United States GSA, seeks information on ID-proofing solutions complying with NIST digital identity standardS

GSA (General Service Administration) in the United States is seeking information on ID proofing solutions complying with NIST digital identity standards.

(GSA) has posted a market survey for ID-proofing solutions to set up future purchases. As part of the expansion of Login.Gov to further departments and the use of biometric verification to access those services,? GSA is inquiring about IDV? services that align with the NIST SP 800-63 digital identity standard.

The data collected during the ID proofing market survey process will be utilized to establish a specific item number, commonly referred to as a SIN, that serves as a means of categorizing the constituent services for government clients.

The category will aim to standardize the following components of digital identity:

1. Identity Authentication
2. Proofing
3. Federation and management

What GSA’s Identity Proofing Market Survey for Login.Gov’s Biometric Verification Services is All About?

The agency has been struggling to implement identity verification for its Login.Gov service, which meets the 800-63 standard’s Identity Assurance Level 2 (IAL2).

NIST IAL2 standard enforces biometric verification and involves designated role players to enhance security. It plays a critical role in ensuring robust identity verification measures are in place. This standard is pivotal for safeguarding digital identities.

The survey which has been posted on the GSA website aims to ask the following questions for the ID proofing services and consultancies.?

1. “What certifications, if any, should be required for this SIN (e.g., Kantara, FedRAMP, OIX (future)?
2. “Aside from NIST SP 800-63, what other compliance references would you recommend (NIST documentation, Office of Management and Budget memoranda, etc.)?
3. “What are the common risks and issues encountered when implementing component or full credential services?
4. “What integration risks and issues are overlooked by customers when evaluating component or full-credential services?
5. “Are there any third-party entities aside from the Kantara Initiative that we should consider for certifying NIST 800-63 compliance?”
6. "What recommendations do you have for demonstrating experience, considering this SIN addresses a new capability?"
7. "What are the common risks and issues encountered when implementing component or full credential services?"
8. "What integration risks and issues are overlooked by customers when evaluating component or full credential services?"
9. "What performance or Service Level Agreements (SLAs) are important when evaluating and selecting component or full credential services?"
10. "Which ancillary services should be used in conjunction with hardware and software solutions to properly fulfill identity proofing, authentication, and federation requests?"
11. "What technical limitations do you foresee in providing identity proofing, authentication, and federation for public-facing digital services?"
12. "Which emerging technologies hold the most potential for improving identity proofing, authentication, and federation over the next 5-7 years?"

GSA Expanding the Scope of Login.Gov Services

On October 18, GSA announced its plans to introduce updated methods for identity verification, which began the following year and aligned with the National Institute of Standards and Technology's IAL2 guidelines as outlined in 800-63-3.

These features offer virtual and in-person identity verification methods to securely access essential government benefits and services using advanced technology while prioritizing data security.

GSA recently mandated all Cabinet-level agencies to use Login.Gov for equitable digital service access, enhanced security, and fraud reduction. Operated by the U.S. Government, Login.Gov guarantees private interactions, safeguarding personal data from unauthorized use or sale as mandated by law.

In the past year, Login.Gov introduced 24/7 multilingual phone and email support. Furthermore, it partnered with the U.S. Postal Service, offering in-person identity verification at 18,000+ Post Office locations nationwide, accessible to over 99% of the U.S. population within 10 miles of their homes.

Login. Gov will introduce three IAL2 identity verification options:

1. In-person verification at local Post Offices, accessible to over 99% of the U.S. population within 10 miles of participating locations.
2. Digital verification without automated facial matching, through live video chat with an identity verification professional.
3. Digital verification with facial matching technology to self-verify, eliminating the need for an identity verification professional or Post Office employee.

GSA, in collaboration with agencies, will assess Login. gov's effectiveness, detect algorithmic bias and explore additional IAL2 identity verification pathways, like compensating controls.

These pathways complement Login.gov's existing process, which involves validating a government-issued ID and phone number or address, addressing the unique security needs of high-risk agency use cases.

This commitment to IAL2 pathways, aligned with GSA's values, stems from close collaboration with NIST and agencies over several months, prioritizing public privacy and security.

The GSA market survey will allow the agency to gather further information on what could be a robust biometric identity verification mechanism to allow the citizens and government departments better access to service and service delivery processes.

However, GSA’s call for views from the ID-proofing market leads to an important question.

Is this the United States' moment to step into the digital identity era?