Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace, 34650-34653 [2011-14702]
Federal Register / Vol. 76, No. 114 / Tuesday, June 14, 2011 / Notices
Dated: June 8, 2011.
Andrew McGilvray,
Executive Secretary.
[FR Doc. 2011–14683 Filed 6–13–11; 8:45 am]
BILLING CODE P
DEPARTMENT OF COMMERCE
National Institute of Standards and
Technology
Announcing a Meeting of the
Information Security and Privacy
Advisory Board
AGENCY: National Institute of Standards
and Technology, Department of
Commerce.
ACTION: Notice.
SUMMARY: The Information Security and
Privacy Advisory Board (ISPAB) will
meet Wednesday, July 13, 2011, from 8
a.m. until 5 p.m., Thursday, July 14,
2011, from 8 a.m. until 5 p.m., and
Friday, July 15, 2011 from 8 a.m. until
12:30 p.m. All sessions will be open to
the public.
DATES: The meeting will be held on
Wednesday, July 13, 2011, from 8 a.m.
until 5 p.m., Thursday, July 14, 2011,
from 8 a.m. until 5 p.m., and Friday,
July 15, 2011 from 8 a.m. until 12:30
p.m.
ADDRESSES: The meeting will take place
in the Homewood Suites by Hilton DC,
1475 Massachusetts Avenue, NW.,
Washington, DC 20005.
FOR FURTHER INFORMATION CONTACT: Ms.
Annie Sokol, Information Technology
Laboratory, National Institute of
Standards and Technology, 100 Bureau
Drive, Stop 8930, Gaithersburg, MD
20899–8930, telephone: (301) 975–2006.
SUPPLEMENTARY INFORMATION: Pursuant
to the Federal Advisory Committee Act,
5 U.S.C. App., notice is hereby given
that the Information Security and
Privacy Advisory Board (ISPAB) will
meet Wednesday, July 13, 2011, from 8
a.m. until 5 p.m., Thursday, July 14,
2011, from 8 a.m. until 5 p.m., and
Friday, July 15, 2011 from 8 a.m. until
12:30 p.m. All sessions will be open to
the public. The ISPAB was established
by the Computer Security Act of 1987
(Pub. L. 100–235) and amended by the
Federal Information Security
Management Act of 2002 (Pub. L. 107–
347) to advise the Secretary of
Commerce and the Director of NIST on
security and privacy issues pertaining to
federal computer systems. Details
regarding the ISPAB’s activities are
available at https://csrc.nist.gov/groups/SMA/ispab/
The agenda is expected to include the
following items:
—Cloud Security and Privacy Panel
discussion on addressing security and
privacy for different types of cloud
computing,
—Presentation from National Strategy
for Trusted Identities in Cyberspace
(NSTIC) to present the status of the
implementation plan,
—Presentation on Doctrine of
Cybersecurity relating to computer
security research,
—Presentation from National
Protection and Programs Directorate,
DHS, on the white paper, ‘‘Enabling
Distributed Security in Cyberspace’’,
—Medical Device and related
security concerns,
—Presentation on National Initiative
for Cybersecurity Education (NICE) and
Cybersecurity Awareness,
—Presentations from Mississippi
State Research on Wounded Warrior
and Supervisory Control and Data
Acquisition (SCADA),
—Panel presentation/discussion on
Health and Human Services (HHS)
Infrastructure and Nationwide Health
Information Network (NHIN),
—Presentation on the Status of Cyber
Legislation,
—Panel discussion on Controlled
Unclassified Information and National
Archives and Records Administration
(NARA),
—Discussion on International
Standards and Cybersecurity,
—Panel discussion of Product
Assurance Testing and Methods
(National Information Assurance
Partnership (NIAP) Common Criteria
Testing (CCTL)),
—Presentation on Security and
Privacy Tiger Team for the HIPAA,
—Presentation on a study on
Economic Incentives and Cyber,
—Presentation on e-Service Strategy,
—Panel discussion on Industrial
Control System Security, and
—Update of NIST Computer Security
Division.
Note that agenda items may change
without notice because of possible
unexpected schedule conflicts of
presenters. The final agenda will be
posted on the Web site indicated above.
Public Participation: The ISPAB
agenda will include a period of time,
not to exceed thirty minutes, for oral
comments from the public (Friday, July
15, 2011, at 8:30–9 a.m.). Each speaker
will be limited to five minutes.
Members of the public who are
interested in speaking are asked to
contact Ms. Annie Sokol at the
telephone number indicated above.
In addition, written statements are
invited and may be submitted to the
ISPAB at any time. Written statements
should be directed to the ISPAB
Secretariat, Information Technology
Laboratory, 100 Bureau Drive, Stop
8930, National Institute of Standards
and Technology, Gaithersburg, MD
20899–8930. Approximately 15 seats
will be available for the public and
media.
Dated: June 8, 2011.
Charles H. Romine,
Acting Associate Director for Laboratory
Programs.
[FR Doc. 2011–14704 Filed 6–13–11; 8:45 am]
BILLING CODE 3510–13–P
DEPARTMENT OF COMMERCE
Office of the Secretary, National
Institute of Standards and Technology
[Docket No. 110524296–1289–02]
Models for a Governance Structure for
the National Strategy for Trusted
Identities in Cyberspace
AGENCY: U.S. Department of Commerce,
Office of the Secretary, and National
Institute of Standards and Technology.
ACTION: Notice of inquiry.
SUMMARY: The Department of Commerce
(Department) is conducting a
comprehensive review of governance
models for a governance body to
administer the processes for policy and
standards adoption for the Identity
Ecosystem Framework in accordance
with the National Strategy for Trusted
Identities in Cyberspace (NSTIC or
‘‘Strategy’’). The Strategy refers to this
governance body as the ‘‘steering
group.’’ The Department seeks public
comment from all stakeholders,
including the commercial, academic
and civil society sectors, and consumer
and privacy advocates on potential
models, in the form of recommendations
and key assumptions in the formation
and structure of the steering group. The
Department seeks to learn and
understand approaches for: (1) The
structure and functions of a persistent
and sustainable private sector-led
steering group and (2) the initial
establishment of the steering group.
This Notice specifically seeks comment
on the structures and processes for
Identity Ecosystem governance. This
Notice does not solicit comments or
advice on the policies that will be
chosen by the steering group or specific
issues such as accreditation or trustmark
schemes, which will be considered by
the steering group at a later date.
Responses to this Notice will serve only
as input for a Departmental report of
government recommendations for
establishing the NSTIC steering group.
DATES: Comments are due on or before
July 22, 2011.
ADDRESSES: Written comments may be
submitted by mail to the National
Institute of Standards and Technology,
c/o Annie Sokol, 100 Bureau Drive,
Mailstop 8930, Gaithersburg, MD 20899.
Electronic comments may be sent to
NSTICnoi@nist.gov. Electronic
submissions may be in any of the
following formats: HTML, ASCII, Word,
rtf, or PDF. Paper submissions should
include a compact disc (CD). CDs
should be labeled with the name and
organizational affiliation of the filer and
the name of the word processing
program used to create the document.
Comments will be posted at https://www.nist.gov/nstic.
The Strategy is available at
https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.
The NIST Web site for NSTIC and its
implementation is available at
https://www.nist.gov/nstic.
FOR FURTHER INFORMATION CONTACT: For
questions about this Notice contact:
Annie Sokol, Information Technology
Laboratory, National Institute of
Standards and Technology, U.S.
Department of Commerce, 100 Bureau
Drive, Mailstop 8930, Gaithersburg, MD
20899, telephone (301) 975–2006; e-mail
nsticnoi@nist.gov. Please direct media
inquiries to the Director of NIST’s Office
of Public Affairs, gail.porter@nist.gov.
SUPPLEMENTARY INFORMATION:
Recognizing the vital importance of
cyberspace to U.S. innovation,
prosperity, education and political and
cultural life, and the need for a trusted
and resilient information and
communications infrastructure, the
Administration released the Cyberspace
Policy Review in May 2009. Included in
this review was a near-term action to
‘‘build a cybersecurity-based identity
management vision and strategy that
addresses privacy and civil liberties
interests, leveraging privacy-enhancing
technologies for the Nation.’’ The
completion of this action is the National
Strategy for Trusted Identities in
Cyberspace (NSTIC or ‘‘Strategy’’),
released in April 2011. The Strategy
called for the creation of a National
Program Office to be hosted at the
Department of Commerce, as part of its
ongoing cybersecurity and identity
management activities. The Department
intends to leverage the expertise present
across many bureaus at the Department
and across the U.S. Government, as well
as experts in industry, academia,
governments at all levels, communities
of interest (including privacy, civil
liberties, and consumer advocates), and
the general public, through a series of
inquiries and public workshops. This
Notice of Inquiry is a continuation of
the Administration’s effort, and its goal
is to explore the establishment and
structure of governance models. The
Department may explore additional
areas in the future.
Background: This Notice reflects the
initial steps of the Strategy’s
implementation as they relate to the
Department’s ongoing cyber security
and identity management activities.
Specifically, the Strategy calls for a
‘‘steering group’’ to administer the
process for policy and standards
development for the Identity Ecosystem
Framework in accordance with the
Strategy’s Guiding Principles. The
Identity Ecosystem is an online
environment where individuals and
organizations will be able to trust each
other because they follow agreed upon
standards to obtain and authenticate
their digital identities and the digital
identities of devices. The Identity
Ecosystem Framework is the
overarching set of interoperability
standards, risk models, privacy and
liability policies, requirements, and
accountability mechanisms that govern
the Identity Ecosystem.
