The Information Sharing Environment (ISE) is populated with a broad spectrum of agencies at all levels of government representing a diverse array of concerns that includes law enforcement, first responders, healthcare, and other services. Many of these agencies need to share information with an equally broad and diverse set of other agencies, including those within their own community (e.g., federal law enforcement agencies sharing data with state and local law enforcement agencies) as well as those in other communities (e.g., first responder agencies sharing data with healthcare agencies and law enforcement agencies). Each of these information-sharing arrangements requires some type of information sharing and access agreement (ISAA) to exist between the participants. Due to the variety of information sharing rules, policies, regulations, and required verbiage that exist across the various communities there is a huge amount of variability among these ISAAs. As a result, it is impossible to develop a boilerplate, “one size fits all” template for all ISAAs in the ISE.

As we move forward with the objective to implement a robust nationwide ISE, one of the greatest challenges we face is enabling a wide variety of ISAAs among information sharing partners. Through a 2013 grant from the National Institute of Standards and Technology (NIST) under the National Strategy for Trusted Identities in Cyberspace (NSTIC) and with support from the Program Manager for the Information Sharing Environment (PM-ISE), the non-profit Georgia Tech Research Institute (GTRI) has developed and is piloting one potential solution to this challenge, in the form of a trustmark framework.

This approach is based on the theory that even though the specific wording of trust relationships may vary widely across the ISE, most of these relationships are built on a common set of low-level requirements or components – individual testable pieces related to security, privacy, identity assurance, bona fides, and other topics – that organizations require each other to meet. The approach involves identifying common trust components and defining and expressing them in standard machine-readable format to be reused within a variety of communities for a variety of use cases. Each machine-readable component is called a trustmark definition. For each ISAA requirement an agency can obtain a trustmark to demonstrate compliance with the rules stipulated by that component. Typically, an agency would obtain a trustmark through a third-party audit or assessment by another agency. By obtaining the required trustmarks, an agency can demonstrate to its information-sharing partners that it meets their requirements. An agency can also publish trust requirements in the form of a trust interoperability profile. Each profile represents a set of requirements for information sharing within a specific community or use case. Because each profile is built from a common set of trust components, it is possible to quickly and automatically compare two profiles and identify the similarities and differences between them.
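The mechanics described above (profiles built from shared, machine-readable components; an agency proving compliance by holding trustmarks; two profiles compared automatically) can be shown with a small model. The following is an added illustration, not code from GTRI, the pilot, or the TFTS specification, and it does not use the TFTS XML format. The trustmark definition identifiers (`td:...`), assessor names, dates and the assumption that a trustmark carries an issuer and an expiry date are all constructed for the example; the comparison itself is plain set arithmetic, which is what makes the profile diff cheap.

```python
from dataclasses import dataclass
from datetime import date

# Constructed trustmark definition identifiers (placeholders, not real TFTS URIs).
TD_MFA = "td:mfa"
TD_AUDIT = "td:audit-logging"
TD_BGCHECK = "td:background-check"
TD_CJIS_TRAINING = "td:cjis-security-training"
TD_PRIVACY = "td:privacy-notice"


@dataclass(frozen=True)
class Trustmark:
    """A trustmark held by an agency: evidence, from a third-party assessor,
    that the agency meets one trustmark definition (assumed fields)."""
    definition: str   # trustmark definition id this trustmark certifies
    recipient: str    # agency the trustmark was issued to
    issuer: str       # assessing organisation (trustmark provider)
    expires: date     # assumption: trustmarks carry an expiry date


@dataclass(frozen=True)
class TrustInteroperabilityProfile:
    """A community's requirements: the set of trustmark definitions a partner
    must hold before information is shared with it."""
    name: str
    required: frozenset


def compare_profiles(a, b):
    """Because both profiles reference the same component vocabulary, their
    overlap and differences are a set difference, not a legal review."""
    return {
        "shared": sorted(a.required & b.required),
        "only_in_a": sorted(a.required - b.required),
        "only_in_b": sorted(b.required - a.required),
    }


def satisfies(profile, trustmarks, today, trusted_issuers):
    """Decide whether a set of held trustmarks meets a profile.
    Expired trustmarks and trustmarks from unrecognised issuers do not count,
    so a relying party sees exactly which requirements remain unmet."""
    valid = {
        tm.definition
        for tm in trustmarks
        if tm.expires >= today and tm.issuer in trusted_issuers
    }
    missing = profile.required - valid
    return (not missing, sorted(missing))


# Constructed sample data: a law-enforcement profile and a healthcare profile.
LE_PROFILE = TrustInteroperabilityProfile(
    "law-enforcement-sharing",
    frozenset({TD_MFA, TD_AUDIT, TD_BGCHECK, TD_CJIS_TRAINING}),
)
HC_PROFILE = TrustInteroperabilityProfile(
    "healthcare-sharing",
    frozenset({TD_MFA, TD_AUDIT, TD_PRIVACY}),
)

TODAY = date(2016, 1, 15)                  # constructed evaluation date
TRUSTED_ISSUERS = {"assessor-a", "assessor-b"}  # constructed provider names

# Trustmarks held by a hypothetical agency; one is expired, one comes from an
# issuer the relying party does not recognise.
AGENCY_TRUSTMARKS = [
    Trustmark(TD_MFA, "agency-x", "assessor-a", date(2017, 1, 1)),
    Trustmark(TD_AUDIT, "agency-x", "assessor-a", date(2016, 12, 31)),
    Trustmark(TD_BGCHECK, "agency-x", "assessor-a", date(2015, 12, 31)),
    Trustmark(TD_CJIS_TRAINING, "agency-x", "assessor-unknown", date(2017, 6, 1)),
    Trustmark(TD_PRIVACY, "agency-x", "assessor-b", date(2017, 3, 1)),
]


if __name__ == "__main__":
    print(compare_profiles(LE_PROFILE, HC_PROFILE))
    for profile in (LE_PROFILE, HC_PROFILE):
        ok, missing = satisfies(profile, AGENCY_TRUSTMARKS, TODAY, TRUSTED_ISSUERS)
        print(profile.name, "satisfied" if ok else f"missing {missing}")
```

Run as-is, the profile comparison reports which components the two communities share and which are specific to each, and the compliance check names the unmet requirements rather than returning a bare yes/no, which is the information an agency needs in order to obtain the missing trustmarks.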

These concepts – collectively termed the trustmark framework – have been documented in a normative technical document called the Trustmark Framework Technical Specification (TFTS).[1]

Within this framework, the process of analyzing trust requirements from common policy-level source documents and decomposing those requirements into generic, reusable trustmark definitions has begun. Sources analyzed to date include NIST Special Publication 800-63-2, the Electronic Authentication Guideline,[2] NIST Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations,[3] and the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Provider Adoption Process (TFPAP).[4]

As part of an NSTIC-funded project, GTRI has begun to pilot the framework within the U.S. law enforcement and justice community – specifically, within the National Identity Exchange Federation (NIEF).[5] Early feedback indicates that the framework provides a viable solution to the challenge of managing complex trust relationships among agencies. In the near future, there are plans to extend the scope of this pilot to include trusted information sharing between additional communities.

The NSTIC-funded trustmark pilot is scheduled to end in April 2016. To continue to foster the growth and maturation of the trustmark framework concept beyond the pilot, a new Trustmark Initiative[6] is being launched to serve as the coordination point for all activities related to the trustmark framework across a wide variety of communities. The Trustmark Initiative is expected to begin in early 2016. This initiative includes the following activities:

Continued refinement and maturation of the Trustmark Framework Technical Specification

Continued refinement and publication of trustmark definitions and trust interoperability profiles, including harmonization of these artifacts and coordination of artifact development efforts across communities where appropriate

Development and rollout of information and tools to facilitate the growth of a trustmark assessment ecosystem, in which any number of trustmark providers can participate as third-party assessors and issuers of trustmarks

Development and rollout of information and tools to facilitate the operational use of trustmarks and the binding of trustmarks to operational system endpoints, thereby enabling agile, software-based trust decision-making by agencies within the ISE

Over a 2-5 year timetable, the vision is to operationalize the trustmark framework on a wide scale across the nationwide ISE, enabling not only a greater diversity of trust relationships, but also increasing the speed of agreement among ISE participants, through the reuse and automation of the trustmark framework.

As an immediate next step, partnering with PM-ISE, GTRI is undertaking a new round of policy analysis to develop additional trustmark definitions. For this new round of analysis, the team will continue to decompose NIST Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, as well as the X.509 Certificate Policy for the Federal Bridge Certification Authority[7] and the FBI Criminal Justice Information Services (CJIS) Security Policy.[8]

Michael Kennedy, PM-ISE’s Deputy Program Manager for Technology, stated that, “The trustmark framework represents a breakthrough in the scalable management of trust relationships for the entire ISE community, and serves as a critical building block upon which the ISE can demonstrate scalability and mature. This has the potential to be the trust foundation upon which true responsible information sharing can be achieved.”

John Wandelt, a GTRI Research Fellow and the Principal Investigator for the GTRI trustmark pilot project, added, “Through our work on the trustmark concept, we hope to create a robust trust ecosystem in which trust relationships are both more rigorous and more agile than they are today. If we succeed, the net result will be greater flow of trusted information and greater effectiveness for all agencies that participate in the ISE.”

For more information about this specific trustmark concept or the pilot project, please visit the Trustmark Pilot website at https://trustmark.gtri.gatech.edu.

[1] See https://trustmark.gtri.gatech.edu/specifications/trustmark-framework/1.0/tfts-1.0.pdf.

[2] See http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.

[3] See http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[4] See http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_TFPA....

[5] See https://nief.gfipm.net/

[6] The initiative will be available at https://trustmarkinitiative.org once it is launched.

[7] See http://www.idmanagement.gov/sites/default/files/documents/fbca_cp_rfc3647.pdf.

[8] See https://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center.

News Source: Program Manager, Information Sharing Environment, Blog Post, 8 December 2015