GSA Outlines Best Practices for Identity Management
Ken Myers explains how GSA’s new playbooks are guiding federal agencies’ identity management.
The General Services Administration’s Office of Government Policy is developing new playbooks to guide agencies through Identity, Credential and Access Management (ICAM) implementation, especially as more data and services move to the cloud.
“From the context of ICAM…[efficiency] is the core in an agency’s infrastructure to help enable some of the modernization and customer experience initiatives that agencies are doing,” GSA’s Director of the Identity Assurance and Trusted Access Division, Ken Myers, explained during GovCIO Media & Research’s Zero Trust Breakfast on Thursday.
ICAM spans across all functions of how systems are run and accessed, including people as well as other technologies like automation and robotic process automation (RPA). GSA has published four playbooks since last September. The playbooks focus on single sign-on, authentication and digital identity risk assessment (DIRA) to simultaneously accelerate efficiency and security.
“We’re talking about granting access, but would you be able to revoke access very quickly as well? So, are those capabilities being considered at the time? That’s certainly something that should be top of mind,” Felipe Fernandez, director of systems engineering at Fortinet Federal explained. “If you’re going to deploy your trust, you’re doing automation…don’t just stop at the users.”
The six-step Digital Identity Risk Assessment playbook helps federal CIOs update and maintain consistent processes, determine whether an agency application requires a DIRA, integrate DIRA into agency Risk Management Framework (RMF) processes and learn practices to implement DIRA processes. GSA compiled best practices for the playbook based on OMB’s Memo 19-17 and NIST’s Special Publication 800-63-3.
As more agencies adopt cloud platforms, Myers said its critical to have security and identity management solutions in place. GSA’s Cloud Identity playbook pretexts OMB’s FY 24 priorities, which calls on agencies to make stronger investments in cloud and security.
“It tries to help agencies understand the advantages of using a FedRAMP identity as a service,” Myers said. “There are three capabilities to FedRAMP identity as a service. It’s combining directory services, supporting multiple forms of multi-factor authentication and providing a single sign on tool. Those three capabilities built into one.”
Looking into 2023, GSA will work to align the federal ICAM infrastructure to the identity action steps within the federal zero trust strategy. GSA will also focus on insider threat mitigation. In the coming weeks, GSA plans to publish the privileged identity playbook. The playbook is currently undergoing final reviews and was a collaboration between GSA and DHS’ Continuous Diagnostic Mitigation program.
“That’s a joint collaboration where we took insider threat mitigation best practices and then combined it with privileged IT user best practices,” Myers said.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
Biden Signs New Tech Executive Orders Before Departing Office
Joe Biden signed two new executive orders this week promoting future cyber and AI priorities before Donald Trump takes office Monday.
5m read -
DODIN Strategy Aims to Outpace Cyber Threats
JFHQ-DODIN Commander Lt. Gen. Paul Stanton says the new "How We Prevail" plan moves from reactive defense to proactive threat mitigation.
4m read -
Preparing for the Future Cyber Landscape
CISA, CFPB and Rubrik discuss how they’re building cybersecurity best practices and developing their workforces to prepare for the future threat landscape and bolster cyber resilience.
30m watch -
Air Force Chief: Modernization Is Critical to Maintaining Superiority
Air Force Secretary Frank Kendall cites AI, automation and cyber resilience as key modernization components to outpace China by 2050.
3m read