The Strategy’s four Guiding Principles
specify that identity solutions must be:
Privacy-enhancing and voluntary,
secure and resilient, interoperable, and
cost-effective and easy to use. The
establishment of this steering group will
be an essential component of achieving
a successful implementation of the
Strategy; a persistent and sustainable
private sector-led steering group will
maintain the rules of participating in the
Identity Ecosystem, develop and
establish accountability measures to
promote broad adherence to these rules,
and foster the evolution of the Identity
Ecosystem to match the evolution of
cyberspace itself.
The government’s role in
implementing the Strategy includes
advocating for and protecting
individuals; supporting the private
sector’s development and adoption of
the Identity Ecosystem; partnering with
the private sector to ensure that the
Identity Ecosystem is sufficiently
interoperable, secure and privacy
enhancing; and being an early adopter
of both Identity Ecosystem technologies
and policies. In this role, the
government must partner with the
private sector to convene a wide variety
of stakeholders to facilitate consensus,
with a goal of ensuring that the
Strategy’s four Guiding Principles are
achieved. The government has an
interest in promoting the rapid
development of a steering group capable
of, and equally committed to, upholding
the Strategy’s Guiding Principles.
The Strategy calls for the
development of a steering group that
will bring together representatives of all
of the interested stakeholders to ensure
that the Identity Ecosystem Framework
upholds the Guiding Principles by
providing a minimum baseline of
privacy, security, and interoperability
through standards and policies—
without creating unnecessary barriers to
market entry. To that end, the steering
group will administer the process for
the adoption of policy and technical
standards, set milestones and measure
progress against them, and ensure that
accreditation authorities validate
participants’ adherence to the
requirements of the Identity Ecosystem
Framework.
With this outcome in mind, the
government seeks comment on the
establishment and structure of a steering
group that can successfully complete
the above stated goals and objectives
and, ultimately, achieve the Strategy’s
vision that ‘‘individuals and
organizations utilize secure, efficient,
easy-to-use, and interoperable identity
solutions to access online services in a
manner that promotes confidence,
privacy, choice, and innovation.’’
Contribution of this NOI to the NSTIC
implementation: Comments submitted
on this Notice will serve as input for a
Departmental report that will include a
summary of responses to comments on
this Notice, as well as the government’s
recommendations for the processes and
structure necessary for the
establishment and maintenance of a
successful steering group. The report
will focus on the steering group in two
phases: (1) The structure and functions
of the steering group and (2) the initial
establishment of the steering group.
This report may include
recommendations for addressing
governance structures and processes for
a variety of issues, including:
leadership, representation of Identity
Ecosystem participants; accountability
measures; liability issues; accreditation
and certification processes; cross-sector
and cross-industry issues; the balance of
self-interested and self-regulatory roles
of steering group participants;
adherence to the Guiding Principles;
interaction and involvement with
standards development organizations
and other technical bodies; use,
development, and maintenance of a
trustmark scheme; the relationship of
the steering group to the Federal
government; and interactions with
international governments and fora.
Request for Comment: This Notice of
Inquiry seeks comment on the
requirements of, and possible models
for, (1) the structure and functions of the
steering group and (2) the initial
establishment of the steering group.
Responses can include information
detailing the effective and ineffective
aspects of other governance models and
how they apply to governance needs of
the Identity Ecosystem, as well as
feedback specific to requirements of the
Strategy and governance solutions for
those requirements. The questions
below are intended to assist in framing
the issues and should not be construed
as a limitation on comments that parties
may submit. The Department invites
comment on the full range of issues that
may be raised by this Notice. Comments
that contain references to studies,
research and other empirical data that
are not widely published should be
accompanied by copies of the
referenced materials with the submitted
comments, keeping in mind that all
submissions will be part of public
record.
The first section of this Notice
addresses the steady-state structure of
the steering group. The second section
addresses the process of initiating a
steering group that can evolve into that
steady-state. The third and fourth
sections address two fundamental
aspects of governance both at initiation
and steady-state: representation of
stakeholders and international
considerations.
1. Structure of the Steering Group
There are many models of governance
that perform some of the wide range of
functions needed to formulate and
administer the Identity Ecosystem
Framework. While not all of these
functions are unique to the steering
group, few examples of governance
cover the same breadth of the technical
and economic landscape as the Identity
Ecosystem Framework. The steering
group, therefore, has a greater risk of
either being too small to serve its
purpose, or too large to govern
effectively. There is a full spectrum of
affected economic sectors, some of
which are highly-regulated and some of
which are unregulated. The steering
group will need to simultaneously
integrate the Identity Ecosystem
Framework with regulatory
requirements faced by firms in a variety
of industry sectors. At the same time,
the steering group needs to consider and
represent the interest of the broader
public in security and privacy. It is
imperative to find a working structure
that accomplishes all these needs.
Questions
1.1. Given the Guiding Principles
outlined in the Strategy, what should be
the structure of the steering group?
What structures can support the
technical, policy, legal, and operational
aspects of the Identity Ecosystem
without stifling innovation?
1.2. Are there broad, multi-sector
examples of governance structures that
match the scale of the steering group? If
so, what makes them successful or
unsuccessful? What challenges do they
face?
