GovWin
Commerce Department Looks to Modernize IT by Sharing

The Commerce Department’s CIO, Steve Cooper, has called out three focus areas for technology priorities: shared services, infrastructure, and modernizing the department’s technology strategy. Implementation of shared services will have a palpable impact on contracting, since the federal agency is considering a broker model to deliver services and achieve cost savings. 

The Department of Commerce has established four working groups targeting opportunities to implement shared services within technology, finance, human resources, and acquisition. The aim of these groups is to identify capabilities within those lanes that could be delivered by a set of shared service providers. The department will likely stand up a shared service broker, an internal organization that will be responsible for selecting and managing providers, service agreements, and performance. By focusing shared services on commodity technologies and capabilities, bureaus will be able to free up resources to deliver greater value to mission activities. 

According to a recent interview with Commerce's CIO, the acquisition approach has yet to be determined. One potential option will be to pursue shared services as a joint effort along with other functional areas. The other option would treat these services independently. While bureau leadership is in favor of more broadly adopting a shared service model, none of the bureau CIOs have volunteered to take on the responsibilities of being the provider. This presents an opportunity for vendors to fill the role. A request for information (RFI) is expected out by the end of the year, which will then lead to a request for proposals (RFP) for the selected services. Since the leadership consensus across Commerce’s CIOs is inclined toward testing out shared service models sooner rather than later, service providers should watch for upcoming opportunities. In the short term, an RFI and RFP are expected for video teleconferencing and audio conferencing. 

Additional direction for efforts related to shared services and cloud services implementation is covered in the department’s enterprise transformation roadmap. Other areas to monitor for opportunities at Commerce include technology infrastructure modernization, like secure wireless.

 

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on twitter @FIAGovWin.

 

Emerging Federal Technology Markets – Areas to Watch

Can technological innovation drive federal IT investments, even in the midst of budget pressures? Absolutely. This is what we explore in our latest report on Emerging Federal Technology Markets.

Under long-term pressure to “do more with less,” federal agencies are leveraging current trends in federal IT – cloud, wireless networks, IPv6, and virtualization – to gradually adopt new technologies that enable cost savings and the more efficient use of IT resources. Some of my colleagues and I took a look at how these and other technologies are shaping federal IT investments today and in the future.

Federal Investments in Foundation Technologies will Drive Emerging Markets

Technological change and proliferation span the gamut when it comes to impacting federal agencies. Sensor technologies are being introduced to track facility energy consumption and enhance physical security, while software-defined infrastructure is being explored to eliminate bottlenecks that result from stovepiped systems and the growing volume of data. Machine learning technology is being tested to create “smart” networks that rely less on person-based administration. Tying it all together are predictive analytics, which agencies are using for a growing number of purposes, from forecasting network performance and enhancing cyber security to ferreting out waste, fraud, and abuse. The result is that today’s investments set the stage for tomorrow’s capabilities. (See graphic below.)


Key market factors shaping the federal IT landscape

Some of the major drivers and key findings from our research include:

  • The push to leverage sensor technologies and the data analytics that these enable is a driving force behind agency network modernization efforts like the DoD’s Joint Information Environment. The pace of sensor-based innovation is tied to the success of these efforts.
  • Software-Defined Infrastructure (SDI) is more pervasive than generally believed, particularly at agencies with highly-evolved Infrastructure-as-a-Service offerings.
  • Federal interest in SDI is not hype; it is a genuine trend with a growing number of current and planned use examples across federal agencies.
  • The use of predictive analytics programs has expanded significantly across the federal government since FY 2010, making it a maturing, though niche, technology that is expected to have continued strong growth.
  • The inclusion of predictive analytics as an offering on GSA’s Alliant 2 and, potentially, NS2020 government-wide contracts should help it become regarded less as an exotic technology and more as a standardized commercial-off-the-shelf solution.

The modernization of agency IT environments is opening the doors to future investment in emerging technologies.  The convergence of agencies’ work on expanding wireless networks, deploying standardized, commodity hardware, and engineering Internet Protocol-based transport networks is enabling the introduction of new sensor technologies and software-based capabilities. The impact of emerging technology adoption will be to introduce greater efficiency and security to agency IT environments. 

To get our full perspective on Emerging Federal Technology Markets read the full report. 

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Justice to Streamline IT Buying through Service Broker

In the coming year, the Justice Department will join the ranks of agencies leveraging service broker arrangements for acquisition of IT infrastructure and services.

