The Office of Management and Budget will eventually release a new consolidated policy on identity management, which will build off a series of recently-updated guidelines from the National Institute of Standards and Technology and the Trump administration’s own effort to cut back on agency reporting requirements.
The future policy is an attempt to simplify the many existing guidelines agencies and contractors already have on identity management efforts, said Joe Stuntz, a policy lead for OMB’s cyber and national security unit.
“As part of this burden reduction effort, we are looking at the existing identity memos [and] the fact that agencies have to go to five or six different places,” he said during a panel discussion at the Security Industry Association’s Gov Summit in Washington June 29. “We are looking at how to do a little bit of centralization around that, how to make sure agencies know where to look [and] aren’t going to five different places [and] getting conflicting guidance.”
OMB will look to the Circular A-130 update and the Federal Identity, Credential and Access Management (FICAM) roadmap, among others, as it writes the new consolidated policy.
The forthcoming OMB policy will also build off new digital identity guidelines, NIST Special Publication 800-63, which NIST released June 22.
“It’s trying to separate the identity proofing from the authentication,” Stuntz said of the NIST update. “We have lots of use cases in the federal government where you may need a strong level of authentication but maybe not so much an identity proofing.”
NIST last updated these documents in 2013. The new guidance removes levels of assurance (LOAs) and replaces them with:
Identity assurance level,
Authentication assurance level, and
Federation assurance level.
“These changes simplify and clarify guidance, better align with commercial markets, promote international interoperability and focus on outcomes (where possible) to promote innovation and deployment flexibility,” NIST wrote in a June 22 blog post.
Stuntz wouldn’t estimate a release date for the new policy, but he said OMB would accept public comments on it.
The new NIST guidance and OMB’s coming directive will focus more on outcomes and less on specific technology solutions, he added.
“For the federal agencies … we’re still focused on the [personal identity verification] PIV credential,” he said. “But for contractors and vendors and people who play in this space, we are trying to make it possible to meet our security outcomes without proscribing a single solution. There’s lots of technology out there; I won’t give a specific one. We are trying to make sure we are not limiting innovation through our policy. My rule of thumb is policy at worst should be out of the way, and at best should be incentivizing the best stuff. This NIST guidance really sets the stage to promote innovation and show what we should be doing. The PIV card has been a standard and will be continuing to be going forward … but we also need to know what’s out there and what we could be doing better.”
Agencies are now seeing the progress the government has made in securing its systems and data in the wake of the Office of Personnel Management’s massive data breach and the cyber sprint that followed.
The fiscal 2016 Federal Information Security Management Act (FISMA) report to Congress showed governmentwide improvements around information security continuous monitoring capabilities, the use of multi-factor authentication for network access and the implementation of anti-phishing and malware defense capabilities.
Stuntz said OMB wants to develop policies that can help agencies scale the kind of progress they saw with two-factor authentication during the cyber sprint.
“We finally, in my perspective, have focus on the strong access,” he said. “It has been mainly focused on the logical side. How do we expand that scope, not just for authentication but … the privileged management? There’s a lot of things that should be included in this, and we haven’t quite gotten there yet. But we need to.”
The coming policy isn’t a huge surprise. Identity management experts told Federal News Radio last summer that OMB was reviewing several current policies on the topic.
This comes as OMB continues to push broad, governmentwide efforts designed to help agencies modernize their legacy IT systems and take an enterprise approach toward protecting federal networks with the administration’s cybersecurity executive order.
“We are looking at modernization not of just technology but of business processes,” Stuntz said. “When we talk about modernization of technology, it is not intended just to be the thing that you are buying or the system, but you are modernizing the business process around it.”