How an agency partnership and federal Medicaid funds created a shared authentication service in Virginia.
A technology project that started with a focus on Medicaid will soon produce Virginia’s first enterprise shared service for e-government applications. Called the Commonwealth Authentication Service (CAS), the new system will offer a way for any Virginia agency to manage the identities of people who do business with state government online.
CAS got its start about two and a half years ago, as Virginia’s Department of Motor Vehicles (DMV) started making plans to buy a set of Oracle Corp. identity management tools.
“That’s quite a powerful suite to have for just one agency,” said David Burhop, the DMV’s deputy commissioner and CIO. As fortune would have it, though, another state department also needed those capabilities.
Virginia’s Department of Health and Human Resources (HHR) was gearing up to comply with the new federal health insurance law, which meant implementing new technology to manage its Medicaid programs and determine eligibility. That system required an identity management component — a system to ensure that when John Doe applied online for benefits, the government could trust that he actually was John Doe.
And officials at HHR didn’t just want their new eligibility system to work for Medicaid; they wanted to use it for a broad spectrum of programs dealing with health care, hunger, disabilities, child care and other issues.
Sharing the same back-end technology would let HHR’s agencies also share information, said William Hazel, Virginia’s secretary of health and human resources. “If someone’s applying for benefits in multiple programs, you don’t have to put the same data in multiple times.” Additionally, if they spent less time entering data, employees could operate more efficiently, he said. “That allows us to use our workforce to be more problem-solving for individuals and families and help hook them up with solutions for their particular needs.”
As the department began planning for its new identity management system, the DMV — the state’s identity management expert — became a natural partner.
HHR bought the enterprise service bus, rules engine and data management tools that the DMV had been planning to purchase, Hazel said. “We essentially gave them to our DMV and said, ‘OK, you develop it.’” So a team led by staff at the DMV got to work on CAS.
Money to purchase the tools and create CAS came largely from a pool of federal funds designed to help states develop the Medicaid Information Technology Architecture. In 2011, the U.S. Office of Management and Budget decided that when states used this funding to develop systems for their Medicaid programs, other state organizations could use those systems as well, as long as they paid a share of the operating costs. That opened the door for Virginia to stretch the benefits of CAS — and the costs of its ongoing operation — across multiple state organizations.
“It doesn’t make sense to the commonwealth to say only health agencies can use it,” said Aaron Mathes, Virginia’s deputy secretary of technology. “We want other agencies to be able to authenticate against the database and use the algorithms that we develop.”
Hazel agreed: “The goal is to create a tool for the commonwealth without having to have a separate tool in every agency.”
Although Virginia developed its Commonwealth Authentication Service (CAS) mainly to support citizen applications, state agencies can also use it to manage the identities of employees from other jurisdictions who do business with the state.
An example is the Office of Comprehensive Services (OCS), a branch of Virginia’s Department of Social Services that supervises local governments in implementing services to at-risk youth. These services receive combined state and local funding.
Local governments use several online applications to report expenditures to the state for reimbursement. OCS needs assurance that the individual who logs on to submit such a report is authorized to do so, said OCS Executive Director Susan Cumbia Clare.
The current authentication system isn’t very sophisticated, Clare said. “We’ve had issues with folks sharing logins or passwords. We [can’t] ensure that [those] who are logging in are actually the individuals who are authorized.” Better controls on who can submit and certify financial information will reduce the opportunity for fraud, she said.
The authentication service could also help OCS ensure that client information is only accessed by authorized individuals, Clare added.
Within CAS, authenticating local government employees will be the same as authenticating private citizens, said David Burhop, CIO of the Virginia DMV, which is leading CAS’ development. “CAS isn’t written specifically for any one application or function. It’s an authentication engine that integrates with any agency application that can consume Web services and securely pass the required data back and forth.”
While CAS will determine whether a local government employee who presents herself online actually is who she says she is, it won’t determine whether that employee can view or use particular data, Burhop said. “Access will still be the responsibility of the organization using CAS.”
In developing CAS, the DMV is using three levels of identity authentication assurance. Which level the system applies depends on the transaction a citizen needs to conduct.
A person who goes online simply to set up an account (Level 1) just has to provide information about him- or herself, including a name. “It could be Mickey Mouse; it could be anybody,” Burhop said. “They don’t do any verification there.”
But when a transaction requires two-way communication, CAS will verify the individual’s identity. It will obtain this Level 2 assurance by testing the person’s knowledge about information held by the DMV — asking him, for example, dynamic questions such as the make and model of his first car registered in Virginia. “We use that now for DMV, and it works quite well,” Burhop said.
Level 3 comes into play when a person transacts business on behalf of someone else — in a guardianship relationship, for example. At that level, CAS will use some form of two-factor authentication, such as a one-time password or a public key infrastructure (PKI) certificate.
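As an added illustration, not CAS code, here is how the three assurance levels described above can be modeled as a step-up policy: a session starts self-asserted (Level 1), is raised to Level 2 by knowledge-based answers checked against a DMV record, and to Level 3 by a second factor. The transaction names, the DMV record fields and the lock-out threshold are assumptions constructed for the example; as the article notes, what an authenticated user may then see or do remains the consuming agency’s decision.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    SELF_ASSERTED = 1  # Level 1: account setup only, nothing verified
    KNOWLEDGE = 2      # Level 2: knowledge-based questions against DMV data
    TWO_FACTOR = 3     # Level 3: second factor (one-time password, PKI certificate)

# Assumed mapping of transaction kinds to the minimum assurance level (not CAS's table)
REQUIRED_LEVEL = {
    "create_account": Level.SELF_ASSERTED,
    "apply_for_benefits": Level.KNOWLEDGE,   # two-way transaction
    "act_for_ward": Level.TWO_FACTOR,        # acting on behalf of someone else
}

# Constructed stand-in for the DMV record used to generate knowledge questions
DMV_RECORDS = {"VA-0001": {"first_vehicle": "honda civic", "dl_expiry_year": "2016"}}
MAX_KBA_FAILURES = 3  # assumed lock-out threshold to limit guessing of answers

@dataclass
class Session:
    user_id: str
    level: Level = Level.SELF_ASSERTED
    kba_failures: int = 0

def decide(session: Session, transaction: str) -> str:
    """Return 'allow', 'step_up' or 'deny'. Authentication only: whether the
    authenticated user may see particular data is the consuming agency's call."""
    required = REQUIRED_LEVEL.get(transaction)
    if required is None:
        return "deny"  # unknown transaction kinds fail closed instead of defaulting to Level 1
    return "allow" if session.level >= required else "step_up"

def verify_knowledge(session: Session, answers: dict) -> bool:
    """Level 2: every answer must match the DMV record; repeated failures lock the session."""
    record = DMV_RECORDS.get(session.user_id)
    if record is None or session.kba_failures >= MAX_KBA_FAILURES:
        return False  # not in DMV data (in-person path) or locked out
    if all(answers.get(q, "").strip().lower() == v for q, v in record.items()):
        session.level = max(session.level, Level.KNOWLEDGE)
        return True
    session.kba_failures += 1
    return False

def verify_second_factor(session: Session, factor_ok: bool) -> bool:
    """Level 3 builds on Level 2; factor_ok stands in for the OTP or certificate check."""
    if session.level < Level.KNOWLEDGE or not factor_ok:
        return False
    session.level = Level.TWO_FACTOR
    return True
```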
Of course, not everyone holds a driver’s license: Probably 25 to 30 percent of Virginia residents aren’t in the DMV’s database, Burhop said. Non-drivers can obtain a state ID card from the DMV for $10. Residents who can’t or don’t want to buy that card can still apply for benefits or conduct other business with the state, Burhop said. But they’ll have to do it in person.
CAS is scheduled to start operating in October, when large numbers of Virginia residents become newly eligible to apply for Medicaid benefits under provisions of the Affordable Care Act. At that point, the Virginia Information Technologies Agency (VITA) will take over responsibility for CAS, providing it as a shared service.
In the long run, any Virginia state agency will be able to use CAS, in exchange for a fee. “VITA will develop a cost recovery model of some sort that will help defray the ongoing maintenance and operation cost of that service,” Nixon said. State officials are still working out how the service will be governed and how it will evolve.
Although other agencies have been asking about CAS, VITA isn’t soliciting new participants yet, Nixon said. “We’ve been holding them off somewhat, because we don’t want to distract from the initial and intended use by HHR, particularly since they’re paying for it.” Mechanisms to support other users on CAS will probably be in place by the first quarter of 2014, he said.
One potential mechanism is awaiting approval, though.* It’s an enhanced memorandum of understanding (E-MOU) that allows different agencies within Virginia to share data as needed for the operation of CAS. HHR developed the E-MOU, based on the federal Data Use and Reciprocal Support Agreement, first to allow data sharing among HHR, the DMV and VITA. The state’s attorney general has yet to approve the E-MOU, but once approved, any other agency can use CAS, Burhop said. “All they have to do is agree to it and sign it.”
Although VITA will operate CAS, the DMV will continue to maintain the data used to verify identities. Among other things, that puts new pressure on the department to keep its data current. “We will have to have real-time updates for anyone who comes in and gets an ID card or a driver’s license, especially those people specifically coming in so they can set up an account with the Commonwealth Authentication Service system,” Burhop said.
The advent of CAS could also earn the DMV a reputation as an agency concerned with more than drivers’ licenses and vehicle registrations. “It’s obvious that our mission is shifting to include not only public safety, but also identity management,” Burhop said.
As Virginia prepares to enjoy the benefits that CAS will provide, Nixon points out that these benefits are available in part because of the state’s centralized IT structure, including a single network to support all the executive agencies. “If we didn’t have that, and HHR was paying for that service by themselves and standing it up, it would be your typical siloed agency application that’s very difficult to share with anyone else.”
But with VITA operating the system on Virginia’s enterprise network, CAS can work as a cloudlike service available to all state agencies. “They will be able to avail themselves of that capability without having to make any kind of capital investment,” Nixon said. And HHR — the system’s original user — can enjoy its benefits without bearing the full cost for maintenance and operations, he said. “That will be shared with others. So everybody wins under that arrangement.”
*Editor’s note: the story was corrected to indicate that the E-MOU is still awaiting approval from the attorney general. The quote was corrected to attribute it to David Burhop.