The best security in the world means nothing if you don’t know and manage who is allowed access. But in the evolving digital world, physical credentials like federal employees’ personal identity verification or common access cards just aren’t enough.
This reality spurred the Office of Management and Budget to release a long-awaited update to the identity, credential and access management, or ICAM, policy. A new memo, “Enabling Mission Delivery Through Improved Identity, Credential and Access Management,” issued Wednesday outlines a future in which agencies lean on each other to authorize users—and other entities, like bots—and move toward managing identity as a continuous, digital signature rather than a point-in-time authorization.
“To ensure secure and efficient operations, agencies of the federal government must be able to identify, credential, monitor and manage subjects that access federal resources, including information, information systems, facilities and secured areas across their respective enterprises,” according to a memo from acting OMB Director Russell Vought.
The central shift in policy is in direct response to something happening across federal networks: the dissolving perimeter. As more apps, systems and workloads move to the cloud—and more employees, contractors and citizens connect remotely and from several devices—having a single point of access and authentication has become outdated.
“While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems,” the policy states.
This new reality is seen in updates to other federal policies, as well, such as the pending Trusted Internet Connection 3.0.
The personal identity verification, or PIV, remains the primary identity management tool for federal government, though OMB wants agencies to evolve with the times.
New forms of authentication include using derived credentials that live on a user’s device, rather than carrying a physical PIV card. The policy also calls on NIST, the Federal CIO Council and Federal Privacy Council to work with agencies on pilot programs to test other forms of identity authentication and control.
The credentials should also be used as a digital signature and encryption key when transferring data between agencies or with contractors and partners, according to the policy.
“In line with the federal government’s updated approach to modernization, it is essential that agencies’ ICAM strategies and solutions shift from the obsolete levels of assurance model towards a new model informed by risk management perspectives, the federal resource accessed and outcomes aligned to agency missions,” the memo reads.
As a general reference, OMB points agencies toward the National Institute of Standards and Technology’s Special Publication 800-63 series on Digital Identity Risk Management, which is currently on its third iteration. The policy urges agencies to keep up to date on the latest revisions to the 800-63 series, as well as other relevant NIST publications and guidance from the Office of Personnel Management and Homeland Security Department.
The policy also opens the aperture for what requires an identity, including people, devices or automated bots running on a system.
“For the purposes of this policy, ‘identity’ refers to the unique representation of a subject … that is engaged in a transaction involving at least one federal subject or a federal resource,” the document states.
The new ICAM framework calls for more interoperability between agencies, whether for physical or logical access. Of course, individual agencies and offices will have to take into account their own security needs. However, establishing a cross-agency baseline for PIV credentials can speed up access to facilities, networks, databases, etc., where appropriate.
The document notes that sharing valid credentials “is equally applicable for logical and physical access.”
The shared services shift is furthered under a section on “Architecture” for ICAM frameworks, which requires agencies to “ensure that deployed ICAM capabilities are interchangeable, use commercially available products and leverage open application programming interfaces—APIs—and commercial standards to enable componentized development and promote interoperability across all levels of government.”
To meet these new requirements, the policy requires departments to establish an “agencywide ICAM office, team or other governance structure” to manage credentialing and access policies. Those teams should include the chief information officer, chief financial officer, human resources, general counsel, chief information security officer, senior agency official for privacy, chief acquisition officer, senior official responsible for physical security and any other offices or programs focused on ICAM issues, per the policy.
The policy also has specific directives and deadlines for several relevant agencies, including OMB, OPM, Homeland Security, the General Services Administration and the Commerce Department—NIST’s parent agency.