Guidance for agencies on single sign-on, cloud identities and a digital identity risk management process is coming in the next year from the Office of Governmentwide Policy.
The Federal Identity, Credential and Access Management (FICAM) architecture hasn’t changed during the COVID-19 pandemic, mostly because the Office of Management and Budget already released a memo that should help agencies implement remote access.
But agencies still have questions about how to modernize their infrastructure and securely allow remote access as “a lot” of them migrate to the cloud, which the new guidance should address, said Ken Myers, chief federal ICAM architect within the General Services Administration.
“To this point all federal employees are required to have a [Personal Identity Verification] card, but sometimes for that to work that means you have to be on the agency network,” Myers said, during an ATARC event Thursday. “With remote work that may not always mean your access type changes, so within OMB Memo 19-17 it talks about setting up pilots to use alternative or different authenticators.”
That could mean implementing single sign-on and federating access using a one-time personal identification number (PIN) or a hardware token, Myers added.
OMB’s memo tells agencies to conduct a digital identity risk assessment to look at the impact of allowing access, determine the assurance level and then pick the right authenticator for the job — a process OGP, which sits within GSA, will flesh out in forthcoming guidance.
FICAM doesn’t always align with specific solutions agencies are using because it’s a governmentwide architecture, but OGP is open to collaborating with them on updates to its guidance, Myers said.
For instance, the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) Program approves products and implementation architectures using FICAM as a reference. OGP, in turn, may refer to CDM as it updates privileged access management (PAM) guidance.
PAM refers to protecting accounts with elevated privileges like Windows domain administrators, Linux superusers and cloud-based global administrators, and it’s traditionally been handled separately from ICAM.
That could be changing.
“It is deprecated,” Myers said. “But we are looking at updating it because privileged access management is such an important topic today.”