In recent years, the Department of Justice (DOJ) has advanced efforts to consolidate contracts, reducing redundancy of acquisition efforts and improving enterprise capabilities. Some of these initiatives began as informal strategic sourcing efforts. The department has actively leveraged Enterprise License Agreements (ELAs) and Blanket Purchase Agreements (BPAs) to achieve cost savings. The majority of the department’s mobile device and wireless services were consolidated through several contract vehicles. By leveraging strategic sourcing and shared services for wireless and telecom needs, DOJ can lower equipment expenditures by moving to contracts with best negotiated prices.

Now, it seems that the Justice Department is taking the next step by pursuing a service broker model. Other federal agencies that have adopted a service broker model include the Defense Department and the National Nuclear Security Administration (NNSA). These broker arrangements allow agencies to identify solutions for common requirements and simplify technology buying within organizations.

According to recent reports, DOJ expects to target infrastructure and commodity IT services initially. These technologies would include wide area network (WAN), data centers, storage, email, telecommunications, security, and Trusted Internet Connection (TIC) services. The “next tier” of services that would be addressed, according to Justice’s CIO Klimavicz, covers business enterprise services, such as voice and collaboration.

The decision to formally adopt service brokerage aligns with the department’s strategic plans and technology initiatives. For a number of years, DOJ has actively leveraged Enterprise License Agreements and Blanket Purchase Agreements to achieve cost savings. In 2012, Justice established ten commodity area working groups focused on IT functions, like data centers, email, and mobility. These groups provide recommendations to the DOJ CIO Council to address commodity investment areas, to identify potential for consolidation and cost savings, as well as to manage milestone and performance metrics.

DOJ’s near term information resource planning highlights 5 goals including institutionalizing IT portfolio management, streamlining operations, enhancing IT security, delivering innovative solutions, and expanding information sharing. The shift to centralized delivery of IT capabilities, such as multi-component (enterprise) IT services, and use of enterprise platforms is expected to drive greater value than silo solutions. Ongoing assessments and continuous enhancement of existing IT assets and vendor relationships will improve the value of the IT portfolio by evaluating the risks of adopting new technologies too soon or sustaining legacy technology for too long.

Brokerage would facilitate increased use of shared services, enable enterprise capabilities, and consolidate departmental purchasing power to improve pricing through strategic sourcing. The Department of Justice’s vision for strategic sourcing has led to the establishment of a Vendor Management Office (VMO) targeting improvement of buying practices for IT infrastructure. The VMO will lead efforts to analyze procurement data, to identify best practices, and to centralize enterprise procurement vehicles.

As with other federal markets being impacted by strategic sourcing, vendors will need to be increasingly mindful of market positioning. IT spending will be increasingly directed through agencies’ strategic sourcing and preferred contract vehicles, but that shift inhibits spending as government organizations look to achieve economies of scale for commodity IT purchases. The establishment of Vendor Management Offices means contractors can expect increased oversight and greater need to partner smartly.

----------------------------------

Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.

 

Cloud Spending on VA’s T4 Contract Vehicle

Over the last month I’ve been posting a series of brief analyses of cloud spending on some of the federal government’s largest task order contract vehicles.  So far this series has focused on Government-Wide Acquisition Contracts like Alliant and on Blanket Purchase Agreements like GSA’s cloud BPAs.  This week I’ll narrow the focus to an agency-specific multiple award contract, the Department of Veterans Affairs’ Transformation Twenty-One Total Technology (T4) vehicle.  Since its inception in 2011, T4 has assumed an increasingly important role in VA’s acquisition of information technology support services.  In fact, with 23% of overall agency IT spending going through T4 annually, one could say that T4 has become the go-to procurement vehicle for VA customers.

Within this context cloud computing has assumed an increasingly central role in the VA’s IT environment, a development reflected in spending on cloud computing on T4.  Since fiscal 2010 the VA has awarded contracts for cloud computing with an overall value of $189 million.  This figure comes from data I keep for Federal Industry Analysis clients and it is not comprehensive.  A lot of work is going on behind the scenes that I haven’t been able to capture due to a lack of reporting by the VA.  Nevertheless, I believe the $189 million figure approximates a good portion of the awards made so far. 

