Industry Looks Towards ICAM Policy Updates

Phone mobile security protection

With growing interest in cloud, mobility, and zero-trust technology, industry leaders in the identity credential access and management (ICAM) space are seeing a divergence between the existing policy of Common Access Card (CAC) and personal identity verification (PIV) cards, and new technology.

Dean Scontras, vice president of public sector at Duo Security, told MeriTalk that in the ICAM space, the divide between identity cards and authentication through new methods is growing. As the VP at a company best known for its multi-factor authentication, you can guess which camp Scontras falls in.

“We can coexist for the time being, but I think most people envision a future where you’re authenticating with a biometric, or some other kind of authenticator,” he said.

Indeed, Scontras’ vision is shared by many in Federal IT. Dana Deasy, CIO at the Department of Defense, said that “the mobile device is the device that is going to become the predominance of how we work, interact, and communicate across the department moving forward” during the Defense Information Systems Agency (DISA) Forecast to Industry event in November.

However, the process is easier said than done. Even Deasy has noted the difficulty in moving to the new technology. While his predecessor, Terry Halvorsen, created a two-year plan in 2016 to replace the CAC card, Deasy acknowledged in September that the CAC card “will remain the department’s primary authenticator for the foreseeable future.”

Even Scontras acknowledged that “it is unrealistic to think that they’re going to scrap [the Federal] PKI (Public Key Infrastructure program) any time soon,” but saw an opening for current products, like Duo, as a bridge between the existing technology and new solutions, with an eye towards new solutions and zero-trust architectures in the future.

One policy that has seen recent changes is Trusted Internet Connections, with a new draft released in December. While the TIC 3.0 includes the new Use Cases that allow for the adoption of new technology, Scontras noted that he had not yet seen a large impact.

Scontras also spoke to the company’s work in getting FedRAMP approval. Having received their sponsorship from the Department of Energy last fall, he shared that they tentatively expect to receive approval in the summer. He praised the process and the experience with the program management office, and noted that Duo has pushed to get through the process quickly.

Recent