The Great Conjunction: OMB Updates to ICAM ID Policy Aligns the Stars for a Zero-Trust Journey
After waiting nearly a year for the Office of Management and Budget (OMB) to release their new identity guidance for federal and government workers — it’s finally here. The new updated identity, credential and access management policy extends the government physical credentials of personal identity verification (PIV) and common access cards (CAC) into the digital world, and paves the way to a zero-trust journey.
We’ve been waiting to see how closely it aligns with previous NIST identity guidance (SP-800-63-3), and it doesn’t disappoint. But it actually does much more than that. What it shows us is that the OMB is paying attention to all the parts that make up a zero-trust security methodology, and that the OMB believes (correctly) that a strong identity, credential and access management (ICAM) system is at the heart of it. In keeping with the spirit of SP 800-63-3, it goes out of its way to highlight the necessity to adopt a risk-based approach to identity security, much like other parts of the cybersecurity equation.
To ensure secure and efficient operations, agencies of the Federal Government must be able to identify, credential, monitor, and manage subjects that access Federal resources, including information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services, as well as individuals' privacy.
— From the memo "Enabling Mission Delivery through Improved Identity, Credential, and Access Management"
This guidance is not happening in a vacuum. Beyond the specific calls-outs on how this relates to the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) Program there is a specific mention in Section 4 of the “de-perimeterized” world we are increasingly seeing in our workflows.
IV. Shifting the Operating Model beyond the Perimeter
The interwoven technical architecture of the Federal Government creates complexity in managing access to resources, safeguarding networks, and protecting information. While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access Federal resources made by users and information systems. To ignite adoption of this new mindset around ICAM capability deployment across the Federal Government, each agency must harmonize its enterprise-wide approach to governance, architecture, and acquisition.
Governance
1. Each agency shall designate an integrated agency-wide ICAM office, team, or other governance structure in support of its Enterprise Risk Management capability to effectively govern and enforce ICAM efforts.
The memo also recognizes the modular mobile world we live in and the acceptance of some use cases that can support a “Bring Your Own Authenticator (BYOA)” model.
“Agencies shall establish processes based on digital identity risk and associated assurance levels to allow an individual to bind, update, use, and disassociate non-Government furnished authenticators to their digital identity when accessing Federal digital services provided to public consumers.”
All of these mentions provide agencies with flexibility to look for a more modern way to identify and authorize users through new technology like Duo's multi-factor authentication, which is DHS and CDM approved and FedRAMP In-Process.
I am also encouraged by the fact that the review cadence is specifically called out in the document. This has to be a living and breathing thing that gets adapted and updated as our IT environments change.
One of the problems we have been living with is the fact that the Homeland Security Presidential Directive 12 (HSPD-12) is 15 years old. Any security policy left alone for that long will not age well. It was designed and implemented in a time before cloud, and in a time before mobile, and is in desperate need of an overhaul. While the new guidance still points to HSPD-12 as the “law of the land” in Section 3, these new updates to it give it enough flexibility to securely cover us as we move into our modern new world and beyond.
It’s also worth mentioning that NIST hosted a FIPS 201 session a few weeks back to discuss open standards (FIDO, OIDC, SAML, etc.) as potential building blocks for future work in the handling of federal identities, how they’re accessed and how they will be federated. This is a direct result of the OMB impending guidance (now realized), the release of SP 800-63-3 and the update that will be required for SP 800-157 (PIV-D).
To me, these things have always been related and play off each other to provide the true “zero-trust” cybersecurity framework for a government agency’s IT modernization journey.
Game on.
Try out our Phishing Simulator and measure your user risk for free today
Free Phishing Simulator