Of this total, cloud contract awards made via VA T4 add up to $153 million, basically the lion’s share of the work.  VA customers have awarded an additional $29 million in cloud contracts via GSA’s Schedule IT 70, and just over $1 million apiece for sole source and set-aside awards, so you can see just how central T4 is to cloud procurement at VA.

How does this break down by project?  Here are the top ten programs by total award value.

  1. Cloud Computing for Mobile Device Management and Mobile Application Environment - $49M
  2. Mobile Infrastructure-as-a-Service - $34M
  3. Cloud Computing Services - $28M
  4. Migration and Cloud Hosting Services for the My HealtheVet Application - $14.5M
  5. Veterans Relationship Management CRM Expansion Hosted Cloud Services - $13M
  6. Mobile Applications Collaborative Environment and Device Manager - $9M
  7. Cloud Hosting of Mobile Applications Collaborative Environment and Device Management - $9M
  8. VA for Vets Program Cloud Computing Support - $8M
  9. Voice-as-a-Service Project Support - $7M
  10. Turnkey Cloud Computing Environment to Support the MI 7 New Model of Care HRA - $5M

As we can see from this list there are two areas in particular where the VA has been investing in cloud computing – mobile communications services/capabilities and health IT.  These are of course related as the infrastructure and capabilities for mobile communications will enable access to and use of health IT applications on mobile devices.  In this sense, the VA has been using T4 for precisely the purpose that it was developed – to speed the acquisition of core technologies central to fulfilling the agency’s mission.   It’s worth keeping an eye on T4 as it progresses through its lifecycle because if the VA continues to demonstrate successful use of T4 to accomplish its technology goals, it will serve as an example for other agencies seeking to establish MACs they can use to achieve their own specific goals.

DoD Cloud Innovation: Research on Cloudlets

The Department of Defense’s efforts to utilize commercial cloud solutions over the last few years have received a decent amount of attention in the trade press and on the conference circuit.  The reporting tends to evaluate the DoD’s use (or non-use, as the case may be) of the cloud from the perspective of a standard commercial business use-case, meaning DoD customers are expected to either identify applications to migrate, solicit the work, and migrate the app to a commercial hosting solution, or to purchase a capability as a service from a commercial provider.  It is against these standard approaches to cloud computing that the DoD’s efforts have been judged.  Cloud innovation at the DoD, however, is often more diverse and exploratory than industry is led to believe.  This and next week’s posts will examine two examples of innovative cloud use in the DoD in an effort to show that there can be business opportunities for vendors beyond the threshold of “ordinary” use-case expectations.

Mobile Cloudlets

The first area of innovation is in mobile cloudlets.  What’s a mobile cloudlet?  Good question.  Cloudlets are an approach to cloud computing in connection-challenged environments that is being pioneered by researchers at the Carnegie Mellon University’s Software Engineering Institute.  As explained by Grace Lewis, a Senior Member of the Technical Staff at the SEI, “cloudlets … are lightweight servers running one or more virtual machines [that] allow soldiers in the field to offload resource-consumptive and battery-draining computations from their handheld devices to nearby cloudlets. This architecture decreases latency by using a single-hop network and potentially lowers battery consumption by using WiFi instead of broadband wireless.”  This approach, which takes advantage of both cloud computing and mobile technology, provides mission capabilities more effectively to military personnel, and, potentially, law enforcement and first responders, in difficult environments where connectivity may be lacking.

Research on cloudlets in the DoD is currently focused in a couple of different areas.  The first of these is funding for work at the SEI, which I won’t go into here because of the limited addressability of these dollars.  The second area is research being performed at the Army Research Laboratory (ARL) related to Mobile Ad-Hoc Networks, or MANETs.  Specifically, in FY 2015, the ARL has requested $6.1 million for the Information Protection for Mobile Ad-Hoc Networks project.  The goal of this project as it relates to cloudlets is to “develop security protocols and processes for using tactical cloudlets as a shared resource among Warfighters and coalition forces.”  In addition, the ARL has also requested $1 million for the Mobile Network Modeling Institute to examine the “impact of clouds and local tactical cloudlets on network behaviors.”  The final effort worth noting is the Heterogeneous Computing and Computational Sciences project.  For this work, the ARL has requested $1.67 million to “create new models to describe offered load and computational capacity within cloudlet-based services in Army-centric mobile and ad hoc networked technologies.”

