The Office of Management and Budget missed its own deadline to issue new identity management policy 75 days after the final IT modernization report came out in December.
OMB took 38 days extra. But it was well worth it, according to former federal executives and other identity management experts.
The draft Identity, Credential, and Access Management (ICAM) policy update hits many of the right notes, rescinds five outdated policies and clearly addresses where the future of identity management is heading in the federal government.
“I want to commend OMB for putting this out as a public draft and offering the public the opportunity to comment on and improve it. OMB Policy Memos don’t usually include an opportunity for review and comment, and it’s nice to see them taking this approach,” said Jeremy Grant, the managing director of Technology Business Strategy at Venable and the lead of the Better Identity Coalition. “Just from a ‘housecleaning’ perspective, this is an important memo. OMB has issued a number of different memoranda over the years covering different aspects of identity, some of which have grown a little long in the tooth. The idea of rescinding several old memos and replacing them with a new, overarching policy makes a lot of sense.”
The one area where the draft policy hits a home run is finally bringing physical and logical security together.
“Agencies shall require use of the personal identity verification (PIV) credentials as the common means of authentication for federal employee and contractor access to federally-controlled facilities. Agencies shall ensure that use of the PIV credential for physical access to federal buildings is implemented in accordance with The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard and NIST SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS),” the draft policy states. “This publication provides additional information on the use of PIV credentials, the governmentwide standard identity credential, in physical access control systems.”
Additionally, it requires the Interagency Security Committee to develop a risk management standard for federal facilities and ensure it is aligned with governmentwide policy for PIV implementation.
“The standard defines the criteria and processes that those responsible for the security of a facility should use to determine its facility security level, and provides an integrated, single source of physical security countermeasures,” the draft policy states.
The General Services Administration also will work with the National Institute of Standards and Technology, the Office of Personnel Management and the Homeland Security Department to develop and publish a physical access control system (PACS) security and privacy control overlay to help agencies identify core controls for PACS.
Randy Vanderhoof, the executive director of the Secure Technology Alliance, an industry association that has been involved with federal identity management issues for more than two decades, said he is pleased to see the draft policy call for improved integration of computer and front door access with the PIV card.
“The point raised about the role of DHS to step up its role in the Interagency Security Committee is important. One of the shortcomings of this effort is agencies held back more aggressive procurement of approved PACS solutions because the ISC has not really provided much guidance for agencies about how to go about making those procurements work well. They have relied on agencies to manage that process themselves through the RFP process and through hiring third parties to do security evaluations and make recommendations on designing their needs for PACS,” Vanderhoof said. “It would’ve been helpful for government resources to have offered some guidance and direction on how to do that. This document finally does that by identifying DHS as the one which is responsible for leading that effort under the ISC.”
For much of the past decade, the smart identity cards have been used as fancy flash passes when it came to physical security. Only in the last few years have agencies started to implement physical access security that requires the card to pass through gates.
Vanderhoof said one major issue for the integration of physical and logical security has been the bifurcation of how agencies bought the technology. Under GSA Schedule 70, agencies could purchase logical access control systems. But they had to use Schedule 84 for physical access control systems. He said the two schedules were not aligned properly, and that made it more difficult for security officers to know how to get effective help.
Vanderhoof said he hopes when the memo is final it will address many of these physical vs. logical security challenges.
Waiting for the OMB update
The much-anticipated draft memo, which has received no comments in 10 days, also addresses governance, capabilities and emphasizes shared services. OMB is accepting comments on the draft through May 6.
Among the five areas under governance, OMB wants agencies to create a single point to oversee and implement ICAM.
“Designate an integrated ICAM office, team, or other governance structure in support of its Enterprise Risk Management capability that includes personnel from the offices of the chief information officer, chief security officer, human resources, general counsel, senior agency official for privacy and component organizations that manage ICAM programs and capabilities,” the draft states. “These offices, as well as program managers and acquisition offices, should regularly coordinate to ensure that the agency’s ICAM policies, processes and technologies are being implemented, maintained and managed consistently. This includes coordinating the deployment of capabilities and functionality provided through the continuous diagnostics and mitigation (CDM) Program.”
