The Office of Management and Budget has released a draft policy on identity, credential and access management (ICAM), seeking public comment on how best to address governmentwide and agency-specific identity management.
“Agencies must be able to identify, credential, monitor and manage user access to information and information systems across their enterprise in order to ensure secure and efficient operations. In particular, how agencies conduct identity proofing, establish digital identities and adopt sound processes for authentication and access control will significantly impact the security of their digital services,” wrote OMB Director Mick Mulvaney.
“Additionally, as information about individuals becomes more widely available through social media or through breaches of personally identifiable information (PII), it is increasingly important that all agencies adopt identity validation solutions that enhance privacy and mitigate negative impacts to delivery of digital services and maintenance of online trust.”
The draft policy would require agencies to use National Institute of Standards and Technology and Department of Homeland Security guidance to accomplish five ICAM goals:
- Define and implement ICAM policies, processes and technology solutions that encompass the agency’s entire enterprise;
- Design an integrated ICAM office that includes personnel from the offices of the Chief Information Officer, Chief Security Officer, Human Resources, General Counsel, Senior Agency Official for Privacy and component organizations;
- Outline performance expectations for cybersecurity and risk management;
- Develop a method for streamlining and automating performance reporting; and
- Incorporate digital identity risk management into existing processes.
The policy also encourages agencies to adopt modern, shared ICAM solutions and capabilities.
The Department of Commerce, Office of Personnel Management, Department of Homeland Security and General Services Administration would also have governmentwide responsibilities, including developing ICAM guidance and product lists.
Comments on the draft policy can be submitted through GitHub or by emailing the federal Office of the Chief Information Officer.