OMB Floats New Federal ICAM Cybersecurity Policy

Published: April 12, 2018

CybersecurityPolicy and Legislation

The Office of Management and Budget (OMB) has released a draft policy aimed at strengthening agency cybersecurity through better identity management.

On April 6th, OMB Director Mick Mulvaney released a new draft policy to address improved identity, credential and access management (ICAM) – the combined policies, processes and tools that ensures access to IT and information assets are enabled and limited to the proper users for proper uses at the proper time. As part of the process OMB is seeking public comment over the next 30 days.

The new draft ICAM policy provides guidance to agencies on three main areas where they are to strengthen the security of information and information systems:

  • Implementation of effective ICAM governance – Agencies are to use the approaches and principles in the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines (Special Publication (SP) 800-63) and continue to follow Homeland Security Presidential Directive 12 (HSPD-12) requirements pertaining to the identity verification and credentialing of federal employees and contractors.
  • Modernization of agency ICAM capabilities – Agencies are to implement and harmonize their ICAM capabilities and ensure ICAM solutions are not fragmented or duplicative through reducing overlaps and increasing modularity.
  • Agency adoption of ICAM shared solutions and services – Agencies are to begin moving to ICAM shared services and should plan to incorporate new services once they are available, including Credential Management Services, CDM program-provided COTS ICAM tools, Identity Assurance and Authentication Service for consumers, and Identity Assurance and Authentication Services for businesses and partners.

Mulvaney also outlined a number of department-specific responsibilities for various government-wide digital identity management improvement efforts assigned to the Department of Commerce, the Office of Personnel Management (OPM), the General Services Administration (GSA), and Department of Homeland Security (DHS) that range from developing guidance for identity technology and architecture to physical access controls and potential research and development needs to fill needed capability gaps.

Implications

The market implications for federal solutions providers could potentially be broad and varied depending on the rate at which OMB finalizes the policy and what if any resources agencies are given for implementation. Opportunities will likely drive some demand for ICAM tools and related solutions and services that can be acquired via the CDM program as well as technology management and information architecture consulting services to assist agencies in evolving their ICAM security posture.

There has been plenty of focus improving identity management in recent years, from reducing the frequency of privileged access to increasing the use of multi-factor authentication. This latest policy will continue to push agencies in the direction of improved solutions and greater economies through shared services.