The modernization of identity, credential, and access management (ICAM) has long been critical to improving Federal agency cybersecurity, and is only becoming more urgent due to President Biden’s cybersecurity executive order (EO) and associated policy directives requiring agencies to move to zero trust security architectures, government officials said on April 19 at a virtual event organized by FedInsider.
Dr. Gregory Edwards, the chief information security officer at the Federal Emergency Management Agency (FEMA), said the agency has been implementing ICAM solutions in an incremental fashion.
“Not one big-bang solution by this service or this product,” Edwards said, means that “you will have zero trust now, [and] you will have identity management everywhere.”
“In the business of FEMA we primarily have to provide public-facing services,” he explained. That means disaster survivors must access FEMA systems and services to let the agency know who they are. Once that information is collected, identities have to be vetted, and Edwards said it’s a balancing act to not overly burden the process or the citizens participating in it.
David Temoshok, senior advisor for applied cybersecurity at the National Institute of Standards and Technology (NIST), noted that NIST has three levels of assurance in its risk management framework.
“The risk management framework provides for the controls, the requirements, and the mitigations to control risk at three different levels – low risk, moderate risk, and high risk – the digital identity guidelines parallel and provide for controls and requirements,” Temoshok said.
NIST does this for three principal processes for digital identity management, identity proofing, and enrollment into an identity system, he said. Additionally, NIST provides authentication processes for individuals that have been successfully identity proofed and have accounts or otherwise are allowed access to Federal online services.
The agency also provides for federation services, meaning it shares information about authentication status and identity attribution information across agencies and across identity domains, he said.