Strengthening Cybersecurity Through Improved Identity and Access Management
Identity and Access Management strategies
The US Government is the largest employer in the United States with over 2.7 million employees using thousands of secure applications. Companies can gain valuable insight by learning about and participating in new Federal identity management policies and strategies. Improving cybersecurity through identity management modernization will help mitigate next generation threats for federal agencies and US companies.
The White House Office of Management and Budget (OMB) is proposing a new policy to improve Federal agencies’ implementation of Identity, Credential, and Access Management (ICAM) – the security disciplines that enable the right individual to access the right resource, at the right time, for the right reason.
Federal agencies must be able to identify, credential, monitor, and manage user access to information and information systems across their enterprise in order to ensure secure and efficient operations. In particular, how agencies conduct identity proofing, establish digital identities, and adopt sound processes for authentication and access control will significantly impact the security of their digital services. Additionally, as information about individuals becomes more widely available through social media or through breaches of personally identifiable information (PII), it is increasingly important that all agencies adopt identity validation solutions that enhance privacy and mitigate negative impacts to delivery of digital services and maintenance of online trust. It is also essential that agencies’ Identity, Credential, and Access Management (ICAM) strategies and solutions are informed by risk perspectives and driven by targeted outcomes.
Implementation of Effective Identity Management Governance
Establishing effective ICAM governance is an important part of the federal government’s continual efforts to promote robust cybersecurity. To ensure effective governance, agencies shall leverage the approaches and principles of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, Digital Identity Guidelines. Agencies shall also continue to follow Homeland Security Presidential Directive 12 (HSPD-12) requirements pertaining to the identity verification and credentialing of federal employees and contractors. To reach these goals, agencies shall:
- Define and implement ICAM policies, processes, and technology solutions that encompass the agency’s entire enterprise, align with the government-wide Federal ICAM Enterprise Architecture, and meet Federal policies, standards, and guidelines;
- Designate an integrated ICAM office, team, or other governance structure in support of its Enterprise Risk Management capability that includes personnel from the offices of the Chief Information Officer, Chief Security Officer, Human Resources, General Counsel, Senior Agency Official for Privacy, and component organizations that manage ICAM programs and capabilities. These offices, as well as program managers and acquisition offices, should regularly coordinate to ensure that the agency’s ICAM policies, processes, and technologies are being implemented, maintained and managed consistently. This includes coordinating the deployment of capabilities and functionality provided through the Continuous Diagnostics and Mitigation (CDM) Program;
- Outline enterprise-level performance expectations for cybersecurity and privacy risk management throughout each user’s lifecycle, including changes in the user’s access privileges;
- Develop a mechanism to streamline and automate enterprise-level performance reporting. This mechanism should align with existing and planned reporting and analytics structures and tools, such as the CDM dashboards and FISMA reporting;
- Incorporate Digital Identity Risk Management into existing processes as outlined in NIST SP 800-63, including the selection of Identity Assurance Levels (IALs), Authentication Assurance Levels (AALs), and Federation Assurance Levels (FALs) commensurate with the risk to their digital service offerings.
Modernization of Identity Management Capabilities
It is imperative that agencies implement and harmonize their ICAM capabilities, while ensuring that ICAM solutions are not fragmented or duplicative. To achieve this objective, agencies shall take the following steps to modernize their ICAM architecture:
- Reduce Solution Overlap: Agencies shall establish authoritative solutions for their ICAM services, promoting the most effective solutions at an enterprise level.
- Promote Innovation through Modularity: Agencies shall ensure that deployed ICAM capabilities are interchangeable and developed based on open Application Programming Interfaces (APIs) and/or commercial standards to promote interoperability and enable componentized development.
To read more about this policy, please visit the Office of the Federal Chief Information Officer policy announcement. Comments on this policy may be submitted by creating an issue on the GitHub page for this draft policy.