SOURCES SOUGHT
D -- Algorithmic Method for Determining Level of Assurance of Identity in Electronic Business Transactions
- Notice Date
- 1/21/2005
- Notice Type
- Sources Sought
- NAICS
- 541990
— All Other Professional, Scientific, and Technical Services
- Contracting Office
- Department of Health and Human Services, National Institutes of Health, National Library of Medicine, 8600 Rockville Pike, Bethesda, MD, 20894
- ZIP Code
- 20894
- Solicitation Number
- ---
- Response Due
- 3/31/2005
- Description
- The NIH Center for Information Technology, supporting the E-Authentication Partnership, is seeking to identify individuals and/or organizations capable of extending an initial algorithmic model for determining levels of assurance of identity (LOA) for electronic identity credentials used in e-commerce and e-government. An early model for developing such a method has been proposed by the E-Authentication Partnership, and there is an implicit assumption that this model may be extended into a reliable method for determining electronic identity credentials LOA. Background The U.S. Office of Management and Budget, following the lead of the Federal Public Key Infrastructure PKI Policy Authority, has established four (4) LOA: minimal assurance of identity; moderate assurance of identity, substantial assurance of identity and high assurance of identity. These levels are arbitrary in that no objective metrics are associated with them. They do, however, summarize the spectrum of assurance. The technical guidance designed to help government agencies determine which LOA a particular credential is issued at addresses the two general categories of identity proofing and credential management largely in terms of how well any particular implementation mitigates risk. The four LOA called out by the Federal government are not unreasonable, and certainly cover the vast majority of circumstances likely to be met in real world implementations of e-commerce and e-government. There is an alternative to positioning an arbitrary number of LOA, whether two, four, five or seventeen. That is to develop an algorithm that (more or less) accurately models the factors involved in identity proofing and credential management. The output of the algorithm is a number that represents Assurance of Identity for each instance of credential issuance for all degrees of identity proofing and credential management. The spectrum in identity proofing would run from no assertion of identity all the way to absolutely validated assertion of identity. All credentials, from self-selected UserID/password pairs through biometrically-protected, hardware tokenized digital certificates, fall along a spectrum of reliability. Both identity proofing and credential management are familiar activities, for which the requirements are well-understood. In general, auditing standards address requirements for both. It should therefore be possible to build an algorithm to generate ?objective? scores for all instances of identity proofing and all instances of credential management and to use those range of scores to develop a mathematical model that describes an ?objective? set of LOA with numeric ranges. Such an algorithmic approach requires more analytical work, done by professionals with specialist skills and knowledge, in order to deliver a useful, viable model. The current E-Authentication Partnership workgroup studying the problem has neither the resources nor the time necessary to build such a model. A full description of the ?algorithmic model? for determining LOA is available at the following URL: http://pki.od.nih.gov/NIH4pilot/AL_PolicyDoc_v1_0.doc. This Source Sought/Request for Information (RFI) requests information about similar statistical models, or comments on the feasibility of the algorithmic model. Assuming viability, we are interested in how to extend the model and further develop it so that it may be used as a standard reference methodology for determining LOA for all categories of electronic identity credentials and information about entities capable of performing these tasks. This Sources Sought/RFI is for information and planning purposes only and shall not be constructed as a solicitation or as an obligation on the part of the Government. The Government may or may not solicit a requirement on the basis of responses, nor can it pay for the preparation of any information submitted or for the Government?s use of such information. No reimbursement will be made for any costs associated with providing information in response to this announcement and any follow-up information requests. Should a solicitation materialize as a result of this Sources Sought/RFI, no basis for claims against the Government shall arise as a result of a response to this request for information or Government?s use of such information as either part of our evaluation process or in developing specifications for any subsequent requirement. Respondents will be notified of the results of the response to this Sources Sought/RFI. Any proprietary information should be so marked and it will be kept confidential. Responses should be identified with NIH-CIT-SOURCES SOUGHT/RFI-05-001, and are welcome until March 31, 2005. Please submit your response electronically to both Dr. Peter Alterman, Assistant CIO for E-Authentication, Center for Information Technology, National Institutes of Health, Department of Health and Human Services, at peter.alterman@nih.gov and Valerie M. Whipple, Contracting Officer, Office of Acquisitions Management, National Library of Medicine, at valerie.whipple@nih.gov.
- Place of Performance
- Address: 10401 Fernwood Road, Bethesda, MD
- Zip Code: 20892
- Country: U.S.
- Zip Code: 20892
- Record
- SN00738115-W 20050123/050121211835 (fbodaily.com)
- Source
-
FedBizOpps.gov Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |