A group of federal IT managers and officials from the General Services Administration are working together on two things: an update to the Federal Identity, Credential and Access Management (FICAM) framework, which is on track for release in October, and a set of playbooks to help agencies implement various security measures.
The revised FICAM won't have much in the way of policy updates, according to LaChelle LeVan, FICAM chief technical architect at GSA. However, the update will make the document more readable, searchable and generally "consumable."
The new FICAM will be digitized, fully indexed and searchable, and rewritten using plainer language and industry terminology.
"Some of the early FICAM documents were fantastic. They helped educate our community on what the problems were and what identity and access management really meant for a government agency," LeVan said. "Now it's time to take it to the next level of maturity: clean it up, focus it, simplify it and provide more direction."
Many agencies made significant progress in their use of PIV cards during this summer's cybersecurity sprint, an important initial step in an ICAM program. From there, it is important that agencies build on those credentials and clarify roles and authentication for parts of the network, as well as physical buildings.
"We have to deliver not only guidance but areas that they can execute on," she explained. "That architecture is focused on taking things like policies and directives and translating those into solutions that you can execute on."
Along with a more consumable FICAM, the tiger team has also begun work on a number of playbooks to provide even more guidance on implementation.
"There's a huge focus across the agencies — no matter what discipline you're working in — on playbooks, instead of focusing on policy and theory," LeVan said. "How do I do what you have told me to just do?"
"Instead of providing a 400-page document that would put you to sleep or is longer than the Iliad, you get a two- or three-page document that literally addresses your particular problem you might be trying to implement," LeVan said.
While the FICAM revisions will likely be released in October, LeVan said the playbooks are further down the line. The group won't hold back, however, and plans to issue the playbooks on a rolling basis as they are finished.
LeVan said anyone who wants to be involved in the process should take a seat at the table. The team is wrapping up work on the FICAM update now but anyone interested in helping develop the playbooks should reach out to firstname.lastname@example.org.