OMB issues draft of new ICAM policies
The Office of Management and Budget on April 6 released a draft of new guidance for governmentwide identity, credential and access management (ICAM) and is seeking public comment for the next 30 days.
"Agencies must be able to identify, credential, monitor, and manage user access … across their enterprise in order to ensure secure and efficient operations," the draft memo states. "In particular, how agencies conduct identity proofing, establish digital identities, and adopt sound processes for authentication and access control will significantly impact the security of their digital services."
The National Institute of Standards and Technology's Special Publication 800-63 underpins much of the guidance. The draft memo instructs agencies to use the General Services Administration's Public Key Infrastructure (PKI) Shared Service Provider Program and to take full advantage of the Continuous Diagnostics and Mitigation Program's ICAM capabilities. Reducing "solution overlap" and encouraging "innovation through modularity" are two of the stated goals for ICAM modernization efforts.
Agencies would also be required to incorporate digital identity risk management into existing processes, to "automate enterprise-level performance reporting," and to establish an ICAM office or team that draws on personnel from the offices of the CIO, human resources, general counsel, chief security officer and other key agency stakeholders.
The memo would task NIST and the Department of Commerce with a wide range of responsibilities, including updates to guidelines for personal identity verification cards and derived PIV credentials. Also on the to-do list: "implementation guidance for identity federation protocol(s)" to facilitate identity proofing with government's private-sector partners.
The draft guidance instructs GSA to maintain the PKI program and "government-wide FICAM Architecture and associated guidance," to manage an approved products list for compliant ICAM solutions and to "[d]etermine the feasibility of expanding the USAccess program to include Derived PIV Credentials as a service offering." GSA also would be required to establish a technical review board to ensure that Login.gov or an alternate solution can provide the needed "consumer identity assurance and authentication" capabilities.
The Department of Homeland Security would be tasked with ensuring the new ICAM policies reflect risk management best practices and with leading research and development efforts to "to identify ICAM mission needs with related technology capability gaps." And the memo instructs the Office of Personnel Management to update the eligibility and vetting requirements that determine who can be issued PIV credentials.
The memo also reflects OMB's ongoing efforts to streamline and consolidate policy guidance. It would rescind and replace five older memoranda on e-authentication, external credentials and other ICAM matters.
It also gives a nod to the growing privacy concerns around online user data, noting that "as information about individuals becomes more widely available through social media or through breaches of personally identifiable information (PII), it is increasingly important that all agencies adopt identity validation solutions that enhance privacy and mitigate negative impacts to delivery of digital services and maintenance of online trust."