9/17/2014
12:00 AM
Dark Reading
Products and Releases

NSTIC Awards Three Pilot Project Grants to Improve Online Security and Privacy

The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) today announced nearly $3 million in grants that will support projects for online identity protection to improve privacy, security and convenience. The three recipients of the National Strategy for Trusted Identities in Cyberspace (NSTIC) grants will pilot solutions that make it easier to use mobile devices instead of passwords for online authentication, minimize loss from fraud and improve access to state services.

This is the third round of grants awarded through NSTIC, which was launched by the Obama administration in 2011 and is managed by NIST. The initiative supports collaboration between the private sector, advocacy groups and public-sector agencies to encourage the adoption of secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation.

“The Commerce Department is committed to protecting a free and open Internet, while also working with the private sector to ensure consumers’ security and privacy,” said U.S. Deputy Secretary of Commerce Bruce Andrews. “The grants announced will help spur development of new initiatives that aim to protect people and businesses from online identity theft and fraud.”

The NSTIC pilots have made progress both in advancing the strategy and fostering collaborations that would not otherwise have happened. One consortium of firms that are normally rivals wrote in its proposal, “Even if individual vendors in the identity space could develop a framework, it would be very difficult to get buy-in from other vendors who are competitors. With the recognition and funding from NSTIC, the pilot activities gain the vendor neutrality, visibility and credibility needed to get the various identity vendors to work together to develop a common framework that they can adopt.” 

“The pilots take the vision and principles embodied in NSTIC and translate them into real solutions,” said NIST's Jeremy Grant, senior executive advisor for identity management and head of the NSTIC National Program Office. “At a time when concerns about data breaches and identity theft are growing, these new NSTIC pilots can play an important role in fostering a marketplace of online identity solutions.”

The pilots will also inform the work of the Identity Ecosystem Steering Group (IDESG), a private sector-led organization created to help coordinate development of standards that enable more secure, user-friendly ways to give individuals and organizations confidence in their online interactions.

The grantees announced today are:

GSMA
GSMA has partnered with America’s four major mobile network operators to pilot a common approach—interoperable across all four operators—that will enable consumers and businesses to use mobile devices for secure, privacy-enhancing identity and access management. GSMA’s global Mobile Connect Initiative is the foundation for the pilot; the initiative will be augmented in the United States to align with NSTIC. By allowing any organization to easily accept identity solutions from any of the four operators, the solution would reduce a significant barrier to online service providers accepting mobile-based credentials. GSMA also will tackle user interface, user experience, security and privacy challenges, with a focus on creating an easy-to-use solution for consumers. 

Confyrm
The Confyrm pilot will demonstrate ways to minimize loss when criminals create fake accounts or take over online accounts. A key barrier to federated identity (in which the identity provider of your choice “vouches” for you at other sites) is the concern that accounts used in identity solutions may not be legitimate, or in the control of their rightful owner. Account compromises and the subsequent misuse of identity result in destruction of personal information, damage to individual reputations, and financial loss. Confyrm will demonstrate how a “shared signals” model can mitigate the impact of account takeovers and fake accounts through early fraud detection and notification, with special emphasis on consumer privacy. Aligning with the NSTIC guiding principles, this solution enables individuals and organizations to experience improved trust and confidence in identities online. Pilot partners include a major Internet email provider, a major mobile operator and multiple e-commerce sites.

MorphoTrust USA
MorphoTrust, in partnership with the North Carolina Departments of Transportation (DOT) and Health and Human Services (DHHS), will demonstrate how existing state-issued credentials such as driver’s licenses can be extended into the online world to enable new types of online citizen services. The pilot will leverage North Carolina’s state driver’s license solution to create a digital credential for those applying for the North Carolina (DHHS) Food and Nutrition Services (FNS) Program online. This solution will eliminate the need for people to appear in person to apply for FNS benefits, reducing costs to the state while providing applicants with faster, easier access to benefits.

As a non-regulatory agency of the U.S. Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. To learn more about NIST, visit www.nist.gov.
