In April 2018, the Office of Management and Budget issued a draft memo on updating federal identity credential and access management policy. More than a year later, on May 21, OMB issued the final policy. The updated policy reveals how the state of play around ICAM and identity governance has continued to evolve, as have the cybersecurity threats that agencies face.
A key element of the policy is the need to execute effective ICAM governance, including the need to “define and maintain a single comprehensive ICAM policy, process, and technology solution roadmap, consistent with agency authorities and operational mission needs,” the memo notes. Those items, the memo states, should include “the agency's entire enterprise, align with the Government-wide Federal Identity, Credential, and Access Management (FICAM) Architecture and CDM requirements, incorporate applicable Federal policies, standards, playbooks, and guidelines, and include roles and responsibilities for all users.”
The issue clearly is salient across the government. According to a 2018 Digital Trust survey sponsored by Unisys, about two-thirds (64 percent) of federal government IT leaders view identity management solutions as a “very important” way to address the growing cybersecurity threat to their agencies.
At its most basic level, ICAM represents the “tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources,” the General Services Administration notes.
As agencies shift their cybersecurity strategies from perimeter defense to protecting high-value assets, it will become more important than ever for their security teams to know who is on their network and which users have access to what data, at a granular level.
Thankfully, that is what Federal CIO Suzette Kent is focused on as well.
Agencies Must Get a Handle on Who Has Access to Data
The federal government is thinking through how it can adopt a zero-trust security framework as it evolves its identity governance technology.
Under a zero-trust security protocol, users who don’t need (or aren’t authorized for) access to certain data or applications can’t open them. The model assumes a “never trust and always verify” approach when users are retrieving services or data, and it requires continuous authorization no matter where a user makes a request.
In April, ACT-IAC, at the request of the federal CIO Council, issued a white paper on the state of zero-trust, spelling out best practices and challenges for deploying it in the government.
Before the final memo on ICAM was released, Kent told Federal News Network that the policy from OMB might not need to specifically include zero-trust (it does not):
“The zero trust approach is a framework and identity is a component in that. We may put more discipline and detail into identity so we can drive more depth in our algorithms of access at some point in time, and that would go back into the identity policy. But zero trust in itself will not be a component of the policy. What could be a component of the policy is the identity information and the characteristics that would become a part of what is used in our longer term access and monitoring protocols.”
Education Department CISO Steven Hernandez, who was a member of the white paper’s project leadership team, notes that identity is a core element of a zero-trust model.
“It’s so important when we talk about valuable data, we decided in the working group it’s not so much who is on the network is so important, but what access to the data do they have? That’s the real question,” Hernandez told Federal News Network.
At bottom, as agencies focus on protecting high-value assets — data and information on federal IT systems whose unauthorized disclosure would harm the government — IT leaders need to have a high level of certainty about who is accessing such data, and whether they are authorized to do so, according to Hernandez.
“If it’s public website and public information, I don’t care who is accessing that, anybody can,” he said. “So drawing those distinctions and having a mature approach to identity management is what allows us to start to enable most, if not all, of the capabilities in the zero trust mindset.”
Whether or not the government formally adopts a zero-trust security framework, it is clear that identity governance is going to be a core element of federal cybersecurity efforts for years to come.