On May 21, 2019, OMB issued a new cybersecurity memorandum, M-19-17 – Enabling Mission Delivery through Improved Identity, Credential, and Access Management, setting forth a modernized policy for the federal government’s approach to Identity, Credential, and Access Management (ICAM). This long-awaited memo represents a major overhaul of federal identity policy and strategically points agencies to the risk-based approach detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines. There’s a lot to unpack in this 13-page memo, and so much to love about it that we at Easy Dynamics can hardly contain ourselves! Here are ten things we love about the new guidance:
- Goodbye Levels of Assurance (LOA) – Shred your old copies of M-04-04, E-Authentication Guidance. This memo rescinds it, retires LOAs, and points agencies to the distinct assurance levels for identity proofing, authenticators, and federation defined in SP 800-63.
- 800-63 as the Foundation of Digital Identity – Agencies are required to update their identity strategies to ensure they are following 800-63. This revision is a major update to old guidance and materially impacts legacy solutions based on prior revisions.
- Digital Identity Risk Management – The memo requires agencies to incorporate Digital Identity Risk Management, including consideration of privacy risk, into existing Federal processes as outlined in 800-63. Agencies are also asked to share feedback with the Federal CIO Council, Federal Privacy Council, and NIST to drive improvement to 800-63. This feedback could take the form of a “digital identity acceptance statement” that explains the rationale for implementing at an xAL that differs from what your risk assessment yielded.
- Federation First – The memo acknowledges that a smartcard-only approach to federation is no longer tenable and drives the federal government toward a federation-first approach in both government-to-government (G2G) and government-to-citizen (G2C) contexts. In several places the memo emphasizes leveraging federated solutions as a requirement rather than a mere suggestion. While Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, remains the government-wide standard for common identification as called for in Homeland Security Presidential Directive 12 (HSPD-12), the memo recognizes that the government must offer flexible solutions as technology evolves. Agencies have a fantastic opportunity to get creative and work with the Federal CIO Council, the Federal Privacy Council, and NIST to pilot additional solutions that meet the intent of HSPD-12. The memo also requires agencies to support cross-government identity federation and interoperability by identifying and resolving obstacles to accepting PIV assertions from other agencies.
- Zero Trust – Paul Grassi, some guy whose name can be found on the cover of 800-63 and who also happens to be our SVP of Cybersecurity, really loves the paradigm shift here to zero trust solutions and the concept of using identity as the underpinning for managing cyber-risk. Trust that architecture requirements are abundant in this guidance: it requires agencies to establish authoritative solutions for ICAM services, ensure that deployed ICAM capabilities are interchangeable, use commercially available products, and leverage open APIs and commercial standards to promote interoperability and manage the digital identity lifecycle of devices, non-person entities (NPEs), and automated technologies such as Robotic Process Automation tools and Artificial Intelligence.
- Bring Your Own Authenticator – Options, baby! Agencies can give the public more options and allow them to bind non-Government-furnished authenticators to their digital identity when they access digital services. This policy enables strong authentication to government services, reduces cost, and reduces the number of authenticators individuals use in their daily lives. This is a win-win for agencies and citizens.
- Governance – Everyone is invited, well, required actually, to be part of an integrated agency-wide ICAM governance structure to “include personnel from the offices of the Chief Information Officer, Chief Financial Officer, Human Resources, General Counsel, Chief Information Security Officer, Senior Agency Official for Privacy (yay!), Chief Acquisition Officer, Senior Official(s) responsible for Physical Security, and component organizations that manage ICAM programs and capabilities, including ICAM capabilities deployed through the CDM Program.” Chief Operating Officers or equivalents are required to ensure coordination on ICAM among agency leaders, and agencies are required to define and maintain a single comprehensive ICAM policy, process, and technology solution roadmap.
- Agencies as Attribute Sources – The federal government has had longstanding challenges in implementing remote identity proofing, in part due to the limited availability of authoritative data sources. This guidance chips away at that challenge, for both the public and private sectors, by directing agencies that are authoritative sources for attributes used in identity proofing events (e.g., SSN), as selected by OMB and where permissible by law, to establish privacy-enhanced data validation APIs for public and private sector identity proofing services to consume. Imagine being able to remotely proof a user with a passport!
- Privacy Matters – Privacy always has a special place in my heart, and clearly OMB feels the same way. The new guidance calls for agencies to limit the collection of Personally Identifiable Information (PII) and protect it commensurate with risk. With the push toward federation, it will be important to involve your agency’s privacy officials to ensure appropriate consent mechanisms and privacy protections are in place when using federally or commercially provided shared services. Whether or not you are a privacy professional, it’s important to understand that a privacy risk assessment must be part of your agency’s digital identity risk assessment process.
- Roadmaps for New Options – There are agency-specific responsibilities galore in here, but keep an eye on the Department of Commerce (NIST) roadmap and guidance requirements and expect new options for derived credentials! For example, NIST is required to 1) develop a roadmap within months for developing new and updating existing NIST guidance related to ICAM, 2) develop and issue guidance to promote the deployment of technology, and 3) develop guidance to facilitate deployment and use of derived credentials using authenticators that satisfy the security and privacy requirements in 800-63 while leveraging the PIV identity proofing process.
Finally, the government is adopting models that have proven successful in the private sector! Kudos, OMB!