2011) (full-text) (originally named the National Strategy for Secure Online Transactions).
This document defines and promotes an Identity Ecosystem that supports trusted online environments. The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities. The Identity Ecosystem enables:
- Security, by making it more difficult for adversaries to compromise online transactions;
- Efficiency based on convenience for individuals who may choose to manage fewer passwords or accounts than they do today, and for the private sector, which stands to benefit from a reduction in paper-based and account management processes;
- Ease-of-use by automating identity solutions whenever possible and basing them on technology that is easy to operate with minimal training;
- Confidence that digital identities are adequately protected, thereby increasing the use of the Internet for various types of online transactions;
- Increased privacy for individuals, who rely on their data being handled responsibly and who are routinely informed about those who are collecting their data and the purposes for which it is being used;
- Greater choice, as identity credentials and devices are offered by providers using interoperable platforms; and
- Opportunities for innovation, as service providers develop or expand the services offered online, particularly those services that are inherently higher in risk.
Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction. For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data. At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant's identity. The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques. Finally, participation in the Identity Ecosystem is voluntary for both organizations and individuals.
Another pillar of the Identity Ecosystem is interoperability. The Identity Ecosystem leverages strong and interoperable technologies and processes to enable the appropriate level of trust across participants. Interoperability supports identity portability and enables service providers within the Identity Ecosystem to accept a variety of credential and identification media types. The Identity Ecosystem does not rely on the government to be the sole identity provider. Instead, interoperability enables a variety of public and private sector identity providers to participate in the Identity Ecosystem.
Interoperability and privacy protection combine to create a user-centric Identity Ecosystem. User-centricity will allow individuals to select the interoperable credential appropriate for the transaction. Through the creation and adoption of privacy-enhancing policies and standards, individuals will have the ability to transmit no more than the amount of information necessary for the transaction, unless they choose otherwise. In addition, such standards will inhibit the linking of an individual's transactions and credential use by service providers. Individuals will have more confidence that they can exchange information with the appropriate parties, securely transmit that information, and have the information protected in accordance with privacy best practices.
With the vision of the Identity Ecosystem in mind, the "National Strategy for Trusted Identities in Cyberspace" identifies the following goals:
The first two goals focus on designing and building the necessary governance, policy, standards, and infrastructure to enable secure delivery of online services. The third goal targets the necessary privacy protections and the education and awareness required to encourage adoption by individuals and businesses. The fourth establishes the mechanisms to promote continued development and improvement of the Identity Ecosystem over time.