Ken Myers, the chief Federal ICAM Architect at the General Services Administration (GSA), explained today that the Federal Identity, Credential, and Access Management (FICAM) Architecture has similar goals to the Federal zero trust architecture (ZTA) strategy, with both of them emphasizing identity.
During an ATARC webinar today, Myers explained what he called the “FICAM focus,” which aligns with the three strategic goals of the Federal ZTA strategy: identity, multi-factor authentication, and user authorization.
“How does FICAM change with zero trust? It really doesn’t,” Myers said. “The three strategic goals are actually within the FICAM architecture. But actually, when we talk about how FICAM changes, it’s more on where are we putting our focus.”
In the past, Myers said the focus would have been more on issuing a Personal Identity Verification (PIV) card. However, he said today’s focus is more on “leveraging other types of phishing-resistant authenticators.”
In fact, Myers said GSA is currently working to develop guidance with the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency on a “phishing-resistant authenticator playbook.”
Along those lines, Myers said the Federal Chief Information Security Officer Council ICAM Subcommittee and the Federal Chief Information Officer Council Cloud and Infrastructure Community of Practice worked together this year to develop the Cloud Identity Playbook.
Myers explained that identity is a critical enabler of zero trust and that this playbook will help agencies align their strategies.
“One of the interesting mythbusters that the group discussed is the idea that an organization has to go all in on using cloud, and that’s not necessarily true. It’s not cloud or nothing,” Myers said. “And actually, most agencies that utilize a cloud service are probably using a FedRAMP identity-as-a-service, or an IDaaS, in a hybrid configuration.”
For more playbooks and guidance on FICAM within zero trust, Myers encouraged agencies to check out https://playbooks.idmanagement.gov/.