[Federal Register Volume 76, Number 114 (Tuesday, June 14, 2011)]
[Notices]
[Pages 34650-34653]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-14702]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Office of the Secretary, National Institute of Standards and 
Technology

[Docket No. 110524296-1289-02]


Models for a Governance Structure for the National Strategy for 
Trusted Identities in Cyberspace

AGENCY: U.S. Department of Commerce, Office of the Secretary, and 
National Institute of Standards and Technology.

ACTION: Notice of inquiry.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce (Department) is conducting a 
comprehensive review of governance models for a governance body to 
administer the processes for policy and standards adoption for the 
Identity Ecosystem Framework in accordance with the National Strategy 
for Trusted Identities in Cyberspace (NSTIC or ``Strategy''). The 
Strategy refers to this governance body as the ``steering group.'' The 
Department seeks public comment from all stakeholders, including the 
commercial, academic and civil society sectors, and consumer and 
privacy advocates on potential models, in the form of recommendations 
and key assumptions in the formation and structure of the steering 
group. The Department seeks to learn and understand approaches for: (1) 
The structure and functions of a persistent and sustainable private 
sector-led steering group and (2) the initial establishment of the 
steering group. This Notice specifically seeks comment on the 
structures and processes for Identity Ecosystem governance. This Notice 
does not solicit comments or advice on the policies that will be chosen 
by the steering group or specific issues such as accreditation or 
trustmark schemes, which will be considered by the steering group at a 
later date. Responses to this Notice will serve only as input for a 
Departmental report of government recommendations for establishing the 
NSTIC steering group.

DATES: Comments are due on or before July 22, 2011.

ADDRESSES: Written comments may be submitted by mail to the National 
Institute of Standards and Technology, c/o Annie Sokol, 100 Bureau 
Drive, Mailstop 8930, Gaithersburg, MD 20899. Electronic comments may 
be sent to [email protected]. Electronic submissions may be in any of 
the following formats: HTML, ASCII, Word, rtf, or PDF. Paper 
submissions should include a compact disc (CD). CDs should be labeled 
with the name and organizational affiliation of the filer and the name 
of the word processing program used to create the document. Comments 
will be posted at http://www.nist.gov/nstic. The Strategy is available 
at http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf. The NIST Web site for NSTIC and its 
implementation is available at http://www.nist.gov/nstic.

FOR FURTHER INFORMATION CONTACT: For questions about this Notice 
contact: Annie Sokol, Information Technology Laboratory, National 
Institute of Standards and Technology, U.S. Department of Commerce, 100 
Bureau Drive, Mailstop 8930, Gaithersburg, MD 20899, telephone (301) 
975-2006; e-mail [email protected]. Please direct media inquiries to the 
Director of NIST's Office of Public Affairs, [email protected].

