OMB has issued a new policy on identity, credential and access management, which it says “has become even more critical to the federal government’s successful delivery of mission and business promises to the American public.”
“To ensure secure and efficient operations, agencies of the federal government must be able to identify, credential, monitor, and manage subjects that access federal resources, including information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services, as well as individuals’ privacy,” says memo M-19-17.
While Homeland Security Presidential Directive 12 remains the government-wide policy for forms of personal identity verification (PIV) credentials issued by the government to its employees and contractors, it says, “as technology evolves, the government must offer flexible solutions to meet changing technology needs and shift the focus from managing the lifecycle of credentials to the lifecycle of identities.”
The memo covers topics including requirements for agencies to: “support cross-government identity federation and interoperability by identifying and resolving obstacles to accepting the PIV identity assertions from other agencies”; “shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems”; and “manage the risk to services and public user data at a level commensurate with the risk inherent to the digital offering as well as with the sensitivity of the data collected to provide the digital offering.”
The memo, which overrides a number of prior OMB memos dating to 2004, also lays out a series of specific responsibilities for DHS, OPM and individual agencies.