1.3. Are there functions of the steering
group listed in this Notice that should
not be part of the steering group’s
activities? Please explain why they are
not essential components of Identity
Ecosystem Governance.
1.4. Are there functions that the
steering group must have that are not
listed in this notice? How do your
suggested governance structures allow
for inclusion of these additional
functions?
1.5. To what extent does the steering
group need to support different sectors
differently?
1.6. How can the steering group
effectively set its own policies for all
Identity Ecosystem participants without
risking conflict with rules set in
regulated industries? To what extent can
the government mitigate risks associated
with this complexity?
1.7. To what extent can each of the
Guiding Principles of the Strategy—
interoperability, security, privacy and
ease of use—be supported without
risking ‘‘pull through’’ 1 regulation from
regulated participants in the Identity
Ecosystem?
1.8. What are the most important
characteristics (e.g., standards and
technical capabilities, rulemaking
authority, representational structure,
etc.) of the steering group?
1.9. How should the government be
involved in the steering group at steady
state? What are the advantages and
disadvantages of different levels of
government involvement?
1 NSTIC solutions will ideally be used across all
industries, including both regulated and
unregulated industries. ‘‘Pull through’’ refers to the
concept that when implementing an NSTIC solution
that touches some regulated industries, individuals
or firms implementing those solutions would then
find that they are subject to the specific regulations
for those industries. This could create a confusing
policy and legal landscape for a company looking
to serve as an identity provider to all sectors.
2. Steering Group Initiation
In its role of supporting the private
sector’s leadership of the Identity
Ecosystem, the government’s aim is to
accelerate establishment of a steering
group that will uphold the Guiding
Principles of the Strategy. The
government thus seeks comment on the
ways in which it can be a catalyst to the
establishment of the steering group.
There are many means by which the
steering group could be formed, and
such structures generally fall into three
broad categories:
(a) A new organization, organically
formed by interested stakeholders.
(b) An existing stakeholder
organization that establishes the steering
group as part of its activities.
(c) Use of government authorities,
such as the Federal Advisory Committee
Act (FACA), to charge a new or existing
advisory panel with formulating
recommendations for the initial policy
and technical framework for the Identity
Ecosystem, allowing for a transition to
a private sector body after establishing
a sustainable Identity Ecosystem, or
through the legislative process.
Questions
2.1. How does the functioning of the
steering group relate to the method by
which it was initiated? Does the scope
of authority depend on the method?
What examples are there from each of
the broad categories above or from other
methods? What are the advantages or
disadvantages of different methods?
2.2. While the steering group will
ultimately be private sector-led
regardless of how it is established, to
what extent does government leadership
of the group’s initial phase increase or
decrease the likelihood of the Strategy’s
success?
2.3. How can the government be most
effective in accelerating the
development and ultimate success of
the Identity Ecosystem?
2.4. Do certain methods of
establishing the steering group create
greater risks to the Guiding Principles?
What measures can best mitigate those
risks? What role can the government
play to help to ensure the Guiding
Principles are upheld?
2.5. What types of arrangements
would allow for both an initial
government role and, if initially led by
the government, a transition to private
sector leadership in the steering group?
If possible, please give examples of such
arrangements and their positive and
negative attributes.
3. Representation of Stakeholders in the
Steering Group
Representation of all stakeholders is a
difficult but essential task when
stakeholders are as numerous and
diverse as those in the Identity
Ecosystem. The breadth of stakeholder
representation and the voice they have
in policy formulation must be fair and
transparent. The steering group must be
accountable to all participants in the
Identity Ecosystem, including
individuals. An essential task for the
steering group will be to provide
organizations or individuals who may
not be direct participants in the Identity
Ecosystem, such as privacy and civil
liberties advocacy groups, with a
meaningful way to have an impact on
policy formulation.
Given the diverse, multi-sector set of
stakeholders in the Identity Ecosystem,
representation in the steering group
must be carefully balanced. Should the
influence skew in any direction,
stakeholders may quickly lose
confidence in the ability of the steering
group to fairly formulate solutions to the
variety of issues that surround the
creation and governance of the Identity
Ecosystem.
Question
3.1. What should the make-up of the
steering group look like? What is the
best way to engage organizations
playing each role in the Identity
Ecosystem, including individuals?
3.2. How should interested entities
that do not directly participate in the
Identity Ecosystem receive
representation in the steering group?
3.3. What does balanced
representation mean and how can it be
achieved? What steps can be taken
to guard against disproportionate influence
over policy formulation?
3.4. Should there be a fee for
representatives in the steering group?
Are there appropriate tiered systems for
fees that will prevent ‘‘pricing out’’
organizations, including individuals?
3.5. Other than fees, are there other
means to maintain a governance body in
the long term? If possible, please give
examples of existing structures and their
positive and negative attributes.
3.6. Should all members have the
same voting rights on all issues, or
should voting rights be adjusted to favor
those most impacted by a decision?
3.7. How can appropriately broad
representation within the steering group
be ensured? To what extent and in what
ways must the Federal government, as
well as State, local, tribal, territorial,
and foreign governments be involved at
the outset?
