FedRAMP authorizes identity verification service
Connecting state and local government leaders
ID.me, an identity verification platform provider, has achieved a Federal Risk and Authorization Management Program moderate authorization to operate for its Identity Gateway, a shared service for citizen- and employee-facing authentication.
ID.me, an identity verification platform provider, has achieved a Federal Risk and Authorization Management Program moderate authorization to operate for its Identity Gateway, a shared service for citizen- and employee-facing authentication.
The service achieved a FedRAMP-ready status in October 2017 with sponsorship from the Department of Veterans Affairs and is now available on the FedRAMP Marketplace. Identity Gateway is based on the National Institute of Standards and Technology’s 600-63 digital identity guidelines.
“It’s just another piece of evidence to demonstrate how much we’re taking security seriously,” Pete Eskew, general manager of public-sector business at ID.me, said of the FedRAMP authorization. “We’re investing in our tool, we’re investing in our processes, we’re investing in our partners to make sure that we can comply with all the federal and state requirements that our customers ask of us.”
Although the company doesn’t work directly with government data, it wants to make sure that it adheres to government security requirements to reduce concerns about its software-as-a-service product. The FedRAMP authorization doesn’t change ID.me’s capabilities in the short term, Eskew said, but it could enable the company to more securely build on to its core identity verification service -- for instance, by bolting on payment abilities.
“Identity verification is really the first part of unlocking so many different applications for the citizen to work with their government in a trusted and secure manner,” he said.
Eskew said the company is monitoring the progress of StateRAMP, a nonprofit organization that will offer cloud security verification services to state and local governments. StateRAMP already offers reciprocity to FedRAMP-authorized companies, meaning those with FedRAMP certification automatically have StateRAMP certification.
The IRS recently tapped ID.me for identity verification for recipients of the 2021 Advance Child Tax Credit (CTC) Payments. The work is similar to what the company has been doing for states such as California since October with regard to unemployment insurance.
“We simply identity-proof the individual and then pass that identity over to the federal government in the IRS’s case or to the state government for unemployment insurance,” Eskew said. “Then they can have this trusted environment to contract with each other.”
As of June 21, Americans who want to check their eligibility for or unenroll from the CTC program will be verified by ID.me. New users must upload government documents, take a video selfie and fill out a form with personal information. After that, they will be able to access the IRS CTC Update Portal, where they can manage payments and update bank account information.
With an ID.me verification, users can log in to any government or private-sector website that offers ID.me’s green button.
The COVID-19 pandemic helped accelerate adoption of ID.me’s services, Eskew said, especially the need to ensure that recipients of financial assistance are who they say they are.
“It’s the largest cybersecurity threat our nation has ever experienced,” he said of the attacks that siphon off benefits intended for legitimate recipients. “It’s north of $400 billion that this country has spent” on fraudulent claims.
With government offices closed for much of 2020, people in need of services had to go online. As a result, ID.me now has more than 47 million users -- adding about 1 million every 10 days -- in the public and private sectors, and it works with 27 states. Florida was the first to sign on in July 2020.
“Current and future partners can be assured that ID.me has met the federal government’s security standards for access control, system monitoring, encryption and network security,” Eskew said in a press statement.