Introduction

Legacy identity and access management (IAM) is often considered a cumbersome, complex, and archaic monolith. In particular, legacy IAM often requires lengthy development time for updates and onboarding new applications, particularly cloud applications. Additionally, many security and technology professionals fear that changes made to an identity system will create havoc throughout their environment, especially with dependent downstream systems. All of this is leading many government agencies to look elsewhere to remedy their digital identity woes.

If legacy approaches to digital identity are inflexible and monolithic, modern identity solutions are agile and adaptable. Modern digital identity systems are flexible and lightweight and often come out of the box with prebuilt integrations with a variety of applications and platforms. These new systems take an API-first approach to identity and are vendor-neutral, scalable, secure, and easy to use. Standard APIs for modern systems can be configured in days, if not hours; legacy systems can take weeks or months. The API approach also enables easier integration with cloud-based applications, while integrating legacy systems is often more complex.

As federal agencies contemplate switching to a modern digital identity system, they also need to account for new regulations. Executive Order 14028, "Improving the Nation's Cybersecurity," states that federal agencies must take a Zero Trust approach to controlling access to online systems.[1] Identity is at the core of Zero Trust, and modern identity enables organizations to comply with this regulation. In addition, it allows organizations to bring partners to the table to help them comply with other Zero Trust requirements. Other regulations are driving change across the federal landscape, including at the U.S. Department of Defense (DoD), and are pushing federal entities toward scalable, flexible, and cloud-based solutions. These drivers are forcing agencies to look beyond the traditional Common Access Card (CAC) and Personal Identity Verification (PIV) credentials to other form factors, including those that are phishing resistant.

Policy and Regulatory Drivers

Cybersecurity has been top of mind for all recent administrations, with 2021's Executive Order 14028 laying out the priorities, and follow-on policies and regulations detailing more specifics. Modern, cloud-based digital identity is central to many of the initiatives, including:

  • Zero Trust: Executive Order 14028 mandated that federal agencies take a Zero Trust approach to controlling access to online systems. Identity is a core pillar of Zero Trust, a point recognized by OMB implementing memo M-22-09, released in January 2022. The emphasis is not just multi-factor authentication (MFA), but rather taking a holistic, risk-based approach to digital identity and enabling continuous authentication and authorization that checks every interaction among device, data, and user. Classifying users and their access levels in the directory is critical, so that a modern digital identity system can grant appropriate access.
  • DoD Identity Credential & Access Management (ICAM) Strategy: The DoD's Common Access Card (CAC) and the Personal Identity Verification (PIV) credentials used at other federal agencies have been in use for more than 15 years. While there is nothing wrong with the security provided by these smart cards, they pose operational challenges to an increasingly remote and mobile workforce—a challenge long faced by users in the Guard or Reserves. Moreover, authentication technologies have evolved, and other form factors have emerged. Particularly during the pandemic, other form factors have been used for access to federal systems because of the complexity of issuing the smart cards. Agencies want to explore "Bring Your Own Device" (BYOD) to enable other authenticators for soldiers, employees, and others—spouses and children—who may need secure access to DoD networks. Requiring only CAC or PIV for access to certain resources will make BYOD impossible. Agencies need a flexible identity system that can accept a range of commercial off-the-shelf (COTS) authenticators in addition to the ones issued by federal agencies.
  • Phishing-Resistant MFA: The White House Office of Management and Budget's Zero Trust strategy document calls for agency employees and contractors to use a phishing-resistant method to access agency-hosted accounts, including FIDO2 and mobile app-based push notification.[2] The option must also be made available to citizens accessing federal systems.
  • DoD Software Modernization Strategy: The strategy emphasizes the importance of commercial partnerships through the adoption of cloud-based technologies. There is also an emphasis on enterprise services that provide ready-to-use, composable functions, such as identity management and APIs, to support software modernization efforts. This enables the DoD to quickly adopt and use secure capabilities in support of mission requirements.
  • Continuous Authority to Operate (CATO): With software modernization comes automation, which enables the DoD to reevaluate the Authority to Operate (ATO) process. Software modernization will shift the ATO process from a "box check" to continuous authorization that involves validating the quality and security of the software development platform, process, and platform team. It couples this validation with automation to produce real-time, continuous evidence that verifies the defensive posture of the platform and of the software it produces.
  • CMMC 2.0: The certification aims to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors.

Footnote

1. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
