Comments on role of governance standards for NSTIC
As previously announced, I will be working together with colleagues in OASIS and a range of other standards organizations to propose some initial ideas to get work moving for the US "NSTIC" program.
I prepared some slides for the Internet Identity Workshop that are intended to complement the contributions from other colleagues in discussions on NSTIC during the three-day event. While others were looking at the "standards landscape" in terms of existing or under-development work on identity and privacy standards, I limited myself to some general comments about the governance of the program itself - also using existing standards, from a range of organizations.
In my submission to NIST, I already highlighted some of the key challenges in establishing a governance structure for the program, and in particular for the proposed "Steering Committee" that would oversee the program, including:
- Leadership is needed to bootstrap the steering group: If left entirely to itself to establish a steering group, the “stakeholder community” – however defined – is likely to be caught up in potentially interminable discussions about size of group, representation, functioning and procedures, rather than getting down to work.
- Rather than attempting to represent every stakeholder, identify the range of stakeholder types which need to be taken into account and represented in the steering group: The function of the steering group members, individually and collectively, is to ensure that as many as possible stakeholder interest types, personal qualities and experiences are represented around the table. It should be neither the objective nor the function of any individual steering group member to seek to “represent” a specific stakeholder or group. The steering group should rather collectively seek to represent all stakeholder interests.
As in so many areas of work, there are existing standards for this sort of problem - how to identify and disambiguate the roles of stakeholders in such a program; how to establish a governance structure; how to identify the core drivers and tensions within the program - there are standards for all such issues and I highlight this in my slides. It is my view that NSTIC should concentrate its resources on what it is intended to deliver, not on bureaucratic overheads or expensive studies on governance models. Standards are there to be used, and OASIS, and others, are there to help see them used as intended and brought to bear for the benefit of the program.
In my next paper, I will present a first stakeholder analysis using the standards and methodologies associated with them - in order to show that even the most complex ecosystem can be carefully and constructively modelled. This is no academic exercise - it helps in the long-term governance of the program.