Federal guidelines on implementing identity and access controls beyond traditional credential validation methods are giving agencies greater flexibility to improve security as well as user experience, says an IT expert in a new podcast.
Those guidelines — part of the Federal Identity, Credential and Access Management (FICAM) policy — also help pave the path to modernizing how employees and citizens access government resources, says Ashley Stevenson, vice president of product and solution marketing at ForgeRock.
While agencies have largely used personal identity verification (PIV) or common access card (CAC) authenticators, the 2019 FICAM memo gives IT leaders greater flexibility to diversify their authentication options, he says.
“If you look at the [FICAM] memo in the first couple of pages, the word modernization is really in there,” says Stevenson in the podcast, which was produced by FedScoop and underwritten by ForgeRock. He also discusses:
What agency leaders are accountable to uphold under FICAM
IT leaders will need to “shift from static security models to more dynamic security models that are working in real-time around identity risk assessment,” he says.
“They’re required to maintain security, but also ensuring accessibility and interoperability to provide the right experience to the right people at the right time,” he explains. “That includes employees, contractors and partners … but also, for all the different citizens who are interacting with their public facing services,” says Stevenson.
How agencies benefit from a more comprehensive ICAM approach to security
“Probably the biggest single benefit is an increase in flexibility for agencies,” says Stevenson. “So now, they can have more choice in the types of authenticators they use, the types of identity standards that they can implement.”
“Strong authentication based on a strong credential is just the first step. Authorization and being able to understand what someone’s allowed to do, not only based on how much we trust their authentication, but what are they entitled to do and not do. And that can change from time to time based on how they’re acting and other things that are happening,” he explains.
Critical features to look for
Stevenson highlights a number of features agencies should keep in mind as they look to adopt or expand on a centralized IAM solution, including:
- Look for something that provides and uses open standards to facilitate easier integration and avoid vendor lock-in.
- Look for a mature identity system that uses modern APIs in order to strategically implement an “identity fabric.”
- Look for strong support for legacy and modern systems in a single solution, to avoid fragmentation across different vendors and solutions.
- Look for cloud flexibility to deploy across a hybrid-cloud environment.
Ashley Stevenson was formerly chief architect for ICAM at the Department of Homeland Security. He has more than 15 years of experience in enterprise-scale solutions focused on identity, information security, cloud infrastructure and multi-tenant IT service management.
Listen to the podcast for the full conversation on FICAM benefits for federal agencies. You can hear more coverage of “IT Modernization in Government” on our FedScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by FedScoop and underwritten by ForgeRock.