4. International
Given the global nature of online
commerce, the Identity Ecosystem
cannot be isolated from internationally
available online services and their
identity solutions. Without
compromising the Guiding Principles of
the Strategy, the public and private
sectors will strive to enable
international interoperability. In order
for the United States to benefit from
other nations’ best practices and achieve
international interoperability, the U.S.
public and private sectors must be
active participants in international
technical and policy fora.
No single entity, including the
Federal government, can effectively
participate in every international
standards effort. The private sector is
already involved in many international
standards initiatives; ultimately, then,
the international integration of the
Identity Ecosystem will depend in great
part upon private sector leadership.
Questions
4.1. How should the structure of the
steering group address international
perspectives, standards, policies, best
practices, etc.?
4.2. How should the steering group
coordinate with other international
entities (e.g., standards and policy
development organizations, trade
organizations, foreign governments)?
4.3. On what international entities
should the steering group focus its
attention and activities?
4.4. How should the steering group
maximize the Identity Ecosystem’s
interoperability internationally?
4.5. What is the Federal government’s
role in promoting international
cooperation within the Identity
Ecosystem?
Dated: June 7, 2011.
Patrick Gallagher,
Under Secretary of Commerce for Standards
and Technology.
[FR Doc. 2011–14702 Filed 6–13–11; 8:45 am]
BILLING CODE 3510–13–P
DEPARTMENT OF COMMERCE
National Institute of Standards and
Technology
National Conference on Weights and
Measures 2011 Annual Meeting
AGENCY: National Institute of Standards
and Technology, Commerce.
ACTION: Notice.
SUMMARY: The National Conference on
Weights and Measures (NCWM) 2011
Annual Meeting will be held July 17 to
21, 2011. Publication of this notice on
the NCWM’s behalf is undertaken as a
public service. The meetings are open to
the public but a paid registration is
required. See registration information in
the SUPPLEMENTARY INFORMATION section
below.
DATES: The meeting will be held on July
17 to 21, 2011.
ADDRESSES: The meeting will be held at
the Holiday Inn Downtown at the Park
located at 200 South Pattee in Missoula,
MT 59802.
FOR FURTHER INFORMATION CONTACT:
Carol Hockert, Chief, NIST, Weights and
Measures Division, 100 Bureau Drive,
Stop 2600, Gaithersburg, MD 20899–
2600 or by telephone (301) 975–5507 or
by e-mail at Carol.Hockert@nist.gov.
SUPPLEMENTARY INFORMATION: The
NCWM is an organization of weights
and measures officials of the states,
counties, and cities, Federal agencies,
and private sector representatives.
These meetings bring together
government officials and representatives
of business, industry, trade associations,
and consumer organizations on subjects
related to the field of weights and
measures technology, administration,
test methods and enforcement. NIST
attends the conference to promote
uniformity among the states in laws,
regulations, methods, and testing
equipment that comprise the regulatory
control of commercial weighing and
measuring devices and other trade and
commerce issues. To register for this
meeting, please see the link ‘‘96
National Conference on Weights and
Measures’’ at https://www.ncwm.net or
https://www.nist.gov/owm which
contains meeting agendas, registration
forms and information on hotel
reservations.
The following are brief descriptions of
some of the significant agenda items
that will be considered along with other
issues at this meeting. Comments will
be taken on these and other issues
during several public comment sessions.
See NCWM Publication 16 (Pub 16) for
information on all of the issues that will
be considered at this meeting. At this
stage, the items are proposals. The
Committees will also hold work
sessions where they will finalize their
recommendations for possible adoption
by NCWM on July 20 to 21, 2011. The
Committees may withdraw or carry over
items that need additional development.
The Specifications and Tolerances
Committee (S&T Committee) will
consider proposed amendments to NIST
Handbook 44, ‘‘Specifications,
Tolerances, and other Technical
Requirements for Weighing and
Measuring Devices (NIST Handbook
44).’’ Those items address weighing and
measuring devices used in commercial
applications, that is, devices that are
used to buy from or sell to the public
or used for determining the quantity of
product sold among businesses.
[Federal Register Volume 76, Number 114 (Tuesday, June 14, 2011)]
[Notices]
[Pages 34650-34653]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-14702]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Office of the Secretary, National Institute of Standards and
Technology
[Docket No. 110524296-1289-02]
Models for a Governance Structure for the National Strategy for
Trusted Identities in Cyberspace
AGENCY: U.S. Department of Commerce, Office of the Secretary, and
National Institute of Standards and Technology.
ACTION: Notice of inquiry.