There is of course no guarantee that any of this money ever materializes into a contract.  What’s important to remember in this context is the direction of the DoD’s efforts and the potential impact this could have on future business opportunities.  As the DoD’s use of cloudlet-based approaches evolves, it can translate into benefits for those who have positioned themselves to offer solutions that can operate in a cloudlet.  This means potential opportunity down the road for software development and mobile application vendors.  The winds are blowing toward cloudlets in connectivity-challenged environments, suggesting that those who tack into this wind will find interested customers in the DoD.

 

Agencies Continue to Struggle with Gaps in Basic Mobile Security Practices

A recent report on practices and vulnerabilities finds room for improvement across the government’s mobile security practices.

In mid-January 2014, the Mobile Work Exchange published The 2014 Mobilemeter Tracker.  The report highlights findings from the Secure Mobilemeter, a self-assessment tool for evaluating mobile practices and procedures. End-user and agency data collected through the Secure Mobilemeter during September, October, and November 2013 included responses from 155 individuals and 30 agencies, including the Department of Justice, Homeland Security, Navy, General Services Administration, and Department of Agriculture. 90% of individual government respondents indicated using at least one mobile device for work (e.g. tablet, smartphone, or laptop). Nearly 70% use a government-furnished device, 15% use a personal device, and 16% use both.

 

The report found that while most government employees leverage mobile computing in some capacity, best practices are not followed consistently. Based on the scale devised for the report, 41% of government employees need to improve mobile device security practices. For example, 25% of respondents indicated a failure to secure mobile devices with passwords and 31% accessed public Wi-Fi with a work-related device. Other gaps in basic security include the 14% who fail to lock their computers when away from their desks. Similarly, 22% of employees do not always store files in a secure location.

Although the Federal Digital Government Strategy has contributed to progress in a number of areas, over 25% of government employees have not received mobile security training. Further, 57% of agencies were found to have gaps in mobile policies and security systems. Agency level vulnerabilities include practices around registering mobile devices with the IT department, utilizing a remote wipe function, tracking phones, and leveraging multi-factor authentication or data encryption.

As government agencies increasingly rely on networked systems and mobile computing capabilities, lagging policies and organizational culture pose greater and greater risks to government systems and data. Agencies and vendors must keep pace with new security requirements that emerge from operational shifts driven by advancements in mobile technologies. The push for government organizations to achieve greater operational efficiencies through technology adoption raises the stakes for vendors competing for contracting opportunities, who are tasked with helping agencies close capability gaps and comply with evolving standards.


 

Defense and Security Mobility Landscape Reflects Changes and Challenges

Federal agencies in the defense and security mission areas are grappling with how to effectively harness the capabilities of mobile and wireless technologies in a secure and cost-effective way. The remarks and panel discussions at a recent industry event reveal that agencies are at different points in their development, but all are facing challenges.

At the recent Defense and Security Mobile Technologies Symposium held by AFCEA-DC, representatives from across the Department of Defense, Department of Homeland Security, the intelligence community and other federal agencies gave their individual perspectives on their mobility plans, activities, and challenges.

A few general take-aways from the event:

  • Changing technologies – Federal agencies, especially DoD, are still struggling with the rapid change of technology and the security challenges of mobility. This is especially true for BYOD. But agencies recognize that they can’t keep spending on specialized devices at the same rates as in the past.  

  • Declining budgets – Surprise! NO ONE said their budget would be up for mobility in the coming year(s). A few agency speakers said their budgets will be flat at best. Most said things like “we need to find efficiencies in our IT and shift the savings to other (non-IT) areas.”
      
  • Shifting view of MDM – The consensus among agencies is to move in the direction of device-agnosticism so that they can accommodate and secure whatever devices connect to their networks. This has direct implications for Mobile Device Management (MDM) policies and approaches, leading some to say that MDM that focuses on the device is the wrong approach. Similarly, there’s continued stress on implementing security at the data level, rather than primarily focusing on security at the network and device level. While these themes are consistent with what we’ve been hearing over the last several years it is clear that they are still working to make them a reality. It’s going to take longer than most anticipate.
      
  • CAC’s the way – DoD mobility credentialing will be inextricably linked to CACs since they are effective and ubiquitous. The Pentagon is looking for ways to allow users to access a network via multiple concurrent devices through derived credentials via Common Access Card (CAC). There are a lot of policy and technical issues to work through inside the Department and with solutions-providers, as is noted in a recent news story on the topic. While technical issues exist, governance policy is also a major hurdle.
      
