Editor’s Note: This story has been updated to clarify the Postal Service’s role in the Federal Credential Cloud Exchange.
A little while ago I talked with the director of the National Strategy for Trusted Identities in Cyberspace, Jeremy Grant, about the government’s efforts to eliminate passwords as part of a security strategy. One of the first steps in that effort was the creation of the Federal Credential Cloud Exchange, which would allow agencies and citizens to share credentials without having to become reauthorized for every digital transaction. The idea is to eliminate the need for multiple passwords, replacing them with a single digital identity.
That effort is not due for completion until 2020. However, a major milestone was achieved last week with news of a solution from ForgeRock that integrates with Federal Credential Cloud Exchange. The new FederalConnect component allows federal agencies to accelerate rollout of digital citizen services. Any federal agency can begin using it right away.
I talked with ForgeRock Vice President Allan Foster about the new FederalConnect software because his company developed the first software to help federal agencies connect with FCCX. I also asked him how NSTIC’s other efforts are going and which milestones we would see achieved in the near future as the government continues its war against passwords.
John Breeden II: Can you tell us a bit about the Federal Credential Cloud Exchange that FederalConnect fits into?
Allan Foster: The Federal Cloud Credential Exchange is a federation hub, under construction by the United States Postal Service, that allows individuals to access participating government agencies with commercially issued, verified, digital identities. People will no longer have to get a digital credential from each separate agency; instead, the FCCX acts as a middleman, which will make it simpler for individuals to use their own credentials from an approved external credential service. Essentially, the initiative eliminates the friction associated with accessing government digital services.
JBII: How will FederalConnect specifically allow federal agencies to accelerate the rollout of digital citizen services?
AF: For the FCCX to be successful, government agencies need to implement a software infrastructure that allows them to connect their applications to the FCCX hub. FederalConnect arms the agencies with a simple solution for federating agency applications and services to the hub. Essentially, FederalConnect provides packaged technology that allows agencies to connect to the hub in days or weeks, and avoid complex integration efforts.
JBII: And this is being done using ForgeRock technology?
AF: ForgeRock is powering digital identities for many governments globally, including the United States, Norway, Belgium and others. Any agency that is using ForgeRock today can leverage our federation solution to easily connect to the USPS hub. Any agency that lacks the technology to connect to the hub can use our simple FederalConnect solution for rapid integration. Since FederalConnect is purpose-built for easy integration with the USPS hub, agencies can participate simply, quickly and pain-free.
JBII: How closely are you working with the Postal Service for this effort?
AF: ForgeRock is enabling agencies to integrate with the USPS initiative. We also work closely with SecureKey, the vendor building the FCCX hub for the USPS, to ensure easy integration with the FCCX service.
JBII: And is FederalConnect completely live now?
AF: Yes, FederalConnect is 100 percent available for government agencies to use today.
JBII: Will there be any other ForgeRock products that we can expect will support the government’s efforts to tighten security?
AF: Beyond the FederalConnect solution, ForgeRock offers a very robust set of capabilities to tighten security. These are particularly useful because any agency using our FederalConnect solution can also easily upgrade to take advantage of our more advanced security features. In particular, we offer three advanced features.
The first is contextual authentication. We use real-time data and insight to evaluate user risk and elevate security when things look suspicious. Contextual authentication is particularly useful because we can protect citizens from malicious attacks, even when their credentials have been compromised.
With multifactor authentication, we can combine two or more independent credentials for enhanced security. Options include what the user knows, their password, what the user has, their security token, and who the user is with biometric verification.
And we are totally open source. ForgeRock is the only end-to-end open source identity platform vendor in the market. Open source software is quite advantageous because it is much more secure than proprietary software. This is due to the fact that a global “set of eyes” evaluates open source code and constantly works on it to ensure that it is more hardened than proprietary software. Proprietary software, on the other hand, is tested by only a few people and is closed to the public, so you don’t know what’s being put into it.
With commercial open source, you get the best of both worlds: a global community focused on ensuring quality and a dedicated vendor hardening, testing and productizing the offering to make it super easy for the end-user to deploy and use.