What does the latest OMB ICAM policy mean?

The Office of Management and Budget (OMB) memorandum M-19-17 “Enabling Mission Delivery through Improved Identity, Credential, and Access Management (ICAM) policy” establishes a comprehensive roadmap for the modernisation of ICAM for Federal Agencies.

So, what are the implications of this latest Federal Government memorandum and what next steps need to be taken to comply with it?

In short, OMB M-19-17 reinforces HSPD-12 and FIPS-201 policies and serves to continue progressing ICAM within the government by expanding the number and form of permitted authenticators.

 

PIV cards remain at the heart of identity security

Federal Information Processing Standard 201 (FIPS 201), the response to Homeland Security Presidential Directive 12 (HSPD-12), sets the standard for common identification of federal employees and contractors.

OMB’s M-19-17 release, together with FIPS 201 and HSPD-12 underlines the important role of PIV cards in federal identity and promotes the issuance of Personal Identity Verification (PIV) credentials across all federal enterprise identities.

In fact, the new memo states that agencies are required to use PIV-based authentication for physical as well as logical access – something which many agencies are yet to adopt.

 

Agencies need to plan how they will adopt Derived PIV

We are seeing a number of agencies adopting Derived PIV credentials, enabling their employees to derive credentials from PIV cards onto mobile devices and tokens such as the YubiKey. However, many more agencies are yet to adopt Derived PIV. M-19-17 highlights the importance of embracing authentication using mobile platforms and clears the obstacles to deployment of a much wider range of form-factors that have been holding back the more flexible use cases that the agencies have been demanding for some time.

 

Benefits of adopting Derived PIV

• Seamless authentication into agency resources from mobile devices
• Access Office 365 securely
• Decrypt email on mobile devices
• Securely access laptops with keys such as the YubiKey
• Access secure buildings with a mobile device
• Use apps to verify identity

 

Standards set by NIST

The National Institute of Standards and Technology (NIST) define the standards with which federal agencies must comply, in the form of a series of Special Publications and Inter-Agency Advisories.

M-19-17 highlights a number of these, including SP800-63-3, which was recently updated to reflect different levels of assurance for identities, authenticators and federated assertions. This opens the route for agencies to embrace new technologies for identity and access management that will let them implement secure access controls within business processes that were previously unattainable.

Over the coming months, we can expect updates to a number of the other special publications to further extend the use of multiple form factors for authentication.

 

How do I manage these new technologies?

Once each federal employee or contractor is in possession of two or more different means of authentication, you will clearly need to have a sophisticated Credential Management System (CMS) to manage each one throughout its lifecycle.

Fortunately, Intercede’s MyID is already ‘PIV-D Ready’ – and has been for the past 3 years.

MyID can manage multiple devices including mobile and USB tokens, through a common set of administrative functions and self-service interfaces.

 

Best practice guidance from NCCoE

Trusted to help federal agencies including the Social Security Administration and Transportation Security Administration to issue and manage millions of digital identities, our team have the knowledge and experience federal agencies need to get their identity solutions in shape. MyID can also be found in the NIST National Cybersecurity Center of Excellence laboratories as part of a best practice solution alongside partners Intel, IBM, MobileIron and Verizon for federal agencies to implement Derived PIV solutions.

 

Technology for seamless derived PIV

MyID self-service opens up a web portal for end-users to utilise their PIV card to derive a credential onto their mobile device or key. MyID is configurable for agencies to elect their chosen primary credential. A solution that is trusted by governments and federal agencies for citizens and employees alike to seamlessly transfer a trusted credential onto a mobile device.

 

Find out more

Looking to evolve your PIV solution to Derived PIV? Visit our Derived PIV page to find out how MyID credential management is opening up Derived PIV for federal agencies and making a seemingly complex evolution simple.