SUPPLEMENTARY INFORMATION: Recognizing the vital importance of 
cyberspace to U.S. innovation, prosperity, education and political and 
cultural life, and the need for a trusted and resilient information and 
communications infrastructure, the Administration released the 
Cyberspace Policy Review in May 2009. Included in this review was a 
near-term action to ``build a cybersecurity-based identity management 
vision and strategy that addresses privacy and civil liberties 
interests, leveraging privacy-enhancing technologies for the Nation.'' 
The completion of this action is the National Strategy for Trusted 
Identities in Cyberspace (NSTIC or ``Strategy''), released in April 
2011. The Strategy called for the creation of a National Program Office 
to be hosted at the Department of Commerce, as part of its ongoing 
cybersecurity and identity management activities. The Department 
intends to leverage the expertise present across many bureaus at the 
Department and across the U.S. Government, as well as experts in 
industry, academia, governments at all levels, communities of interest 
(including privacy, civil liberties, and consumer advocates), and the 
general public, through a series of inquiries and public workshops. 
This Notice of Inquiry is a continuation of the Administration's 
effort, and its goal is to explore the establishment and structure of 
governance models. The Department may explore additional areas in the 
future.
    Background: This Notice reflects the initial steps of the 
Strategy's implementation as they relate to the Department's ongoing 
cyber security and identity management activities. Specifically, the 
Strategy calls for a ``steering group'' to administer the process for 
policy and standards development for the Identity Ecosystem Framework 
in accordance with the Strategy's Guiding Principles. The Identity 
Ecosystem is an online environment where individuals and organizations 
will be able to trust each other because they follow agreed upon 
standards to obtain and authenticate their digital identities and the 
digital identities of devices. The Identity Ecosystem Framework is the 
overarching set of interoperability standards, risk models, privacy and 
liability policies, requirements, and accountability mechanisms that 
govern the Identity Ecosystem.
    The Strategy's four Guiding Principles specify that identity 
solutions must be: Privacy-enhancing and voluntary, secure and 
resilient, interoperable, and cost-effective and easy to use. The 
establishment of this steering group will be an essential component of 
achieving a successful implementation of the Strategy; a persistent and 
sustainable private sector-led steering group will maintain the rules 
of participating in the Identity Ecosystem, develop and establish 
accountability measures to promote broad adherence to these rules, and 
foster the evolution of the Identity Ecosystem to match the evolution 
of cyberspace itself.
    The government's role in implementing the Strategy includes 
advocating for and protecting individuals; supporting the private 
sector's development and adoption of the Identity Ecosystem; partnering 
with the private sector to ensure that the Identity Ecosystem is 
sufficiently interoperable, secure and privacy enhancing; and being an 
early adopter of both Identity Ecosystem technologies and policies. In 
this role, the government must partner with the private sector to 
convene a wide variety of stakeholders to facilitate consensus, with a 
goal of ensuring that the Strategy's four Guiding Principles are 
achieved. The government has an interest in promoting the rapid 
development of a steering group capable of, and equally committed to, 
upholding the Strategy's Guiding Principles.
    The Strategy calls for the development of a steering group that 
will bring together representatives of all of the interested 
stakeholders to ensure that the Identity Ecosystem Framework upholds 
the Guiding Principles by providing a minimum baseline of privacy, 
security, and interoperability through standards and policies--without 
creating unnecessary barriers to market entry. To that end, the 
steering group will administer the process for the adoption of policy 
and technical standards, set milestones and measure progress against 
them, and ensure that accreditation authorities validate participants' 
adherence to the requirements of the Identity Ecosystem Framework.
    With this outcome in mind, the government seeks comment on the 
establishment and structure of a steering group that can successfully 
complete the above stated goals and objectives and, ultimately, achieve 
the Strategy's vision that ``individuals and organizations utilize 
secure, efficient, easy-to-use, and interoperable identity solutions to 
access online services in a manner that promotes confidence, privacy, 
choice, and innovation.''
    Contribution of this NOI to the NSTIC implementation: Comments 
submitted on this Notice will serve as input for a Departmental report 
that will include a summary of responses to comments on this Notice, as 
well as the government's recommendations for the processes and 
structure necessary for the establishment and maintenance of a 
successful steering group. The report will focus on the steering group 
in two phases: (1) The structure and functions of the steering group 
and (2) the initial establishment of the steering group. This report 
may include recommendations for addressing governance structures and 
processes for a variety of issues, including: leadership, 
representation of Identity Ecosystem participants; accountability 
measures; liability issues; accreditation and certification processes; 
cross-sector and cross-industry issues; the balance of self-interested 
and self-regulatory roles of steering group participants; adherence to 
the Guiding Principles; interaction and involvement with standards 
development organizations and other technical bodies; use, development, 
and maintenance of a trustmark scheme; the relationship of the steering 
group to the Federal government; and interactions with international 
governments and fora.
    Request for Comment: This Notice of Inquiry seeks comment on the
requirements of, and possible models for, (1) the structure and 
functions of the steering group and (2) the initial establishment of 
the steering group. Responses can include information detailing the 
effective and ineffective aspects of other governance models and how 
they apply to governance needs of the Identity Ecosystem, as well as 
feedback specific to requirements of the Strategy and governance 
solutions for those requirements. The questions below are intended to 
assist in framing the issues and should not be construed as a 
limitation on comments that parties may submit. The Department invites 
comment on the full range of issues that may be raised by this Notice. 
Comments that contain references to studies, research and other 
empirical data that are not widely published should be accompanied by 
copies of the referenced materials with the submitted comments, keeping 
in mind that all submissions will be part of public record.
    The first section of this Notice addresses the steady-state 
structure of the steering group. The second section addresses the 
process of initiating a steering group that can evolve into that 
steady-state. The third and fourth sections address two fundamental 
aspects of governance both at initiation and steady-state: 
representation of stakeholders and international considerations.

