Of all the changes Circular A-130 brought forth, maybe the most significant is catching federal policy up with reality.
The fact the Office of Management and Budget hadn’t done a full update of A-130 in 16 years gave some agencies the ability to slow-roll unfunded mandates, because they said those requirements weren’t in the overarching policy document.
Identity management is a great example of where this happened.
Judy Spencer, chairwoman of the policy management authority for the CertiPath bridge and a former General Services Administration official who oversaw many of the identity management initiatives across government, said the A-130 update creates one place for leaders to point to in moving government and industry toward a more complete use of identity management. CertiPath is a trusted authority for interoperable identities used for collaboration in the aerospace and defense industry.
“When we were first issuing personal identity verification (PIV) cards, and we had Homeland Security Presidential Directive-12 and Federal Information Processing Standard-201 from the National Institute of Standards and Technology, everyone was on board, but when we said they had to use them, they said there was no requirement for PIV card use,” Spencer said. “For a long time, agencies said we issued them and will use them as flash passes, because there is nothing that says we have to use them. Many fought against door readers and access control as well. And you understand it, they have a finite IT budget and don’t want to spend on something that doesn’t have a mandate behind it.”
OMB eventually issued that policy in M-11-11 requiring agencies to use the cards, but that was seven years after HSPD-12.
“Now with A-130, you have the policy you can fall back on because it has caught up with identity management and use of good strong credentials,” she said.
A-130 specifically called out identity assurance and digital signatures in Appendix I.
“Citizens, businesses, and other partners that interact with the federal government need to have and be able to present electronic identity credentials to identify and authenticate themselves remotely and securely when accessing federal information resources,” the policy stated. “An agency needs to be able to know, to a degree of certainty commensurate with the risk determination, that the presented electronic identity credential truly represents the individual presenting the credential before a transaction is authorized. To transform processes for citizens, businesses, and other partners accessing federal services online, OMB expects agencies to use a standards-based federated identity management approach that enables security, privacy, ease-of-use, and interoperability among electronic authentication systems.”
Additionally, A-130 emphasized the value and strength of using public key infrastructure (PKI) to implement digital signatures.
“For employees and contractors, agencies must require the use of the digital signature capability of Personal Identity Verification (PIV) credentials,” the policy stated. “For individuals that fall outside the scope of PIV applicability, agencies should leverage approved federal PKI credentials when using digital signatures.”
Jeremy Grant, a former director of the National Strategy for Trusted Identities in Cyberspace and now a managing director at the Chertoff Group, said the focus on PKI is good, but he wished OMB had offered agencies other technological options for systems that don’t need such a high level of assurance.
“There is no question that PKI is secure, but it’s not a one-size-fits-all model, especially as an authentication tool,” Grant said. “The OMB cyber sprint made good progress, especially with desktops and laptops, but that’s just the first layer. There are dozens of applications that are not integrated with PIV cards or can’t be, and still are using usernames and passwords. And not everyone can get a PIV card, like temporary workers, some researchers and others, and they must default to the username and password. There are things, like what the Fast Identity Online (FIDO) Alliance is working on to create alternatives to SMS two-factor authentication, something NIST also proposed to deprecate in its draft SP 800-63, that could substitute for PKI for some systems or applications.”
Grant said taking a mostly PKI-only approach is difficult for many organizations.
“FIDO is taking what’s good about PKI, the fact you need two different keys that need to match up, but trying to find a simpler way to deploy it without all the infrastructure that is needed,” he said. “The government is saying PKI is the solution for authentication, and it’s certainly secure, but there are other ways you could get the same outcomes without going for a solution that isn’t as heavy. I’d like OMB to have encouraged or permitted agencies to use other identity approaches for employees and contractors.”
Experts said OMB also missed an opportunity in another area: the integration of logical and physical access control.
Neville Pattison, the senior vice president of government programs at Gemalto, a digital services and identity company, said A-130 could’ve done a better job requiring agencies to centralize the identity management function.
“Centralizing identity management brings much better controls for managing the organization in a secure and efficient manner,” Pattison said in an email to Federal News Radio.
Kevin Kozlowski, the executive vice president at XTec Inc., which provides HSPD-12 solutions to government, said that while the policy moves agencies in the right direction by including new initiatives, such as derived credentials for mobile devices, and by incorporating the newer FIPS 201-2 requirements, the lack of attention to physical access control is concerning.
“While industry is anticipating an update to NIST SP 800-116 that will incorporate the next generation access control technologies required by GSA, it’s yet to be seen if that was on the same radar in A-130,” he said in an email to Federal News Radio. “The focus on interoperability is critical to the success of all of the identity and access management initiatives.”
OMB did highlight one major change in A-130 around physical access control systems: “Physical access control systems, which include, for example, servers, databases, workstations and network appliances in either shared or isolated networks, are considered information systems.”
Because OMB now classifies physical access control systems as information systems, they fall under the same security requirements as any other agency system, and agency CIOs will play a much bigger role in managing these hardware and software solutions and integrating them with the logical side.
Kozlowski added the other area A-130 could’ve been stronger is with enforcement.
He said OMB needed something for physical access control like what the cyber sprint did for logical access.
“Way too many systems out there are still using old legacy technology with no authentication,” he said. “Even the ones doing authentication are doing it on a small subset of access control points instead of across the enterprise.”
Pattison also hit upon the challenges with legacy systems as well as the need for continued and constant funding.
Several experts say OMB is revisiting several existing policy documents around identity management, including the December 2003 guidance on e-authentication and the August 2005 memo on implementing HSPD-12.
The experts say it’s unclear whether OMB will reissue updated memos or issue some kind of overlay on top of the existing memos to update specific areas.
But with A-130 completed as the underlying policy document, OMB now can turn its attention to the other memos that are in need of a refresh.