GSA Outlines Best Practices for Identity Management

The General Services Administration’s Office of Government Policy is developing new playbooks to guide agencies through Identity, Credential and Access Management (ICAM) implementation, especially as more data and services move to the cloud.

“From the context of ICAM…[efficiency] is the core in an agency’s infrastructure to help enable some of the modernization and customer experience initiatives that agencies are doing,” GSA’s Director of the Identity Assurance and Trusted Access Division, Ken Myers, explained during GovCIO Media & Research’s Zero Trust Breakfast on Thursday.

ICAM spans across all functions of how systems are run and accessed, including people as well as other technologies like automation and robotic process automation (RPA). GSA has published four playbooks since last September. The playbooks focus on single sign-on, authentication and digital identity risk assessment (DIRA) to simultaneously accelerate efficiency and security.

“We’re talking about granting access, but would you be able to revoke access very quickly as well? So, are those capabilities being considered at the time? That’s certainly something that should be top of mind,” Felipe Fernandez, director of systems engineering at Fortinet Federal explained. “If you’re going to deploy your trust, you’re doing automation…don’t just stop at the users.”

The six-step Digital Identity Risk Assessment playbook helps federal CIOs update and maintain consistent processes, determine whether an agency application requires a DIRA, integrate DIRA into agency Risk Management Framework (RMF) processes and learn practices to implement DIRA processes. GSA compiled best practices for the playbook based on OMB’s Memo 19-17 and NIST’s Special Publication 800-63-3.

As more agencies adopt cloud platforms, Myers said its critical to have security and identity management solutions in place. GSA’s Cloud Identity playbook pretexts OMB’s FY 24 priorities, which calls on agencies to make stronger investments in cloud and security.

“It tries to help agencies understand the advantages of using a FedRAMP identity as a service,” Myers said. “There are three capabilities to FedRAMP identity as a service. It’s combining directory services, supporting multiple forms of multi-factor authentication and providing a single sign on tool. Those three capabilities built into one.”

Looking into 2023, GSA will work to align the federal ICAM infrastructure to the identity action steps within the federal zero trust strategy. GSA will also focus on insider threat mitigation. In the coming weeks, GSA plans to publish the privileged identity playbook. The playbook is currently undergoing final reviews and was a collaboration between GSA and DHS’ Continuous Diagnostic Mitigation program.

“That’s a joint collaboration where we took insider threat mitigation best practices and then combined it with privileged IT user best practices,” Myers said.