-----------------------------------------------------------------------
SUMMARY: The Department of Commerce (Department) is conducting a
comprehensive review of governance models for a governance body to
administer the processes for policy and standards adoption for the
Identity Ecosystem Framework in accordance with the National Strategy
for Trusted Identities in Cyberspace (NSTIC or ``Strategy''). The
Strategy refers to this governance body as the ``steering group.'' The
Department seeks public comment from all stakeholders, including the
commercial, academic and civil society sectors, and consumer and
privacy advocates on potential models, in the form of recommendations
and key assumptions in the formation and structure of the steering
group. The Department seeks to learn and understand approaches for: (1)
The structure and functions of a persistent and sustainable private
sector-led steering group and (2) the initial establishment of the
steering group. This Notice specifically seeks comment on the
structures and processes for Identity Ecosystem governance. This Notice
does not solicit comments or advice on the policies that will be chosen
by the steering group or specific issues such as accreditation or
trustmark schemes, which will be considered by the steering group at a
later date. Responses to this Notice will serve only as input for a
Departmental report of government recommendations for establishing the
NSTIC steering group.
[[Page 34651]]
DATES: Comments are due on or before July 22, 2011.
ADDRESSES: Written comments may be submitted by mail to the National
Institute of Standards and Technology, c/o Annie Sokol, 100 Bureau
Drive, Mailstop 8930, Gaithersburg, MD 20899. Electronic comments may
be sent to NSTICnoi@nist.gov. Electronic submissions may be in any of
the following formats: HTML, ASCII, Word, rtf, or PDF. Paper
submissions should include a compact disc (CD). CDs should be labeled
with the name and organizational affiliation of the filer and the name
of the word processing program used to create the document. Comments
will be posted at https://www.nist.gov/nstic. The Strategy is available
at https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf. The NIST Web site for NSTIC and its
implementation is available at https://www.nist.gov/nstic.
FOR FURTHER INFORMATION CONTACT: For questions about this Notice
contact: Annie Sokol, Information Technology Laboratory, National
Institute of Standards and Technology, U.S. Department of Commerce, 100
Bureau Drive, Mailstop 8930, Gaithersburg, MD 20899, telephone (301)
975-2006; e-mail nsticnoi@nist.gov. Please direct media inquires to the
Director of NIST's Office of Public Affairs, gail.porter@nist.gov.
SUPPLEMENTARY INFORMATION: Recognizing the vital importance of
cyberspace to U.S. innovation, prosperity, education and political and
cultural life, and the need for a trusted and resilient information and
communications infrastructure, the Administration released the
Cyberspace Policy Review in May 2009. Included in this review was a
near-term action to ``build a cybersecurity-based identity management
vision and strategy that addresses privacy and civil liberties
interests, leveraging privacy-enhancing technologies for the Nation.''
The completion of this action is the National Strategy for Trusted
Identities in Cyberspace (NSTIC or ``Strategy''), released in April
2011. The Strategy called for the creation of a National Program Office
to be hosted at the Department of Commerce, as part of its ongoing
cybersecurity and identity management activities. The Department
intends to leverage the expertise present across many bureaus at the
Department and across the U.S. Government, as well as experts in
industry, academia, governments at all levels, communities of interest
(including privacy, civil liberties, and consumer advocates), and the
general public, through a series of inquiries and public workshops.
This Notice of Inquiry is a continuation of the Administration's
effort, and its goal is to explore the establishment and structure of
governance models. The Department may explore additional areas in the
future.
Background: This Notice reflects the initial steps of the
Strategy's implementation as they relate to the Department's ongoing
cybersecurity and identity management activities. Specifically, the
Strategy calls for a ``steering group'' to administer the process for
policy and standards development for the Identity Ecosystem Framework
in accordance with the Strategy's Guiding Principles. The Identity
Ecosystem is an online environment where individuals and organizations
will be able to trust each other because they follow agreed upon
standards to obtain and authenticate their digital identities and the
digital identities of devices. The Identity Ecosystem Framework is the
overarching set of interoperability standards, risk models, privacy and
liability policies, requirements, and accountability mechanisms that
govern the Identity Ecosystem.
The Strategy's four Guiding Principles specify that identity
solutions must be: Privacy-enhancing and voluntary, secure and
resilient, interoperable, and cost-effective and easy to use. The
establishment of this steering group will be an essential component of
achieving a successful implementation of the Strategy; a persistent and
sustainable private sector-led steering group will maintain the rules
of participating in the Identity Ecosystem, develop and establish
accountability measures to promote broad adherence to these rules, and
foster the evolution of the Identity Ecosystem to match the evolution
of cyberspace itself.
The government's role in implementing the Strategy includes
advocating for and protecting individuals; supporting the private
sector's development and adoption of the Identity Ecosystem; partnering
with the private sector to ensure that the Identity Ecosystem is
sufficiently interoperable, secure and privacy enhancing; and being an
early adopter of both Identity Ecosystem technologies and policies. In
this role, the government must partner with the private sector to
convene a wide variety of stakeholders to facilitate consensus, with a
goal of ensuring that the Strategy's four Guiding Principles are
achieved. The government has an interest in promoting the rapid
development of a steering group capable of, and equally committed to,
upholding the Strategy's Guiding Principles.
