White House seeks to tighten identity management in federal agencies

A memo from OMB asks agencies to coordinate regularly to make sure federal identity management policies are consistently implemented.
identity management

A new White House memo tasks agencies with clamping down on identity security by designating a team of officials from the offices of the chief information officer and chief security officer, among others, to tackle the issue.

The Office of Management and Budget draft policy released Friday asks these officials to coordinate regularly to make sure federal Identity, Credential, and Access Management (ICAM) policies are consistently implemented. The proliferation of personal information through social media and data breaches makes verifying identities all the more important for agencies, OMB said.

ICAM – a set of measures to prevent unauthorized access to sensitive information – is a staple of cybersecurity, and federal agencies have had to adapt to evolving identity scams from hackers. ICAM took on added importance in the U.S. government after the devastating 2015 Office of Personnel Management breach, in which hackers used compromised credentials to steal information on 22 million current and former federal employees. Federal officials have been trying to bolster ICAM security ever since.

The OMB memo, which includes policy updates on encryption, multi-factor authentication, and digital signatures, also asks agencies to diversify their risk by using multiple credential providers to offer “resiliency in case of a compromise or other service failure with a credential provider.”


The draft policy includes other important updates. It asks agencies to find a way to automate agency-wide reporting on identity management, and to better understand how changes in a user’s access privileges over time affect cybersecurity and privacy.

Guidance from the National Institute of Standards and Technology will once again serve as the blueprint for agency cybersecurity policy. “The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks,” the NIST guidance warns, while laying out a slew of measures to guard against such attacks.

OMB is soliciting feedback on the memo through GitHub or an email to the federal CIO’s office.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts