The White House Office of Management and Budget (OMB) has proposed identity, credential and access management (ICAM) guidelines for federal agencies.
These guidelines are designed to strengthen the cybersecurity of federal agencies through the development and management of effective ICAM policies, according to a memo from OMB Director Mick Mulvaney.
The proposed OMB cybersecurity guidelines outline government-wide ICAM responsibilities across the following areas:
- Implementation of effective ICAM governance. Federal agencies must follow the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 and Homeland Security Presidential Directive 12 (HSPD-12) security requirements.
- Modernization of federal agency ICAM capabilities. Federal agencies must deploy ICAM services and solutions that are not fragmented or duplicative.
- Federal agency adoption of shared ICAM services and solutions. Federal agencies must leverage shared ICAM services and solutions, including credential management and identity assurance and authentication offerings.
In addition, the OMB cybersecurity guidelines include updates to previous cybersecurity requirements in several areas, such as:
- Digital signatures.
- Encryption.
- Multi-factor authentication (MFA).
Federal agencies must be able to identify, credential, monitor and manage user access to information and information systems, Mulvaney noted. With the proposed OMB cybersecurity guidelines, federal agencies can streamline their ICAM policy management and ensure they are protected against evolving cyberattacks.
How Could the Proposed OMB Cybersecurity Guidelines Impact Federal Agencies?
The proposed OMB cybersecurity guidelines help federal agencies limit cyber risk, Mulvaney indicated. The guidelines could transform the way that federal agencies conduct identity-proofing tasks, establish digital identities and adopt processes for authentication and access control.
Also, the OMB cybersecurity guidelines ensure federal agencies can adopt identity validation solutions to enhance data privacy across social media and other digital platforms, according to Mulvaney. The guidelines empower federal agencies to develop risk-based ICAM strategies to minimize the impact of data breaches and other security incidents.
OMB Issues Memorandum on Data Breach Response
In January, OMB released a "Breach Memorandum" to advise federal agencies on how to prepare for and respond to a breach of personally identifiable information (PII). The memorandum promoted the development of a consistent approach for federal agencies to manage breaches.
The Breach Memorandum included a framework for assessing and mitigating the risk of harm to individuals potentially affected by a data breach. It also provided federal agencies with tips to help them identify breaches and tailor their breach response efforts accordingly.
Seventy-one percent of U.S. federal agencies have experienced a data breach, according to the "2018 Thales Data Threat Report: Federal Government Edition" from cybersecurity and defense solutions provider Thales and analyst firm 451 Research. Furthermore, the Thales report showed 51 percent of federal agencies have suffered a breach in the past year, and 73 percent intend to increase their IT security spending.