Security

NSA, NIST Release Cybersecurity Guidance for the Federal Government

The agencies tackled the federal identity, credential and access management framework and misconceptions about end users.

Dave Nyczepir

Dave Nyczepir is a Senior Editor for Manifest.

Two agencies released guidance in late March to help the rest of government. The first seeks to mature federal identity, credential and access management for mitigating cyberattacks, and the second combats the misconception that end users don’t understand security.

A information sheet explains how the federal zero-trust strategy, specifically its user pillar, builds upon the federal identity, credential and access management (FICAM) enterprise approach to designing, planning and executing a common segment architecture.

Meanwhile, National Institute of Standards and Technology research has found that cyber specialists’ heavy dependence on technology means they often neglect the human element of effective security.

More than 80 percent of network compromises in 2020 occurred due to lost or stolen credentials, according to a Verizon Data Breach Investigations Report,, and incidents are on the rise. While the FICAM framework was established in 2009 as an agency roadmap, the federal zero-trust strategy requires stronger mechanisms for authenticating and authorizing user network access, and agencies must also ensure users accept those mechanisms.

“We need an attitude shift in cybersecurity,” said Julie Haney, computer scientist at NIST, in a statement. “We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners.

Click the banner below to receive featured cybersecurity content by becoming an Insider.

How Zero Trust Changes FICAM

With respect to the identity management pillar of FICAM, NSA recommends agencies prepare for zero trust by ensuring all users are registered and their information is accurate.

For the credential management pillar, the guidance advises agencies to enforce multifactor authentication and inventory all credentials for each user.

Under the access management pillar, agencies should inventory user entitlements and access policies to remove any that are outdated, according to the information sheet.

NSA further provides steps for achieving basic, intermediate and advanced zero-trust maturity under each pillar.

The last FICAM pillar addressed in the guidance is identity federation. Zero trust necessitates partner agreements for the use interoperable solutions when information sensitivity or maturity differences across agencies could create excessive risk.

Expanding and refining the FICAM roadmap through a zero-trust model “will provide an organization with tools and processes for resisting, detecting and responding to ever-increasing threats that exploit weaknesses or gaps in their ICAM programs,” according to the sheet.

EXPLORE: What agencies should know about establishing zero trust in a hybrid work environment.

Six Cyber Pitfalls for Security Professionals

Haney identifies six cybersecurity pitfalls that agencies’ security professionals must address to improve users’ perceptions of the new security tools being implemented, so they will use them rather than circumvent them.

Here’s how to avoid the pitfalls:

Don’t assume users are clueless; they often just suffer from security fatigue.
Avoid technical jargon in security communications; use plain language.
Recognize that poor usability can unintentionally create insider threats.
Avoid rigid security that complicates daily work and leads employees to look for risky workarounds.
Seek compliance through positive reinforcement; negative actions, like locking user accounts, breeds resentment.
Don’t neglect direct user feedback on effectiveness.

“There has been a lot of research into this issue, but the research is not getting into the hands of people who can do something about it,” Haney said in a statement. “Working at NIST, where we have a connection to all sorts of IT experts, I saw the possibility of bridging that gap.”

yacobchuk/Getty Images