1. Structure of the Steering Group

    There are many models of governance that perform some of the wide 
range of functions needed to formulate and administer the Identity 
Ecosystem Framework. While not all of these functions are unique to the 
steering group, few examples of governance cover the same breadth of 
the technical and economic landscape as the Identity Ecosystem 
Framework. The steering group, therefore, has a greater risk of either 
being too small to serve its purpose, or too large to govern 
effectively. There is a full spectrum of affected economic sectors, 
some of which are highly regulated and some of which are unregulated. 
The steering group will need to simultaneously integrate the Identity 
Ecosystem Framework with regulatory requirements faced by firms in a 
variety of industry sectors. At the same time, the steering group needs 
to consider and represent the interest of the broader public in 
security and privacy. It is imperative to find a working structure that 
accomplishes all these needs.

Questions

    1.1. Given the Guiding Principles outlined in the Strategy, what 
should be the structure of the steering group? What structures can 
support the technical, policy, legal, and operational aspects of the 
Identity Ecosystem without stifling innovation?
    1.2. Are there broad, multi-sector examples of governance 
structures that match the scale of the steering group? If so, what 
makes them successful or unsuccessful? What challenges do they face?
    1.3. Are there functions of the steering group listed in this 
Notice that should not be part of the steering group's activities? 
Please explain why they are not essential components of Identity 
Ecosystem Governance.
    1.4. Are there functions that the steering group must have that are 
not listed in this notice? How do your suggested governance structures 
allow for inclusion of these additional functions?
    1.5. To what extent does the steering group need to support 
different sectors differently?
    1.6. How can the steering group effectively set its own policies 
for all Identity Ecosystem participants without risking conflict with 
rules set in regulated industries? To what extent can the government 
mitigate risks associated with this complexity?
    1.7. To what extent can each of the Guiding Principles of the 
Strategy--interoperability, security, privacy and ease of use--be 
supported without risking ``pull through'' \1\ regulation from 
regulated participants in the Identity Ecosystem?
---------------------------------------------------------------------------

    \1\ NSTIC solutions will ideally be used across all industries, 
including both regulated and unregulated industries. ``Pull 
through'' refers to the concept that when implementing an NSTIC 
solution that touches some regulated industries, individuals or 
firms implementing those solutions would then find that they are 
subject to the specific regulations for those industries. This could 
create a confusing policy and legal landscape for a company looking 
to serve as an identity provider to all sectors.
---------------------------------------------------------------------------

    1.8. What are the most important characteristics (e.g., standards 
and technical capabilities, rulemaking authority, representational 
structure, etc.) of the steering group?
    1.9. How should the government be involved in the steering group at 
steady state? What are the advantages and disadvantages of different 
levels of government involvement?

2. Steering Group Initiation

    In its role of supporting the private sector's leadership of the 
Identity Ecosystem, the government's aim is to accelerate establishment 
of a steering group that will uphold the Guiding Principles of the 
Strategy. The government thus seeks comment on the ways in which it can 
be a catalyst to the establishment of the steering group.
    There are many means by which the steering group could be formed, 
and such structures generally fall into three broad categories:
    (a) A new organization, organically formed by interested 
stakeholders.
    (b) An existing stakeholder organization that establishes the 
steering group as part of its activities.
    (c) Use of government authorities, such as the Federal Advisory 
Committee Act (FACA), to charge a new or existing advisory panel with 
formulating recommendations for the initial policy and technical 
framework for the Identity Ecosystem, allowing for a transition to a 
private sector body after establishing a sustainable Identity 
Ecosystem, or through the legislative process.

Questions

    2.1. How does the functioning of the steering group relate to the 
method by which it was initiated? Does the scope of authority depend on 
the method? What examples are there from each of the broad categories 
above or from other methods? What are the advantages or disadvantages 
of different methods?
    2.2. While the steering group will ultimately be private sector-led 
regardless of how it is established, to what extent does government 
leadership of the group's initial phase increase or decrease the 
likelihood of the Strategy's success?
    2.3. How can the government be most effective in accelerating the 
development and ultimate success of the Identity Ecosystem?
    2.4. Do certain methods of establishing the steering group create 
greater risks to the Guiding Principles? What measures can best 
mitigate those risks? What role can the government play to help to 
ensure the Guiding Principles are upheld?
    2.5. What types of arrangements would allow for both an initial 
government role and, if initially led by the government, a transition 
to private sector leadership in the steering group? If possible, please 
give examples of such arrangements and their positive and negative 
attributes.

3. Representation of Stakeholders in the Steering Group

    Representation of all stakeholders is a difficult but essential 
task when stakeholders are as numerous and diverse as those in the 
Identity Ecosystem. The breadth of stakeholder representation and the 
voice they have
in policy formulation must be fair and transparent. The steering group 
must be accountable to all participants in the Identity Ecosystem, 
including individuals. An essential task for the steering group will be 
to provide organizations or individuals who may not be direct 
participants in the Identity Ecosystem, such as privacy and civil 
liberties advocacy groups, with a meaningful way to have an impact on 
policy formulation.
    Given the diverse, multi-sector set of stakeholders in the Identity 
Ecosystem, representation in the steering group must be carefully 
balanced. Should the influence skew in any direction, stakeholders may 
quickly lose confidence in the ability of the steering group to fairly 
formulate solutions to the variety of issues that surround the creation 
and governance of the Identity Ecosystem.

Questions

    3.1. What should the make-up of the steering group look like? What 
is the best way to engage organizations playing each role in the 
Identity Ecosystem, including individuals?
    3.2. How should interested entities that do not directly 
participate in the Identity Ecosystem receive representation in the 
steering group?
    3.3. What does balanced representation mean and how can it be 
achieved? What steps can be taken to guard against disproportionate 
influence over policy formulation?
    3.4. Should there be a fee for representatives in the steering 
group? Are there appropriate tiered systems for fees that will prevent 
``pricing out'' organizations, including individuals?
    3.5. Other than fees, are there other means to maintain a 
governance body in the long term? If possible, please give examples of 
existing structures and their positive and negative attributes.
    3.6. Should all members have the same voting rights on all issues, 
or should voting rights be adjusted to favor those most impacted by a 
decision?
    3.7. How can appropriately broad representation within the steering 
group be ensured? To what extent and in what ways must the Federal 
government, as well as State, local, tribal, territorial, and foreign 
governments be involved at the outset?

4. International

    Given the global nature of online commerce, the Identity Ecosystem 
cannot be isolated from internationally available online services and 
their identity solutions. Without compromising the Guiding Principles 
of the Strategy, the public and private sectors will strive to enable 
international interoperability. In order for the United States to 
benefit from other nations' best practices and achieve international 
interoperability, the U.S. public and private sectors must be active 
participants in international technical and policy fora.
    No single entity, including the Federal government, can effectively 
participate in every international standards effort. The private sector 
is already involved in many international standards initiatives; 
ultimately, then, the international integration of the Identity 
Ecosystem will depend in great part upon private sector leadership.

Questions

    4.1. How should the structure of the steering group address 
international perspectives, standards, policies, best practices, etc.?
    4.2. How should the steering group coordinate with other 
international entities (e.g., standards and policy development 
organizations, trade organizations, foreign governments)?
    4.3. On what international entities should the steering group focus 
its attention and activities?
    4.4. How should the steering group maximize the Identity 
Ecosystem's interoperability internationally?
    4.5. What is the Federal government's role in promoting 
international cooperation within the Identity Ecosystem?

    Dated: June 7, 2011.
Patrick Gallagher,
Under Secretary of Commerce for Standards and Technology.
[FR Doc. 2011-14702 Filed 6-13-11; 8:45 am]