31.5 F
Washington D.C.
Thursday, February 29, 2024

White House Revises Digital Identity Management with ‘Common Vision’

The White House has revised policy for how agencies should handle digital credentials and access control, citing “a new set of challenges” as “information about individuals has become more widely available through social media and breaches of personally identifiable information.”

The Wednesday memo from Acting Office of Management and Budget Director Russell Vought said the federal government “continues to refresh its digital infrastructure through comprehensive efforts focused on cybersecurity, procurement, and management of a workforce capable of operating modem, frequently cloud-based environments,” and to that end has an “intensified focus on risk management and the adoption of processes, policies, and solutions that enhance privacy and security and that mitigate the degradation of operational service delivery.”

“Accordingly, identity management has become even more critical to the Federal Government’s successful delivery of mission and business promises to the American public,” the memo added. “As such, through this Federal ICAM policy, the Government is enacting a common vision for identity as an enabler of mission delivery, trust, and safety of the Nation.”

Agencies’ ICAM strategies must shift, the memo said, to “a new model informed by risk management perspectives, the Federal resource accessed, and outcomes aligned to agency missions.” They must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800- 63-3 “in combination with the remaining suite of publications that relate to identity management issued by NIST, the Office of Personnel Management (OPM), and the Department of Homeland Security (DHS) to form a comprehensive approach to identity proofing that safeguards privacy and security.”

“Agencies shall follow the requirements issued by OPM regarding the eligibility to issue, suspend, and revoke [Personal Identity Verification] credentials,” the directive continues. “Agencies shall require PIV credentials (where applicable in accordance with OPM requirements) as the primary means of identification and authentication to Federal information systems and Federally controlled facilities and secured areas by Federal employees and contractors… Agencies, in collaboration with 0MB as necessary, shall support cross-government identity federation and interoperability by identifying and resolving obstacles to accepting the PIV identity assertions from other agencies to grant access ( where authorized) to agency information systems, facilities, and secured areas.”

OMB notes that “for individuals that fall outside the scope of PIV applicability, agencies should define and leverage credentials when using digital signatures.”

Each agency is supposed to establish an ICAM office or team to govern the policy and set performance goals while they “define and maintain a single comprehensive ICAM policy, process, and technology solution roadmap, consistent with agency authorities and operational mission needs.”

“Agencies shall require all contracts requiring contractors to have access to Federally controlled facilities or access to Federally controlled information systems to include a requirement to comply with HSPD-12 and FIPS 201 for affected contractor personnel based on OPM requirements and the Federal Acquisition Regulation (FAR),” the memo continues. “Agencies shall confirm that products and services acquired to further their HSPD-12 and ICAM implementations are compliant with 0MB policy, NIST standards, and supporting technical specifications. Agencies shall leverage approved Best in Class and Tier 2 contract vehicles, or Federally provided shared services, to procure digital certificates for identification and authentication of Federal enterprise identities.”

Agencies tasked with overseeing parts of the government-wide effort to improve digital identity management include the Commerce Department, General Services Administration, OPM, and DHS, which will, in part, “lead research and development (R&D) coordination with the interagency, private sector, and international partner stakeholders to identify ICAM mission needs with related technology capability gaps, including in particular those that cannot be solved with currently fielded technologies, and that may require additional R&D investment to reach operational deployment maturity.”

Bridget Johnson
Bridget Johnson
Bridget Johnson is the Managing Editor for Homeland Security Today. A veteran journalist whose news articles and analyses have run in dozens of news outlets across the globe, Bridget first came to Washington to be online editor and a foreign policy writer at The Hill. Previously she was an editorial board member at the Rocky Mountain News and syndicated nation/world news columnist at the Los Angeles Daily News. Bridget is a terrorism analyst and security consultant with a specialty in online open-source extremist propaganda, incitement, recruitment, and training. She hosts and presents in Homeland Security Today law enforcement training webinars studying a range of counterterrorism topics including conspiracy theory extremism, complex coordinated attacks, critical infrastructure attacks, arson terrorism, drone and venue threats, antisemitism and white supremacists, anti-government extremism, and WMD threats. She is a Senior Risk Analyst for Gate 15 and a private investigator. Bridget is an NPR on-air contributor and has contributed to USA Today, The Wall Street Journal, New York Observer, National Review Online, Politico, New York Daily News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld and more, and has myriad television and radio credits including Al-Jazeera, BBC and SiriusXM.

Related Articles

Latest Articles