GSA Outlines Best Practices for Identity Management
Ken Myers explains how GSA’s new playbooks are guiding federal agencies’ identity management.
The General Services Administration’s Office of Government Policy is developing new playbooks to guide agencies through Identity, Credential and Access Management (ICAM) implementation, especially as more data and services move to the cloud.
“From the context of ICAM…[efficiency] is the core in an agency’s infrastructure to help enable some of the modernization and customer experience initiatives that agencies are doing,” GSA’s Director of the Identity Assurance and Trusted Access Division, Ken Myers, explained during GovCIO Media & Research’s Zero Trust Breakfast on Thursday.
ICAM spans across all functions of how systems are run and accessed, including people as well as other technologies like automation and robotic process automation (RPA). GSA has published four playbooks since last September. The playbooks focus on single sign-on, authentication and digital identity risk assessment (DIRA) to simultaneously accelerate efficiency and security.
“We’re talking about granting access, but would you be able to revoke access very quickly as well? So, are those capabilities being considered at the time? That’s certainly something that should be top of mind,” Felipe Fernandez, director of systems engineering at Fortinet Federal explained. “If you’re going to deploy your trust, you’re doing automation…don’t just stop at the users.”
The six-step Digital Identity Risk Assessment playbook helps federal CIOs update and maintain consistent processes, determine whether an agency application requires a DIRA, integrate DIRA into agency Risk Management Framework (RMF) processes and learn practices to implement DIRA processes. GSA compiled best practices for the playbook based on OMB’s Memo 19-17 and NIST’s Special Publication 800-63-3.
As more agencies adopt cloud platforms, Myers said its critical to have security and identity management solutions in place. GSA’s Cloud Identity playbook pretexts OMB’s FY 24 priorities, which calls on agencies to make stronger investments in cloud and security.
“It tries to help agencies understand the advantages of using a FedRAMP identity as a service,” Myers said. “There are three capabilities to FedRAMP identity as a service. It’s combining directory services, supporting multiple forms of multi-factor authentication and providing a single sign on tool. Those three capabilities built into one.”
Looking into 2023, GSA will work to align the federal ICAM infrastructure to the identity action steps within the federal zero trust strategy. GSA will also focus on insider threat mitigation. In the coming weeks, GSA plans to publish the privileged identity playbook. The playbook is currently undergoing final reviews and was a collaboration between GSA and DHS’ Continuous Diagnostic Mitigation program.
“That’s a joint collaboration where we took insider threat mitigation best practices and then combined it with privileged IT user best practices,” Myers said.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Trump's Intelligence Pick Backs Cybersecurity, Tech Accountability
The former congresswoman has called for improving cyber defenses and advocated for accountability in federal tech and data practices.
2m read -
DHS Leads Government’s Largest Civilian AI Hiring Effort
On this AI GovCast miniseries, Boyce discusses his journey to the agency with his prior roles at the Office of Management and Budget.
15m listen -
Federal IT Trends in 2024, Outlook for 2025
Federal IT advancements in 2024 showcased the transformative potential of emerging technologies, particularly artificial intelligence.
2m read -
Trump's FBI Pick Calls for Increased Cyber Resiliency
Trump's pick for FBI Director Kash Patel has expressed his plans for bolstering the nation's cyber resiliency if confirmed by the Senate.
3m read