How DOJ Uses ICAM to Fight Fraud

The Office of Justice Programs (OJP) needs to ensure the right grants make it to the right people, and identity, credential and access management solutions (ICAM) create a crucial gateway to applicants and awardees.

“Law enforcement officers — and community programs and their officers — they don’t have a lot of time to go through arduous processes,” said Jaime Noble, OJP Deputy Director for IT Security and Deputy Chief Information Security Officer at an FCW event Tuesday. “But we need to make sure that, as stewards of federal dollars, we are giving money to people who are who they say they are.”

To implement ICAM solutions, Noble needed buy-in from department leadership. She explained how an ICAM system would support business processes in addition to securing DOJ’s digital infrastructure.

“There’s only so much money to go around, but I think that presenting security as a business case and really outlining how implementing an identity and access management system — implementing any other aspect of the executive order [on improving the nation’s cybersecurity] — how that is going to benefit the mission and the business,” she said.

Now, OJP uses ICAM solutions to vet system users and ensure the proper awardees access federal funding.

“One thing that we get audited on every year is fraud, waste and abuse,” Noble said. “Who is getting access to this money? Is it the right amount of money? And also the confidentiality of the data in our system, the integrity of that system, the availability of it. … We want these funds to go to specific organizations and entities for very specific purposes. And so to that end, identity and access governance really is the gatekeeper of that.”

But ICAM solutions can hinder mission delivery if they introduce too much user friction, Noble added.

“Maybe there are some risk-based decisions that we need to make,” she said. “Let’s say you have a role of a state governor accepting an award. If the two or three times a year you have to log in to the system you have to go through eighteen checks just to get it there to accept that award, that causes a lot of friction. What that ends up setting up is that their assistant or their deputy maybe has the password and the login information. That’s something, from a security perspective, that we really don’t want to happen.”

OJP is currently collecting data on when people run into issues — whether they’re having trouble with password recollection, MFA access, entity administrators, or other hurdles — and working to increase efficiency and enhance the user experience.

“If the system is slowing down and people can’t use it, it doesn’t really matter what security we’re putting on there,” Noble said. “Because that’s really what [user’s] care about, is their mission.”