White House updates identity, credential and access management policy
The Trump administration has updated the government’s policy for identity, credential and access management (ICAM), with an emphasis on making individual agencies responsible for how users are authenticated to their networks.
New technologies have simultaneously improved federal operations and exposed more personally identifiable information on social media and through breaches, prompting the new ICAM policy. Specifically, the White House memo revises how agencies should conduct identity proofing, establish digital identities and adopt processes for authentication and access control.
While Personal Identity Verification (PIV) credentials remain the standard for accessing federal information systems and facilities, agencies must over time take on the management of identities themselves, according to the memo. Agencies are expected to pilot new authenticators and to ensure they can revoke access and destroy credentials when an employee leaves or a relationship with a contractor ends.
The memo directs agencies to accept PIV credentials from other agencies through electronic verification, instead of issuing new ones. PIV credentials should also be used for digital signatures and information encryption.
“While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems,” reads the memo.
Long term, agencies are moving away from a perimeter-focused model in favor of zero-trust networks that continuously verify and authorize every device, user and flow.
Agencies must designate an ICAM office, team or governance structure, with personnel drawn from multiple offices including the chief information officer’s, to oversee compliance with governmentwide requirements. They must also develop an ICAM policy, process and technology solution roadmap.
Any ICAM capability deployed should be interchangeable, use commercially available products and leverage application programming interfaces to promote interoperability, according to the memo.
Best in Class and Tier 2 contract vehicles, shared services, and the Continuous Diagnostics and Mitigation program can all be used to procure ICAM capabilities.
The memo also aims to limit how often users must disclose personal data in order to access government services.
The General Services Administration has three months to publish and maintain a catalog of ICAM solutions and shared services agencies can use, while the Department of Homeland Security is tasked with leading research and development coordination between agencies and industry to fill tech gaps.