The GTRI NSTIC Trustmark Pilot began in 2013 under a grant from the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office (NPO) at the National Institute of Standards and Technology (NIST), as part of the 2013 NSTIC Pilots Cooperative Agreement Program. NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of online transactions across many sectors and communities. The vision of NSTIC is to create an “Identity Ecosystem”: an online environment where individuals and organizations are able to trust each other because they follow agreed-upon standards to obtain and authenticate their digital identities and the digital identities of devices.
Under its NSTIC pilot, GTRI is working to develop and demonstrate a “trustmark framework” that facilitates cost-effective scaling of interoperable trust across multiple Communities of Interest (COIs) within the Identity Ecosystem and enhances privacy through transparency and third-party validation. A “trustmark” is a rigorously defined, machine-readable statement of compliance with a specific set of technical or business rules. Trustmarks have the potential to enable wide-scale trust and interoperability within the Identity Ecosystem by helping to foster transparency and widespread operational convergence on the specific requirements for each dimension of interoperability, including communication protocols and profiles, cryptographic algorithms, business-level user attributes for access control and audit purposes, and various levels of policy such as privacy policies and practices. Trustmarks can also reduce the complexity of the Identity Ecosystem’s trust landscape, and turn what would otherwise be a sparse, ad hoc collection of poorly interconnected “federated identity silos” into a more cohesive trust environment.
In addition, trustmarks can enhance privacy within the Identity Ecosystem by helping COIs define clear, concise and rigorous privacy rules that participating agencies must follow. In conducting the pilot, GTRI is leveraging its experience with multiple identity initiatives and programs, including Federal Identity, Credentialing, and Access Management (FICAM), State Identity, Credentialing, and Access Management (SICAM), and Global Federated Identity and Privilege Management (GFIPM), plus GTRI’s operational experience with the National Identity Exchange Federation (NIEF). GTRI is teaming with the National Association of State Chief Information Officers (NASCIO) to implement the pilot.
Understanding trust necessitates an investigation of human cognition on the part of both the trustee and the truster. Our work in trust and credibility assessment involves a multi-disciplinary, computational social science approach. We utilize both laboratory-collected and online datasets to derive and represent the factors that affect decisions involving trust. Using statistical models, we can then characterize and predict behavior based on observed variables.
In the coming decades we will live in a world surrounded by tens of billions of devices that will interoperate and collaborate in an effort to deliver personalized and autonomic services. Our reliance on these machine-to-machine (M2M) systems to make decisions on our behalf has profound implications, and makes mechanisms for expressing and reasoning about trust essential. We are developing a live/virtual/constructive platform for the design and validation of trust technologies for fully connected, ubiquitous systems. Why is this work important? Both government and commercial users and providers are trending toward significantly greater reliance on fully automated, complex M2M interactions. Our current work in unmanned systems, cyber and complex spectrum operations requires improved “trust” to achieve its full potential across acquisition/business and operational communities. To fully realize the desired end state, we must understand the limits of what M2M missions are acceptable; how to visualize and understand trust; and acceptable mission design, execution and degradation parameters. It is also important to explore and validate the role and scope of M2M decision-making or human-in/on-the-loop. Ultimately, generating trust in different dimensions will allow decision makers to confidently invest in and employ M2M, and understand M2M self-optimization.