A new White House memo tasks agencies with tightening identity security by designating a team of officials from the offices of the chief information officer and chief security officer, among others, to tackle the issue.
The Office of Management and Budget draft policy released Friday asks these officials to coordinate regularly to make sure federal Identity, Credential, and Access Management (ICAM) policies are consistently implemented. The proliferation of personal information through social media and data breaches makes verifying identities all the more important for agencies, OMB said.
ICAM – a set of measures to prevent unauthorized access to sensitive information – is a staple of cybersecurity, and federal agencies have had to adapt to evolving identity scams from hackers. ICAM took on added importance in the U.S. government after the devastating 2015 Office of Personnel Management breach, in which hackers used compromised credentials to steal information on 22 million current and former federal employees. Federal officials have been trying to bolster ICAM security ever since.
The OMB memo, which includes policy updates on encryption, multi-factor authentication, and digital signatures, also asks agencies to diversify their risk by using multiple credential providers to offer “resiliency in case of a compromise or other service failure with a credential provider.”
The draft policy includes other important updates. It asks agencies to find a way to automate agency-wide reporting on identity management, and to better understand how changes in a user’s access privileges over time affect cybersecurity and privacy.
Guidance from the National Institute of Standards and Technology will once again serve as the blueprint for agency cybersecurity policy. “The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks,” the NIST guidance warns, while laying out a slew of measures to guard against such attacks.
OMB is soliciting feedback on the memo through GitHub or an email to the federal CIO’s office.