Breaking Down the White House ICAM Memo: Key Steps for Federal Agencies

White House flag at half mast

By: Bryan Murphy, Director, Consulting Services & Incident Response, CyberArk

Digital transformation is happening everywhere – and with increasing urgency in the Federal government.  Advances in cloud technology have allowed the acceleration of these initiatives; yet with those innovations come critical cybersecurity challenges, especially as it relates to identity management and data privacy.

The Federal government houses some of the most sensitive information anywhere, including Social Security numbers, medical records and national security data – a virtual goldmine for attackers and other bad actors.  The government reports tens of thousands of cyber incidents each year – numbers that are expected to grow with attacks that are only get more sophisticated.  As government agencies modernize their digital infrastructures, new processes must be put in place to address the reality of today’s landscape.

This summer, the White House released a new policy memorandum for Identity, Credential, and Access Management (ICAM), addressing its importance in digital government operations and outlining new procedures agencies must adhere to.

There are two critically important parts:

  • Agencies of the Federal Government must be able to identify, credential, monitor, and manage subjects that access Federal resources. This includes the ability to revoke access privileges when no longer authorized in order to mitigate insider threats associated with compromised or potentially compromised credentials. It also includes the digital identity lifecycle of devices, non-person entities (NPEs), and automated technologies such as Robotic Process Automation (RPA) tools and Artificial Intelligence (AI).
  • Each agency shall define and maintain a single comprehensive ICAM policy, process, and technology solution roadmap. These items should encompass government-wide Federal Identity, Credential, and Access Management (FICAM) Architecture and CDM requirements, incorporate applicable Federal policies, standards, playbooks, and guidelines, and include roles and responsibilities for all users.

This guidance makes clear that federal agencies must now shift toward a dynamic, risk-based approach to securing federal information and infrastructure, one that requires a measurable, fully-documented risk management and technology adoption process. To ensure compliance with the new ICAM policy, agencies need to start with the following baseline essentials:

  • Understand the Breadth of “Identity”
    More than just a single user, identity encapsulates every device and application a user accesses through credentials, which present one of the greatest risk factors. An admin may be one single user, but if their credentials get compromised, an attacker can see everything they have access to – making it critical to have the right mechanisms in place to authenticate and track all of the identities within your infrastructure. Safeguards like step-up authentication and managerial approval processes help mitigate risk from privileged credential-based attacks before allowing access to critical assets and resources.
  • Manage Risk Though Privilege
    Since privileged and administrative accounts have been exploited in nearly every major attack affecting federal government agencies, the first priority needs to be securing privileged access. Security frameworks such as the Council on Cyber Security Top 20 Critical Security Controls, NIST, and others, have always maintained the importance of protecting, managing and monitoring privileged and administrative accounts and provide excellent resources for agencies on how to most effectively do so.
  • Address Common Attacks
    Attackers often harvest credentials and move laterally across the infrastructure, for example using Pass-the-Hash techniques in which an attacker steals account credentials from one device and uses them to authenticate across other network entry points in order to steal elevated permissions, or by leveraging unmanaged SSH keys in order to login with root access. Understanding where your agency is most vulnerable and take actions to fortify these weaknesses while prioritizing the most important credentials. Implement automated controls to respond when it’s necessary to respond.
  • Measure Continuously
    Regularly audit infrastructure to discover potentially hidden and unprotected privileged access, including cloud and DevOps environments – which Federal agencies are increasingly using. Ensure continuous reassessment and improvement in privileged access hygiene to address a changing threat environment and identify and pre-define the key indicators of malicious activity.

While the adoption of transformative technologies like cloud environments does expand an agency’s attack surface, the solution is not to eschew modern technology but rather to account for the risks that these technologies introduce and make them part of the solution. The White House’s new guidelines provide a comprehensive focus for agencies to do just that – make the most of opportunities afforded by digital transformation, while instituting a risk-based approach that protects agencies’ most important resources simultaneously.

By zeroing in on the critical area of privileged access, addressing common types of attacks, and measuring outcomes continuously, federal agencies will be well-equipped to adopt this new risk-based approach to security now required, but without sacrificing technological advancements that are integral to modern organizations.