Government Technology

Managing Identities Online: Assuring Good Identities


Jan 3, 2008, By Vijay Takanti

Public-sector CIOs can no longer rely only on traditional methods of creating user identities. Today's interactions between federal, state and local agencies and their contractor and supplier partners are becoming increasingly complex and time-critical. Important information assets are at stake, as well as the success of external collaboration efforts.

In the past, the typical approach to giving users - from employees to contractors - access to necessary resources has been to create a separate account for each user on each individual application. This approach becomes costly and time-consuming as applications proliferate internally, and is no longer supportable when engaging with stakeholders outside of an organization's four walls.

Within an enterprise identity management framework, many agencies have attempted to consolidate their internal accounts - typically using Microsoft's Active Directory, or a similar system - to simplify user access. This strategy has eased the administrative burden for internal staff but has failed to address the key issue for the most rapidly growing use case: providing access to external users.

Access for partners, citizens, contractors and other agencies remains cumbersome and risky. In response to growing demand for third-party collaboration and information access, agencies are creating accounts to grant external user access - even though these users are likely to have digital identities set up by their own employers - and the proliferation of accounts for external users is leaving agencies exposed to potential security breaches.

What happens if the business partner no longer employs these users? What if they've changed roles and shouldn't have access to a particular system? From an IT perspective, there are too many users from too many constituencies whose movements and permissions must be monitored and maintained. To secure business collaboration in a federated community of agencies, suppliers and partners, it's critical that enterprises trust the identity claims of other entities. For this reason, many CIOs increasingly rely on federated identity credentials for identity assurance.

A federated credential is a unique identifier approach that allows users to be authenticated no matter where they travel -- physically or virtually -- throughout the federated community. In a federated model, updates about user status, role and authorizations come from the constituents: organizations - typically employers - "vouch" for the authenticity of the individual's identity, because the constituent's employer is best positioned to maintain that employee's critical data in the user account.

This data becomes the gold standard used by organizations participating in the federated system. The approach minimizes the complexity of activities each party's IT department must perform, while at the same time delivering credentials that promote cross-enterprise interaction without compromising security or sacrificing visibility into key business processes.

 

Federated Building Blocks
The highly sensitive nature of the information that governments and their contractors safeguard means agencies must have assurances that the information is made available only to authorized personnel. This raises the bar on the strength and robustness of identity and access management mechanisms being deployed - setting the stage for federated identity management.

In response to these and other concerns, the federal government has established a number of relevant regulations and standards over the past decade to promote efficient, secure cross-enterprise communication and information sharing:

  • Homeland Security Presidential Directive 12 (HSPD-12) mandates that federal agencies integrate physical and logical access to improve the ability to authenticate individuals. The objective is to enhance security against potential terrorist threats while reducing identity fraud. For example, employees can be issued badges with their name, photograph, biometric and digital credential. The badge can be examined by a security guard for initial authentication, swiped to allow entry to authorized locations in facilities and plugged into a computer USB port to provide logical access to authorized applications.