OMB also is pushing for sharing of services and the use of application programming interfaces (APIs).
And under the third area, shared services, agencies should use the credential management services supplied by GSA, rely on CDM to further identity management capabilities and take advantage of shared identity assurance and authentication services, which enhance online trust and safety for citizens.
Joseph Stuntz, the vice president of cybersecurity at One World Identity (OWI) and a former policy lead for OMB’s cyber and national security unit, said all of these actions are needed, but the draft policy doesn’t go far enough.
“The release of this new guidance hopefully leads to a series of agency policy and process updates that create flexibility for departments and agencies to be able to adopt the most modern secure identity technology in order to support broader IT modernization efforts and save resources being spent on legacy solutions,” he said. “Hopefully, this is the start to move federal identity forward in an even more substantial way by looking at HSPD-12. When it was written, it addressed a serious issue and it still addresses many similar issues today. But, by combining physical access, logical access and suitability, it led to an inflexible solution that does not address many current use cases like cloud and mobile. I think OMB and the White House have a chance to capture the momentum created by the update of this policy to lay out plans and next steps to address all three of these important areas in ways that promote innovation instead of restrict it.”
Door opens for third-party credentials
Stuntz raises the question circulating in many private sector circles: whether OMB would begin to move agencies away from PIV and toward newer technologies.
But the draft memo didn’t move away from PIV; instead, it reiterated its importance. At the same time, however, OMB opened the door even wider to the use of derived credentials as well as those provided by third parties, including, but not limited to, GSA’s Login.gov platform.
Venable’s Grant said one of those potential approaches to address the challenge of high assurance systems is the use of the Fast Identity Online (FIDO) Alliance’s web authentication standard in browsers.
Grant said the inclusion of the FIDO standards “will open up some much easier ways for agencies to deliver strong authentication.”
He said the fact that OMB also told NIST to make changes to NIST SP 800-157 — the Guidelines for Derived PIV Credentials — to support some of these newer, innovative approaches to authentication in mobile devices also is a good sign.
The Secure Technology Alliance’s Vanderhoof said moving away from the PIV card would’ve been just too difficult for agencies.
“In the past, policies were focused on government-to-government or federal employees’ usage of federal information systems only, but this is the first memo that I’ve seen where they’ve actually called out the role of business-to-government and consumer-to-government identity and authentication,” he said. “That has always been the next phase of this effort, and this is the first time I’ve seen a document that actually calls out that federal agencies should be looking at other shared service providers to provide those identities. At the same time, OMB also calls out that GSA is responsible to make sure whatever those shared services that agencies use are tested and approved for the meeting of specifications and standards from NIST. Right now there aren’t any so they are putting a path toward that end.”
Grant added that the one place where OMB needs to further clarify the guidance is the role of Login.gov and whether it will support federation with third-party credentials.
“Keep in mind that the sole reason government previously focused on Connect.gov was that it is hard for agencies to integrate with multiple third party identity providers — at its core, Connect.gov was a service to make support for federation easier. So when Connect.gov was killed, that was a pretty strong signal to agencies that federation was dead,” he said. “In this new memo, however, federation requirements are back — and that’s a good thing, in my view. But it’s unclear how all the pieces come together. On that note, the memo places a heavy emphasis on use of ‘shared identity assurance and authentication services’ — and notes that ‘agencies should leverage private or public sector shared services.’ But it stops short when it comes to actually directing any agencies outside of GSA to stand up shared services. This may be a missed opportunity. Other agencies are sitting on stores of authoritative attributes that could be used here to assist government with identity vetting for online services. Citizens should be able to ask a government agency that issued them a physical credential to stand behind it in the online world, by validating the information from the credential.”