There have been many discussions about digital identities and online credentials in 2011. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is picking up steam and organizations are seeking to further secure IT networks as threats from hacking increase.

But questions and uncertainty abound. What are digital identities and how do they work? Will one credential work with another? How will they impact privacy and help address regulatory compliance?

In light of these and other pressing questions, Re:ID editors asked some of the leaders in the space to share their thoughts and vision for online ID.

Participating in the roundtable are: Jeremy Grant, senior executive adviser and manager of the National Program Office for NSTIC; Mollie Shields-Uehling, president and CEO at SAFE-BioPharma; Judith Spencer, former co-chair of the Federal Identity, Credential, and Access Management Subcommittee at the U.S. General Services Administration and now CertiPath’s policy management authority chair; and Scott Rea, board member and director of operating authority at the Research and Education Bridge Certification Authority (REBCA).

How do interoperable digital identities address regulatory compliance?

Jeremy Grant, NSTIC

I would begin by reiterating that membership in the identity ecosystem will be voluntary. No organization or individual will be asked to accept or carry any specific form of credential. The voluntary nature of the identity ecosystem will significantly simplify compliance.

Private sector partners and stakeholders, working together, will be able to establish trust frameworks and a policy foundation with which all participants will comply. The maintenance of a trusted status and the desire to continue to benefit from the advantages of identity ecosystem participation will drive entities to maintain compliance.

Significant steps have already been made to address important issues of regulatory compliance. The establishment of the Federal Public Key Infrastructure Trust Framework has begun connecting the public and private sector through the use of interoperable credentials, established standards and effective accreditation systems.

While government agencies are mandated to comply with policy, corporate entities who wish to participate must maintain the standards and policies outlined in the trust framework in order to continue participation. This is just one initiative in the greater Federal ICAM effort.

Judith Spencer, CertiPath

Interoperable digital identities are tools that can be used by implementers in meeting specific regulatory requirements. In and of themselves, interoperable digital identities don’t address regulatory compliance, which differs from industry to industry. Rather the operating rules of the associated trust framework meet certain levels of assurance and observe specific privacy principles that enable industry sectors to be selective in order to address regulatory compliance.

Mollie Shields-Uehling, SAFE-BioPharma

Biopharmaceuticals and health care are highly regulated sectors. The SAFE-BioPharma standard requires that the credential is tightly bound to the user’s vetted identity and provides strong authentication with every use.

The standard, which was developed with participation from the U.S. Food and Drug Administration and the European Medicines Agency, has widespread regulatory acceptance and is 21 CFR Part 11 compliant.

We have certified that our privacy policy is compliant with the U.S. Department of Commerce and European Union Safe Harbor requirements for protection of personal data. And SAFE-BioPharma digital signatures are consistent with FDA and EMA requirements for digital signatures. Use of SAFE-BioPharma signatures to digitally sign submissions made to the FDA’s Electronic Submissions Gateway has been ongoing since September 2006.

Scott Rea, REBCA

When it comes to regulatory compliance interoperable digital identities perform a vital role in the consistent securing of data through its life cycle. Where there are regulations for the use of identity and authentication standards or for the protection of information and other data, especially when that data is shared across organizational boundaries.

The Family Educational Rights and Privacy Act (FERPA) for example, is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

The use of interoperable digital identities can facilitate the secure sharing of student data between institutions and with the student themselves or those they grant a release of data. Interoperable digital identities ensure that FERPA requirements are being met through the application of consistent data security controls.