The Strategy calls for the development of a steering group that
will bring together representatives of all of the interested
stakeholders to ensure that the Identity Ecosystem Framework upholds
the Guiding Principles by providing a minimum baseline of privacy,
security, and interoperability through standards and policies--without
creating unnecessary barriers to market entry. To that end, the
steering group will administer the process for the adoption of policy
and technical standards, set milestones and measure progress against
them, and ensure that accreditation authorities validate participants'
adherence to the requirements of the Identity Ecosystem Framework.
With this outcome in mind, the government seeks comment on the
establishment and structure of a steering group that can successfully
complete the above stated goals and objectives and, ultimately, achieve
the Strategy's vision that ``individuals and organizations utilize
secure, efficient, easy-to-use, and interoperable identity solutions to
access online services in a manner that promotes confidence, privacy,
choice, and innovation.''
Contribution of this NOI to the NSTIC implementation: Comments
submitted on this Notice will serve as input for a Departmental report
that will include a summary of responses to comments on this Notice, as
well as the government's recommendations for the processes and
structure necessary for the establishment and maintenance of a
successful steering group. The report will focus on the steering group
in two phases: (1) The structure and functions of the steering group
and (2) the initial establishment of the steering group. This report
may include recommendations for addressing governance structures and
processes for a variety of issues, including: leadership,
representation of Identity Ecosystem participants; accountability
measures; liability issues; accreditation and certification processes;
cross-sector and cross-industry issues; the balance of self-interested
and self-regulatory roles of steering group participants; adherence to
the Guiding Principles; interaction and involvement with standards
development organizations and other technical bodies; use, development,
and maintenance of a trustmark scheme; the relationship of the steering
group to the Federal government; and interactions with international
governments and fora.
Request for Comment: This Notice of Inquiry seeks comment on the
requirements of, and possible models for, (1) the structure and
functions of the steering group and (2) the initial establishment of
the steering group. Responses can include information detailing the
effective and ineffective aspects of other governance models and how
they apply to governance needs of the Identity Ecosystem, as well as
feedback specific to requirements of the Strategy and governance
solutions for those requirements. The questions below are intended to
assist in framing the issues and should not be construed as a
limitation on comments that parties may submit. The Department invites
comment on the full range of issues that may be raised by this Notice.
Comments that contain references to studies, research and other
empirical data that are not widely published should be accompanied by
copies of the referenced materials with the submitted comments, keeping
in mind that all submissions will be part of public record.
The first section of this Notice addresses the steady-state
structure of the steering group. The second section addresses the
process of initiating a steering group that can evolve into that
steady-state. The third and fourth sections address two fundamental
aspects of governance both at initiation and steady-state:
representation of stakeholders and international considerations.
1. Structure of the Steering Group
There are many models of governance that perform some of the wide
range of functions needed to formulate and administer the Identity
Ecosystem Framework. While not all of these functions are unique to the
steering group, few examples of governance cover the same breadth of
the technical and economic landscape as the Identity Ecosystem
Framework. The steering group, therefore, has a greater risk of either
being too small to serve its purpose, or too large to govern
effectively. There is a full spectrum of affected economic sectors,
some of which are highly-regulated and some of which are unregulated.
The steering group will need to simultaneously integrate the Identity
Ecosystem Framework with regulatory requirements faced by firms in a
variety of industry sectors. At the same time, the steering group needs
to consider and represent the interest of the broader public in
security and privacy. It is imperative to find a working structure that
accomplishes all these needs.
Questions
1.1. Given the Guiding Principles outlined in the Strategy, what
should be the structure of the steering group? What structures can
support the technical, policy, legal, and operational aspects of the
Identity Ecosystem without stifling innovation?
1.2. Are there broad, multi-sector examples of governance
structures that match the scale of the steering group? If so, what
makes them successful or unsuccessful? What challenges do they face?
1.3. Are there functions of the steering group listed in this
Notice that should not be part of the steering group's activities?
Please explain why they are not essential components of Identity
Ecosystem Governance.
1.4. Are there functions that the steering group must have that are
not listed in this notice? How do your suggested governance structures
allow for inclusion of these additional functions?
1.5. To what extent does the steering group need to support
different sectors differently?
1.6. How can the steering group effectively set its own policies
for all Identity Ecosystem participants without risking conflict with
rules set in regulated industries? To what extent can the government
mitigate risks associated with this complexity?
1.7. To what extent can each of the Guiding Principles of the
Strategy--interoperability, security, privacy and ease of use--be
supported without risking ``pull through'' \1\ regulation from
regulated participants in the Identity Ecosystem?
---------------------------------------------------------------------------
\1\ NSTIC solutions will ideally be used across all industries,
including both regulated and unregulated industries. ``Pull
through'' refers to the concept that when implementing an NSTIC
solution that touches some regulated industries, individuals or
firms implementing those solutions would then find that they are
subject to the specific regulations for those industries. This could
create a confusing policy and legal landscape for a company looking
to serve as an identity provider to all sectors.
---------------------------------------------------------------------------
1.8. What are the most important characteristics (e.g., standards
and technical capabilities, rulemaking authority, representational
structure, etc.) of the steering group?
1.9. How should the government be involved in the steering group at
steady state? What are the advantages and disadvantages of different
levels of government involvement?
2. Steering Group Initiation
In its role of supporting the private sector's leadership of the
Identity Ecosystem, the government's aim is to accelerate establishment
of a steering group that will uphold the Guiding Principles of the
Strategy. The government thus seeks comment on the ways in which it can
be a catalyst to the establishment of the steering group.
There are many means by which the steering group could be formed,
and such structures generally fall into three broad categories:
(a) A new organization, organically formed by interested
stakeholders.
(b) An existing stakeholder organization that establishes the
steering group as part of its activities.
(c) Use of government authorities, such as the Federal Advisory
Committee Act (FACA), to charge a new or existing advisory panel with
formulating recommendations for the initial policy and technical
framework for the Identity Ecosystem, allowing for a transition to a
private sector body after establishing a sustainable Identity
Ecosystem, or through the legislative process.
Questions
2.1. How does the functioning of the steering group relate to the
method by which it was initiated? Does the scope of authority depend on
the method? What examples are there from each of the broad categories
above or from other methods? What are the advantages or disadvantages
of different methods?
2.2. While the steering group will ultimately be private sector-led
regardless of how it is established, to what extent does government
leadership of the group's initial phase increase or decrease the
likelihood of the Strategy's success?
2.3. How can the government be most effective in accelerating the
development and ultimate success of the Identity Ecosystem?
2.4. Do certain methods of establishing the steering group create
greater risks to the Guiding Principles? What measures can best
mitigate those risks? What role can the government play to help to
ensure the Guiding Principles are upheld?
2.5. What types of arrangements would allow for both an initial
government role and, if initially led by the government, a transition
to private sector leadership in the steering group? If possible, please
give examples of such arrangements and their positive and negative
attributes.
3. Representation of Stakeholders in the Steering Group
Representation of all stakeholders is a difficult but essential
task when stakeholders are as numerous and diverse as those in the
Identity Ecosystem. The breadth of stakeholder representation and the
voice they have
in policy formulation must be fair and transparent. The steering group
must be accountable to all participants in the Identity Ecosystem,
including individuals. An essential task for the steering group will be
to provide organizations or individuals who may not be direct
participants in the Identity Ecosystem, such as privacy and civil
liberties advocacy groups, with a meaningful way to have an impact on
policy formulation.
Given the diverse, multi-sector set of stakeholders in the Identity
Ecosystem, representation in the steering group must be carefully
balanced. Should the influence skew in any direction, stakeholders may
quickly lose confidence in the ability of the steering group to fairly
formulate solutions to the variety of issues that surround the creation
and governance of the Identity Ecosystem.
Questions
3.1. What should the make-up of the steering group look like? What
is the best way to engage organizations playing each role in the
Identity Ecosystem, including individuals?
3.2. How should interested entities that do not directly
participate in the Identity Ecosystem receive representation in the
steering group?
3.3. What does balanced representation mean and how can it be
achieved? What steps can be taken to guard against disproportionate
influence over policy formulation?
3.4. Should there be a fee for representatives in the steering
group? Are there appropriate tiered systems for fees that will prevent
``pricing out'' organizations, including individuals?
3.5. Other than fees, are there other means to maintain a
governance body in the long term? If possible, please give examples of
existing structures and their positive and negative attributes.
3.6. Should all members have the same voting rights on all issues,
or should voting rights be adjusted to favor those most impacted by a
decision?
3.7. How can appropriately broad representation within the steering
group be ensured? To what extent and in what ways must the Federal
government, as well as State, local, tribal, territorial, and foreign
governments be involved at the outset?
4. International
Given the global nature of online commerce, the Identity Ecosystem
cannot be isolated from internationally available online services and
their identity solutions. Without compromising the Guiding Principles
of the Strategy, the public and private sectors will strive to enable
international interoperability. In order for the United States to
benefit from other nations' best practices and achieve international
interoperability, the U.S. public and private sectors must be active
participants in international technical and policy fora.
No single entity, including the Federal government, can effectively
participate in every international standards effort. The private sector
is already involved in many international standards initiatives;
ultimately, then, the international integration of the Identity
Ecosystem will depend in great part upon private sector leadership.
Questions
4.1. How should the structure of the steering group address
international perspectives, standards, policies, best practices, etc.?
4.2. How should the steering group coordinate with other
international entities (e.g., standards and policy development
organizations, trade organizations, foreign governments)?
4.3. On what international entities should the steering group focus
its attention and activities?
4.4. How should the steering group maximize the Identity
Ecosystem's interoperability internationally?
4.5. What is the Federal government's role in promoting
international cooperation within the Identity Ecosystem?
Dated: June 7, 2011.
Patrick Gallagher,
Under Secretary of Commerce for Standards and Technology.
[FR Doc. 2011-14702 Filed 6-13-11; 8:45 am]
BILLING CODE 3510-13-P