  • More choices, more challenges – The rapid growth of Android and Apple devices is driven by end-user demand for more functional capabilities, but it also continues to present management issues. iOS devices present some challenges within the DoD because Apple doesn’t change their products simply because the government wants them to. Their branding is based on careful attention to their individual customer experience and that is not something they are willing to risk lightly.

Clearly, the federal mobility landscape will be in a state of flux for the foreseeable future, presenting opportunities for creative solutions providers to offer policy and governance support as well as technical offerings.


State and Local Regional Top Opportunities for FY 2014

Deltek’s recently published State and Local Regional Top Opportunities for FY 2014 Report shines light on state and local contracting from a regional standpoint, spanning all verticals (health care, social services, justice and public safety, homeland security, transportation and general government). Using the GovWinIQ opportunities database, the free report analyzes the quantity and value of projects in each region across all vertical areas, and also takes a closer look at how the verticals are represented in each of the four regions. The top opportunities highlighted in the report were selected for their representation of major technologies within the six vertical areas and their illustration of state and local contracting as a whole. 

GovWinIQ Active Opportunities and Leads

Key takeaways from our regional analysis of state and local contracting opportunities include:

  • The South has the highest number of projects per region (662) as well as the highest total value of projects per region ($15.2 billion), mainly due to the inclusion of Texas, Virginia and Florida. Southern states, especially Florida, often utilize regional projects and initiatives and later implement them statewide.
  • The Midwest has the highest average value per project ($23.3 million), but the lowest number of total projects (423). Midwest states are innovators for cooperative contracts (WSCA) and many generic term contracts.
  • The Northeast has an intermediate number of projects (514) as well as an intermediate average value per project ($22.2 million). Northeast states are often early adopters and innovators for federally mandated initiatives.

From a vertical and regional standpoint, key takeaways include:

Justice and Public Safety (JPS) and Homeland Security (HS) Verticals

  • The Northeast has the highest concentration of JPS contracting opportunities
  • In the Midwest, most JPS initiatives occur at the local level (Ohio, Ill., Wis.)
  • FirstNet will be a huge driver for state broadband initiatives nationwide

Health Care (HC) and Social Services (SS) Verticals

  • Eighty-three percent of active HC/SS opportunities are for statewide systems
  • Consortiums are increasingly popular nationwide for social services IT systems, including WIC MIS, SNAP/TANF EBT, and UI systems
  • Most local-level HC/SS opportunities are for electronic health/medical records or vital records

General Government (GenGov) Vertical

  • The South has the most active opportunities in the GenGov vertical (35.4 percent), followed by the West (24.6 percent), Northeast (21.6 percent), and Midwest (18.3 percent)
  • Data center consolidation/modernization, disaster recovery services, server virtualization, and cloud services are expected to be popular technologies/services procured over the next few years
  • California, Illinois and Texas have the most active GenGov opportunities, while active GenGov opportunities out of Pennsylvania, Virginia and California have the highest total value

Deltek is hosting a free webinar on the State and Local Regional Top Opportunities for FY 2014 Report on November 7, 2013, at 2 p.m. EST. The webinar will delve into all three state and local verticals, providing insight into some specific projects and overall trends for fiscal year 2014. To register for the webinar, please click here!

 

 

Balancing Security and Capability Remains Challenge for Mobile Adoption

The Mobile Work Exchange held its fall 2013 town hall meeting on September 12, 2013. The conference explored strategies for deploying a more mobile workforce, offering insight from over 20 speakers from both government and industry leadership.
 
In his opening address, the Bureau of Alcohol, Tobacco, Firearms, and Explosives’ Rick Holgate noted shifts in technology adoption over the last five to ten years. Holgate, the Assistant Director for Science & Technology and Chief Information Officer, cited findings from two surveys saying, “One thing I think we would all agree on is that the federal workforce is extremely optimistic about the productivity that mobility represents and the potential productivity gains.” Indeed, the impact of mobility spans various areas like productivity, transportation, and real estate. Potential savings estimates range from $12 to $14 billion per year in efficiencies. These untapped efficiencies mainly fall into two areas: increasing workforce productivity and consolidating real estate.
 
Along with increased mobile capabilities over the past 5 to 10 years, the work environment has evolved. These advances in mobility have introduced new challenges, particularly related to security and privacy. Referencing the Mobile Security Framework, Holgate applauded “agencies that have somewhat different security perspectives and baselines and ways of thinking about security” collaborating to establish a government-wide baseline for mobile security. Traditionally, guidance documents from the National Institute of Standards and Technology (NIST) have identified security controls but left it up to individual agencies to determine how to apply them. This baseline guidance allows agencies to make progress with mobile adoption efforts, particularly around shared mobile device management solutions.
 
