A new memo released Tuesday, May 22, by the Office of Management and Budget (OMB) updates the Federal identity, credentials, and access management (ICAM) policy, encouraging the use of more flexible solutions, supporting pilots for new authenticators, and requiring agencies to create an ICAM team.
The memo, which is the first new OMB memo on ICAM since 2011, squarely establishes the importance of existing policies, such as the National Institute of Standards and Technology’s (NIST’s) SP 800-63 digital identity guidelines and Homeland Security Presidential Directive 12 (HSPD-12). However, the memo acknowledges that advances in technology require a new approach to ICAM.
“While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access Federal resources made by users and information systems,” the memo states.
To implement this new approach to ICAM, agencies are required to designate “an integrated agency-wide ICAM office, team, or other governance structure” to support those efforts. These teams are meant to work across silos by including members from the CIO’s and CISO’s offices, the CFO’s office, human resources, general counsel, privacy officials, acquisition, physical security, and component organizations that manage ICAM programs.
Agencies also will need to create a comprehensive ICAM policy and technology solution roadmap that aligns with the Federal ICAM Architecture and the Continuous Diagnostics and Mitigation (CDM) program. The memo mandates performance expectations that support government-wide efforts, such as the cross-agency priority (CAP) goals in the President’s Management Agenda.
As part of the new approach, the memo encourages agencies to work with the Federal CIO Council, the Federal Privacy Council, and NIST to run pilots with authenticators that “meet the intent of HSPD-12,” which will provide lessons learned and help improve guidance, especially in the areas of mobility and cloud identity.
“As technology evolves, the Government must offer flexible solutions to meet changing technology needs and shift the focus from managing the lifecycle of credentials to the lifecycle of identities,” the memo says.
“The ICAM memo is a product that incorporates feedback received from agencies and industry to address blockers to technology adoption, and enable the Government to harness innovation to drive improvements in digital service delivery, user experience, security, and privacy. Robust capabilities for Identity and Access management increase in importance as we extend uses of data, implementation of automated technologies and the perimeter of our technology environments continue to change,” said Federal CIO Suzette Kent in a statement to MeriTalk.
On CDM, the memo highlights synergies and calls on agencies to use CDM to “accelerate their procurement and deployment of tools related to the ICAM capabilities.”
The new policy shifts agencies away from the “obsolete” Levels of Assurance (LOA) model. NIST SP 800-63-3 discontinued the single LOA scale in favor of separate assurance levels for identity proofing, authentication, and federation (IAL, AAL, and FAL), so that each can be selected against the risk of the specific transaction.
The memo calls out emerging technologies like robotic process automation (RPA) and artificial intelligence (AI), requiring agencies to “[ensure] the digital identity is distinguishable, auditable, and consistently managed across the agency.” Credentials have been an issue for RPA projects in government: bots frequently run under a human employee’s credentials, which means their actions cannot be attributed to the bot in audit logs and cannot be governed separately from the person’s own access.
OMB also put an emphasis on cross-government identity verification, encouraging agencies to leverage existing valid PIV credentials over issuing new ones, and establishing agreements for cross-government identity federation.
On ICAM acquisition, the memo calls on agencies to rationalize their tools, and “promote flexible and scalable solutions that can work across the agency and change as mission needs evolve.” The memo also promotes commercial capabilities and open APIs for ICAM tools, acquired through Best-in-Class or Tier 2 vehicles.
In the next six months, NIST will issue a roadmap for any new guidance or updates. The memo calls for guidance that addresses automated technology, cloud, mobile, and devices. NIST will also work with the General Services Administration (GSA) to establish standards for accrediting products that meet SP 800-63 requirements.
GSA will develop a roadmap of the solutions and shared services that can help agencies meet this policy, including a catalog of existing solutions. GSA will also maintain the Federal ICAM Architecture, determine the feasibility of accrediting ICAM products on GSA acquisition vehicles, and ensure all GSA solutions meet relevant policy.
Early reaction to the policy from industry was positive, praising the move away from perimeter-based security.
“The OMB memo reflects the agency’s recognition that the federal government, just as the private sector, is moving towards an increasingly perimeter-less IT environment. To meet this shift, the OMB correctly prescribes that a strong ICAM system makes up the heart of the zero-trust security methodology, and has further laid the foundation for agencies to accelerate adoption of this approach,” said Sean Frazier, Federal advisory CISO at Duo Security.
“Through this Federal ICAM policy, the Government is enacting a common vision for identity as an enabler of mission delivery, trust, and safety of the Nation,” the memo states.