Best Practices for ICAM Shared Service Providers

Dog using computer talking to another dog. The caption reads, "On the Internet, nobody knows you're a dog."
The New Yorker cartoon by Peter Steiner, 1993

Way back in 1993—a lot of time in internet years—a New Yorker cartoonist created what became one of the most oft-cited memes about cybersecurity. A dog sits at a desktop computer saying to a fellow canine, “On the internet, no one knows you’re a dog.” For something from the early days of the world wide web, it was prescient, and the fact that it is still cited today—in the National Institute of Standards and Technology‘s (NIST) “Digital Identity Guidelines, for instance—shows that the challenges of managing identity have grown along with the digital world. Complex organizations like the federal government require robust identity solutions to manage access to government resources. However, the success of a federated identity solution hinges on aligning cybersecurity and shared service best practices. While the importance of both cybersecurity and shared services is widely understood and discussed, aligning and managing the relationship between the two presents challenges. Without alignment, potential partners will not trust their data with a provider, and the shared service will not be able to grow and scale.

The recent and dramatic increase in Federal remote workers has highlighted the challenges around identity, credential, and access management (ICAM), Federal policy on which was laid out in OMB Circular M‑19–17. Through supporting MAX Authentication Services (MAS), Treasury’s Budget Formulation and Execution Manager (BFEM), and our broader work in shared services, TCG has gained important insights into effectively managing a digital identity shared service.

ICAM as a Shared Service Requires Building Trust Between Providers and Partners

Any shared service requires managing its partnerships in a transparent and collaborative fashion, and this is even more important for ICAM because these services guard access to agencies’ most valuable asset—data. Third party organizations like FedRAMP and NIST offer important frameworks for setting, communicating, and assessing standards for these services. However, agencies may not always understand how these standards and assessments help protect their data. Therefore, shared service providers must be prepared to address the needs, risks, and business case for partner organization buy-in.

Adapt and Scale Quickly

While some verification protocols such as knowledge-based verification, for instance, are clearly out of sync with current best practices, user needs, changing technologies, and unforeseen circumstances often require organizations to adapt their protocols quickly without sacrificing security. There has been plenty of evidence of this recently. Due to COVID-19, more workers than ever required remote access to networks. The Small Business Administration (SBA) had to scale its network to handle a workforce of 20,000 personnel—about five times what it was before the pandemic. The office that issued PIV cards for the SBA was closed, so the agency had to find alternative but still secure means of granting access. The Coronavirus Aid, Relief, and Economic Security (CARES) Act necessitated authentication and verification services be quickly scaled up to include agencies allocating funds and their partners in the banking industry who distributed the funds. In short, the use of cloud applications, identity verification services, and remote access went through the roof.

Adaptability is not only important in terms of responding to external events but also for responding to new partner needs. Treasury’s adaptive approach to security with specific federal clients has enabled broader adoption of BFEM as a shared service. BFEM provides information security support to include security document updates for the System Security Plan (SSP), assisting with security reviews, POAM action items as needed, and general security management for the application.

This includes working alongside security analysts at partner agencies to address issues identified through penetration testing, security audit scans, and environmental security flags. These issues are documented, categorized by criticality (low, moderate, high, or critical) to determine the order in which required security control areas were addressed and implemented.

Privacy

Shared service providers need clear policy and procedures regarding privacy rules and the proper handling of personally identifiable information (PII). Privacy policies and associated procedures may be established along the following lines:

  • Access rules for PII within a system
  • PII retention schedules and procedures
  • PII incident response and data breach notification
  • Privacy in the system development life cycle process
  • Limitation of collection, disclosure, sharing, and use of PII
  • Consequences for failure to follow privacy rules of behavior

In addition, shared service providers should:

  • Promote awareness of PII policies and procedures. Awareness efforts designed to change behavior or reinforce desired PII practices. The purpose of awareness is to focus attention on the protection of PII.
  • Minimize the Use, Collection, and Retention of PII. The practice of minimizing the use, collection, and retention of PII is a basic privacy principle. By limiting PII collections to the least amount necessary to conduct its mission, organizations may limit potential negative consequences in the event of a data breach involving PII.
  • De-Identifying Information. Full data records are not always necessary, such as for some forms of research, resource planning, and examinations of correlations and trends. The term “de-identified information” is used to describe masked or obfuscated records that have had enough PII removed such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.

There are numerous benefits for digital identity federation across the federal government for the public, federal employees, and contractors, and the shared service model is the obvious lever for realizing these benefits. A single sign-on provider would facilitate easy, secure access for multiple services. With such a shared service in place, agencies could more easily adapt and scale new services to meet emerging needs and changing conditions—like a global pandemic—and position themselves for a more agile and secure future. The strategies for growing an ICAM shared service throughout the federal government rely on implementing best practices for managing strategic business partnerships, software development and maintenance, and security policy. Without harmonizing these practices, an offering is likely to stall or even fail because the business will be unable to grow securely.