The theme of security challenges continued throughout the day. In his luncheon keynote, the Air Force’s Major Linus Barloon described various issues he’s encountered related to information security. Challenges persist around identifying ways to improve prevention of security incidents, spill containment, and re-establishing security. Current technology has evolved to where previous approaches, like wiping machines and reintroducing them to computing environments, are no longer considered as effective.
 
Based on his experience, Barloon suggested that getting devices in the hands of users is only a quarter of the problem around mobility. Noting the numerous contract vehicles and acquisition mechanisms, Barloon observed, “It’s very easy to get that device into your users’ hands.” Once that’s achieved, however, questions arise about governance, extending to legal, ethical, and acceptable uses for devices. With the shift to mobile environments, issues emerge around translating and applying risk management frameworks to mobile devices, determining how to apply risk principles to these devices, and also defining how these devices will factor into continuous monitoring. It’s a balancing act, as Barloon described it. On the one hand, agencies aim to limit risk. On the other, they’re looking to increase operational capability.
 
In his closing, Holgate suggested the development of the next generation for the Digital Government Strategy is likely to assess agencies in terms of maturity of mobile adoption. This next step would also look to determine how to bring lagging organizations up to speed. Another area for development, Holgate noted, is in establishing metrics for program impact, especially in areas like workforce productivity and quality of citizen services.
 
The next Mobile Work Exchange session is scheduled for April 10, 2014. More information is available through the event site.
 

NIST Guidance Tackles Mobile Authentication

The Commerce Department’s National Institute of Standards and Technology (NIST) recently updated its guidance to government agencies for electronic authentication (e-authentication) for federal IT systems and services providers.
 
NIST’s Electronic Authentication Guidance (Special Publication 800-63-2) covers remote authentication of users (e.g. employees, contractors, and private individuals) leveraging open networks to interact with government information systems. As a supplement to the Office of Management and Budget’s (OMB) guidance, E-Authentication Guidance for Federal Agencies, the NIST work builds on levels of assurance that are defined by the consequences of authentication errors and credential misuse. The OMB guidance from 2003 provides federal agencies with criteria for determining the level of assurance needed for applications and transactions. These four levels of assurance address identity proofing, registration, tokens, management processes, authentication protocols and related issues.
 
 
The guidance from OMB also provides a five-step process for agencies to fulfill their e-authentication requirements. The guidelines from NIST target the third step in this process, which involves selecting “technology based on e-authentication technical guidance.” Outlining specific technical requirements for each of the assurance levels, the NIST document addresses:

  • Registration and identity proofing;
  • Token (e.g. cryptographic key, password) for authentication;
  • Token and credential management mechanisms;
  • Protocols to support authentication mechanisms;
  • Assertion mechanisms used in communicating remote authentication.
 
The lowest level achieved in any of the technical areas listed above determines the overall authentication assurance level. Agencies may use additional risk management measures to adjust the level of assurance. In particular, privacy requirements and legal concerns may contribute to a context in which an agency may deem additional authentication measures appropriate.

Previously, NIST released updated guidance that reflected authentication token technologies and restructured the e-authentication architectural model for increased clarity. Among other changes, that revision also added technical requirements for credential service providers, protocols used in transporting authentication data, and assertions related to implementation within the e-authentication model.
 
The most recent edition provides a more limited update with most of the changes focused on processes for registration and issuance of professional credentials. Two general categories of threats for the registration process are impersonation and compromise of the infrastructure. Since infrastructure threats are addressed by normal security controls, the NIST guidance emphasizes mitigating the threat of impersonation. Two approaches are presented for deterring impersonation: either make it more difficult to accomplish or increase the likelihood of detection. The technical guidance provides several strategies for making impersonation more difficult and describes general requirements for each of the four assurance levels.
 
Despite budget limitations, agencies continue to look for ways to make information more accessible and empower an increasingly mobile workforce. System risk assessments and technical requirements associated with specific assurance levels will shape the solutions they implement for mobile strategies. While assurance requirements will vary across the government, this technical guidance provides a structure for describing agency security requirements and provides vendors with a framework for articulating how solutions will fulfill those needs.
 