Federal agencies across the board are looking to improve cybersecurity by finding ways to validate users accessing citizen services online. But there are also significant savings to be found for the cost-minded agencies (read: all agencies).
Understanding the potential cost benefits of trusted identities was a primary focus for the National Institute for Standards and Technology and the General Services Administration as they worked to develop Connect.gov — a portal for establishing a central credentialed sign-on for agency services using third-party verifiers.
Nadeau said many agencies balk when they see the upfront costs associated with implementing identity authentication measures. But an analysis of the return on investment shows it can be well worth their while.
"We're making it a focus this year to do more research and identify what really are the economic benefits for an agency to adopt these solutions," Nadeau said, pointing to a study on adopting a proprietary authentication system at the IRS.
According to that study, the IRS could save between $260 million and $305 million a year.
By using the solutions provided through Connect.gov, agencies don't have to dedicate resources to verifying each individual identity or staffing support centers.
"This is the kind of thing we really have to promote," she said.
Additionally, having a stronger authentication system could have helped prevent security breaches like the one that occurred earlier this year, when hackers used publicly available information to get past knowledge-based questions securing IRS's Get Transcript application.
While there is no perfect solution, Michael Garcia, acting director for NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC), said the use of third-party authentication through Connect.gov would provide a high enough level of assurance to secure data of that sensitivity.
"When we are entrusted as government with personal data of individuals, we have an obligation to protect it and to take the appropriate steps to do so," he said. "Connect.gov is an approach we believe squarely puts those that are experts — their core competency is to provide proofing and authentication services — in charge of doing so… The solutions that are certified will meet that risk threshold."